A review of data retention obligations in the Asia Pacific region prepared by leading technology law firm, Fieldfisher LLP has identified six key compliance challenges that enterprises and government agencies need to address.

The report, commissioned by Hitachi Data Systems (HDS), examines the principles that have given rise to common requirements for data capture, storage and management.

New global legislation, such as the Markets in Financial Instruments Directive II ("MiFID2"), Dodd-Frank and, looking ahead to 2018, the General Data Protection Regulation ("GDPR"), further extend the influence and power of regulators.

The six primary compliance challenges identified by the researchers include:

• Capture and management
• Access and availability
• Privacy and security
• Integrity and authenticity
• Retention and preservation
• Disposal and defensibility

The Fieldfisher report also looks at the implications of unique legal frameworks for Australian and New Zealand enterprises, including the Australian Privacy Principles (“APP”) and the Information Privacy Principles (“IPP”) in New Zealand.

Simon Briskman, partner at Fieldfisher said: “In comparison with many countries in APAC, Australia is well advanced in access and disclosure requirements. Australian law in the area has a long evolution.

“For example, the Australian Corporations Act 2001 lays down extensive obligations for the preparation of financial reports. Regulators such as the Australian Securities and Investments Commission and the Office of the Australian Information Commissioner ensure Australia meets broad international standards on information security, data management, record keeping, disclosure and data quality.”

He added: “Both Australia and New Zealand have legislation allowing electronic communications to be admitted in evidence in court, and of course there have been significant changes to the privacy laws in both countries. Overall, the landscape is one of increasingly sophisticated regulation that requires specific compliance solutions. Technology has become a vital part of those solutions.”

In data retention and record keeping requirements, Australia and New Zealand are in the middle bracket, with the Australia Corporations Act 2001 and the New Zealand Companies Act 1993 requiring records to be kept for at least seven years. The period of retention varies widely across the region: In Singapore, the minimum is five years, in Hong Kong and India 10 years, and in China records can be required to be retained permanently, depending on the nature of the record.

A full copy of the report is available here.