What constitutes total data destruction?

By Jakki Jarvis

Earlier this year, an investigation undertaken by the Office of the Information Commissioner (OAIC) found that the Pound Road Medical Centre did not take reasonable steps to destroy or permanently de-identify personal information when it stored patient health records in a garden shed during renovations. The shed was subsequently broken into and the sensitive data was compromised, the majority of which was at least 11 years old and related to approximately 960 people who ceased to be active patients.

All Australian Privacy Principle (APP) entities, which are defined as an ‘agency’ or ‘organisation’, must take reasonable steps to destroy or de-identify the personal information they hold once that personal information is no longer needed.

Are you confident that your organisation understands what constitutes total data destruction and what circumstances dictate the need for de-identification?

Unfortunately, the definition of ‘reasonable steps’ is not black and white, but I will endeavour to explain it at a topline level in this article. Reasonable steps will depend on a variety of factors, including the amount and sensitivity of the personal information. More rigorous steps may be required as the quantity of personal information increases or if the information is particularly sensitive.

As we increasingly work on a mix of mobile devices, any single employee could conceivably create multiple copies of the same information. Key consideration must also be given to the multiple copies that could exist across the business, in archives or on back-ups.

The Information Commissioner has provided guidelines under the Australian Privacy Principle 11 (APP 11). Essentially, personal information is ‘destroyed’ when it can no longer be retrieved. However, the steps that are reasonable for an organisation to take to destroy information will depend on whether the information is held in hard copy or electronic form.

In hard copy, disposal through garbage or recycling collection would not ordinarily constitute taking reasonable steps to destroy the personal information, unless the personal information had already been destroyed through a process such as pulping, burning, pulverising, disintegrating or shredding. This example is most relevant to the issue of confidential waste collected by third-party suppliers: contracts for these services should provide for immediate shredding, in order to ensure that data is ‘destroyed’ in an environmentally sound manner.

In electronic form, reasonable steps will vary depending on the kind of hardware used to store the personal information. In some cases, it may be possible to ‘sanitise’ the hardware to completely remove stored personal information. For hardware that cannot be sanitised, reasonable steps must be taken to destroy the personal information in another way, such as by irretrievably destroying the hardware on which it is stored.

Where it is not possible to irretrievably destroy personal information held in electronic format, an organisation could instead comply with APP 11.2 by taking reasonable steps to de-identify the personal information, or put the information ‘beyond use’.

We also operate in a world where we connect our business with third-party service providers. Consideration must also be given to personal information stored externally, such as in a cloud environment. If the organisation has instructed a third party to irretrievably destroy the personal information, reasonable steps would include verifying that this has actually occurred.

Where it is not possible for an organisation to irretrievably destroy personal information held in electronic format, reasonable steps to destroy it would include putting the personal information ‘beyond use’. However, an organisation could instead consider whether de-identifying the data would be appropriate and if so, take reasonable steps to de-identify the personal information.

The APP 11 states that personal information is ‘beyond use’ if the organisation:

is not able, and will not attempt, to use or disclose the personal information,

cannot give any other entity access to the personal information,

surrounds the personal information with appropriate technical and organisational security. This should include, at a minimum, access controls together with log and audit trails, and

commits to take reasonable steps to irretrievably destroy the personal information if, or when, this becomes possible.

APP 11 also indicates that only in very limited circumstances would it not be possible for an organisation to destroy personal information held in electronic format. For example, technical reasons may make it impossible to irretrievably destroy the personal information without also irretrievably destroying other information held with it, which the entity is required to retain.

De-identification of personal information may be more appropriate than destruction where the de-identified information could provide further value or utility to the organisation or a third party. For example, an organisation may share de-identified information with researchers, or use de-identified information to develop new products.

To assist with ensuring ongoing compliance, it is recommended that organisations have in place:

A data destruction policy for information past its required retention period

Regular training programmes to ensure that employees understand the role they play in the process

Permanent secure shredding procedures which mitigate the risk of data breaches on a day-to-day basis, whilst ensuring that shredded material is environmentally recycled.

With the introduction of the Australian Privacy Principles, implementing and following a data destruction policy doesn’t just make business sense; it also ensures that reasonable steps are taken to destroy or de-identify information which is no longer needed.

Jakki Jarvis is the Marketing & Business Development Manager for Iron Mountain Australia