Data Retention and Destruction

Background

1.1. CJLQ Enterprises Pty Ltd must comply with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs) and any other applicable privacy laws.

1.2. CJLQ Enterprises Pty Ltd also has legal obligations to keep certain kinds of data on record for a specified amount of time. The table in Appendix 1 sets out the legally required retention periods for common categories of data.

1.3 This policy sets out CJLQ Enterprises Pty Ltd’s approach to managing, retaining and destroying records and data (including personal information) we hold, to ensure compliance with the APPs and data retention laws. The purpose of this Policy is to outline roles, responsibilities, and steps CJLQ Enterprises Pty Ltd and staff must take when dealing with record and data retention and destruction.

1.4 This policy does not cover all circumstances that may arise, is not a comprehensive statement of the relevant law, and is not a substitute for legal advice. If you are unsure or have any questions about this policy, or CJLQ Enterprises Pty Ltd’s obligations, you should consult the Data Processor (email hello@chelseyjean.com.au).

Scope

2.1 What do we mean by ‘record’ and ‘data’?

2.1.1. The Privacy Act provides that a ‘record’ can be a paper document or an electronic file. Records may include physical documents, digital scans of documents, databases, and electronic files such as text, image, video, or audio files. In essence, any medium that captures and contains information constitutes a ‘record’.

2.1.2. In this policy, ‘data’ means any information which is contained in a record, including (but not limited to) personal information.

2.2 Who does this policy apply to?

2.2.1. This Policy applies to all employees, including temporary employees, contractors, and volunteers who have access to CJLQ Enterprises Pty Ltd records and data or who are involved in the process of collecting, storing or securing CJLQ Enterprises Pty Ltd records and data on behalf of CJLQ Enterprises Pty Ltd.

General rules and principles

2.3 Information lifecycle

2.3.1 The information lifecycle describes each phase of CJLQ Enterprises Pty Ltd records and data.

2.3.2 This policy focuses on the ‘Hold’ and ‘Destroy’ phases. ‘Hold’ refers to how records and data are recorded, stored, secured, backed-up and archived, while ‘Destroy’ refers to how records and data are disposed of or put beyond use. For personal information, ‘Destroy’ also covers the de-identification of that information so that it is no longer considered personal information.

2.3.3 The Privacy Act requires us to delete personal information when no longer required (which includes for any legal purpose), but data retention laws may require us to keep that personal information for certain periods of time. Privacy laws and data retention laws may appear to conflict but it is essential to consider both obligations together.

2.3.4 You must consider and apply the guiding principles set out below when managing, retaining and destroying records and data.

2.4 Guiding principles on managing, retaining and destroying records and data

2.4.1 Actively and continuously consider whether retention of data is necessary.

2.4.2 Do not destroy records and data that are necessary for CJLQ Enterprises Pty Ltd’s business functions or legally required to be kept.

2.4.3 Do not destroy records and data that may be relevant to ongoing or anticipated disputes, litigation or regulatory investigations. Consult with the Data Processor if you have doubts about whether certain records or data should be retained for their evidentiary value.

2.4.4 Retain only minimum data necessary. It is possible to have too much data. Over-collection of data is a significant risk. Only keep what is reasonably necessary for CJLQ Enterprises Pty Ltd’s business functions or to comply with our legal obligations.

2.4.5 Consider whether CJLQ Enterprises Pty Ltd has contractual obligations to destroy certain records and data after the expiration of a contractual relationship.

2.4.6 Record data in the most appropriate format and minimise paper records. Scan physical documents and save the digital scans in Google Drive. Do not use your email inbox as a record filing system.

2.4.7 Take steps to secure your records and data and minimise risk of corruption of data or accidental loss. Ensure that important data is securely backed up, and archive records that are not actively being used but are not ready to be destroyed.

2.4.8 Ensure data can be easily located and accessed (even when archived or not in active use).

2.4.9 Ensure paper records are securely destroyed if appropriate. Use shredders or security bins to destroy paper records.

Steps to manage data

3.1 Step 1: Identify record, data and purpose

3.1.1 Step 1 is to identify:

a. the data that you deal with and the records in which they are contained (i.e. certain data may be in multiple records)

b. the purpose for which the data was collected

c. the purpose for which the data (and record) is currently being held.

3.1.2 The data and records that you deal with in your day-to-day activities will depend on your role.

For example, an employee in our Human Resources or Accounting departments may regularly collect and handle:

a. tax file numbers in records relating to employees

b. role and salary information

c. identification documents (records such as scanned passports and drivers’ licences)

d. contact information

e. health information of our employees and contractors for payroll purposes and to comply with our legal obligations.

3.1.3 An employee in our Marketing or Business Development Departments, on the other hand, may regularly collect and handle customer:

a. email addresses

b. consents

c. preferences

d. cookie data to promote our goods and services.

3.1.4 To identify the kinds of data you handle, and what possible obligations may attach to them, ask yourself:

a. What data do I use to carry out my functions?

b. Does that data contain personal information about individuals?

3.2 Step 2: Determine whether it is necessary to retain the data (and relevant records) and, if so, for how long.

3.2.1 Data is sometimes collected for one-time use, and once the purpose for which it was collected is fulfilled, it is not necessary to retain it. In such circumstances, you should promptly delete or destroy the data (and relevant records), especially if it contains personal information about individuals, to minimise the risk of that data being compromised in the event of a data breach. This is particularly important in relation to government issued identifiers such as passport and drivers’ licence numbers.

3.2.2 Certain data (and relevant records) must be retained because they are necessary for CJLQ Enterprises Pty Ltd’s business functions, or because the law requires that the data be retained for a specific period of time. If you determine that it is necessary to retain the data and record identified in Step 1, determine whether it falls into a category with a specific retention period (see Appendix 1). If so, you should take reasonable steps to ensure that the data is destroyed after that period has elapsed (see Step 4).

3.2.3 If the data and relevant records do not fall into a specific category, but are required to be retained, best practice is to retain the data (and relevant record):

a. for seven years for financial and governance records;

b. for seven years if it is personal information about an adult;

c. for seven years after a child turns 18 if it is personal information about a child;

d. until it is no longer necessary for the purpose for which it was collected (whichever is the longer).

3.2.4 Consult with the Data Processor for advice on determining the appropriate retention period for records and data that do not fall into a category set out in Appendix 1.

3.3 Step 3: Decide how, and in what format, the data should be held.

3.3.1 If the data is recorded in hard copies (i.e. paper records), the general rule is that the document should be scanned and stored electronically, and that the physical paper copy should be securely destroyed. An exception applies to original versions of documents which are legally required to be retained (see Appendix 1) or which CJLQ Enterprises Pty Ltd may be required to produce as evidence in a dispute, legal proceedings or an investigation.

3.3.2 Consider whether the data (and relevant records) will need to be regularly accessed or whether they should be archived. In either case, the data (and relevant records) should be held in a manner which allows them to be easily located, accessed and retrieved when needed. If you decide to archive the data, be sure to record the date the data was created, the date it was archived, and the date after which it should be destroyed.

3.3.3 Data should be stored securely and in a manner that is appropriate to the value and sensitivity of the data, and the physical properties (if applicable) of the record (for example, paper records should be stored in a cool, dry place outside of direct sunlight to avoid degradation).

3.3.4 As a general rule, email inboxes and mailbox folders should not be the primary source of storing records and data, particularly data which consists of personal information or sensitive information. File records with personal information, sensitive information, financial information or government identification numbers in Google Drive.

3.4 Step 4: Determine whether and how the data should be destroyed, put beyond use, or de-identified.

3.4.1 In most circumstances, data (and the relevant record) should be destroyed after its retention period has elapsed and it is no longer required for a business function or to comply with a legal requirement.

3.4.2 There may be occasions where it is not possible or practicable to irretrievably destroy data (because, for example, the system on which the data is stored does not allow data to be deleted, or where the data is part of a larger dataset). These circumstances should be avoided if possible, but if they arise, you should take reasonable steps to:

a. put the data beyond use. The Office of the Australian Information Commissioner (OAIC) has said this means CJLQ Enterprises Pty Ltd:

i. is not able (and will not attempt) to use or disclose that data, and

ii. cannot give any other entity access to that data, and

iii. surrounds the data with appropriate technical, physical and organisational security. This should include at a minimum, access controls including logs and audit trails, and

iv. commits to take reasonable steps to irretrievably destroy the data if, or when, this becomes possible; or

b. de-identify the data: If the data contains personal information or sensitive information, consider whether it is possible and practicable to de-identify the data. This means taking steps to remove information that could reasonably identify an individual (for example by redacting scanned documents).

3.4.3 There may be certain circumstances in which the data should be de-identified immediately (such as where it is being used for analytics or research purposes, which do not require individuals to be personally identifiable).

Roles and responsibilities

4.1 Business units

4.1.1 Determine retention periods for the records they hold, having regard to:

a. legally required retention periods (see Appendix 1)

b. whether the retention of the record or data is (and continues to be) necessary for one or more of CJLQ Enterprises Pty Ltd’s functions and activities

c. whether the record or data (and the relevant record) may hold evidentiary value in an existing or potential dispute, legal proceeding or regulatory investigation

d. the guiding principles set out in section 3.2.

4.1.2 Ensure that records and data are securely held, and that appropriate roles, responsibilities, practices and processes are put in place to ensure that records and data are destroyed after the relevant retention period has ended.

4.1.3 Take reasonable steps to destroy, de-identify or put beyond use records and data once the retention period has elapsed.

4.1.4 Seek advice where necessary from:

a. The Data Processor, in relation to practices and procedures relating to storage and security of records, and destruction of records and data

b. The Data Processor, in relation to determining appropriate retention periods and confirming whether certain records or data should be destroyed or retained.

4.2 Employees, contractors and volunteers

4.2.1 Consider the legal obligations relating to retention and destruction of the records and data they deal with, including obligations to:

a. retain necessary and important data

b. destroy unnecessary records and data.

4.3 Policy owner

4.3.1 Communicate policy requirements to business units, managers and team leaders.

4.3.2 Ensure the policy is accessible and disseminated.

4.3.3 Provide organisation-wide training on the requirements of the policy.

4.3.4 Undertake periodic reviews of this policy and the specific retention periods set out in Appendix 1, and vary this policy as necessary from time to time.

Additional policies

5.1 Privacy Policy

Appendix 1: Data Retention Requirements