elevenM’s Cassie Findlay on how hard, and how important, it is to formally and systematically delete unnecessary data.
“Retention of data is a really big issue that comes across our desk time and time again. Having entities take a good look at that would really put people in good stead.” Carly Kind, Australian Privacy Commissioner
For anyone working in the world of privacy, data or cyber security, even those only peripherally involved, it is well known that the over-retention of data presents a serious risk.
Most of the data organisations keep today contains some information about individuals. This can range from basics such as names to detailed profiles of their shopping habits, health information, details about their home and family members and more. For many organisations, a long history of collecting proof of identity documentation (passports, driver’s licences and the like) means that they are storing very large volumes of digital copies of these, long past when they are needed.
How did we get here?
Based on our experience with retention and deletion in many different types of organisations, the most common reason for a lack of action on retention and deletion is simple: up to now it has been easier to just keep everything.
Back when we were dealing with paper records, there were obvious reasons to avoid the accumulation of large volumes of material, including the need to make space or to avoid paying for offsite storage. Also, paper is not complicated to destroy; provided it is done securely, it is usually a straightforward matter of shredding.
Not so for data! Today we find that:
- it can be technically difficult to permanently delete data and other information, including data in database environments and document-based information
- there can be a risk of breaking data interdependencies between systems and other unforeseen downstream effects
- data can reside in places that are out of sight (sometimes referred to as shadow data). This can mean decommissioned systems, back-up systems, logs, and data held with third parties.
In other words, ‘one does not simply’ delete data. It’s HARD!
What are the risks?
Over-retaining personal information can put a target on your back. The existence of large quantities of aged personal information in organisations’ data stores has the potential to attract bad actors looking for content they can sell on the dark web.
The volume and sensitivity of the personal information can increase the severity of a breach. If a breach does occur:
- If the number of individuals affected is high, the costs associated with remediation will increase accordingly.
- If the information types involved include data that can be used for identity theft or that otherwise has a value on the dark web, there is a higher likelihood that individuals (customers, employees, others with information in the data store) will experience serious harm as a result.
There are regulatory risks as well. Where an organisation is subject to the Privacy Act, if it no longer needs personal information it must take reasonable steps to destroy the information or ensure that it is de-identified. The current reform process has introduced a new tiered penalty regime designed to capture a broader range of contraventions of the Privacy Act. Under the provisions of the Privacy and Other Legislation Amendment Act 2024, the OAIC may seek civil penalties of up to $50 million, or potentially more based on turnover or on the benefit obtained from the breach, for serious interferences with privacy.
The reforms have also introduced a cause of action for individuals in tort for serious invasions of privacy, with associated remedies. This means we are likely to see an uptick in class actions in this space.
OK that sounds bad. What do we do?
Make the case
Establishing governance arrangements and carrying out data deletion or de-identification comes with costs, so it may be necessary to make the case to act to decision-makers. There are a number of benefits that flow from an investment in retention and deletion which can be highlighted in a business case, including:
- reduction in storage costs and the ability to decommission legacy applications
- lower costs associated with remediation in the event of a breach. According to a report by the Australian Cyber Security Centre (ACSC), the average cost of a cybercrime incident for an Australian business is $276,323, and Ponemon/IBM lists the average cost of a data breach in Australia as USD 2,780,000. In cases where the number of individuals or the sensitivity of the personal information is lower, this cost can be reduced
- processes for deletion can be embedded and routine so that personal information will not continue to accumulate over time as it may have in the past.
Understanding data in its business context is essential
Dealing with retention and deletion can seem like an overwhelming task when faced with the complex array of data and other information held by your organisation, across myriad systems. That’s why we recommend taking a systematic approach to building a structured map of data in context, one that enables the classes of data, and other information with common retention obligations, to be identified. The result of this step is a data processing inventory (DPI), which you can read about in our five-part series, published last year.
Define the rules before you start deleting
Before any deletion activity can even be contemplated, it is important to define organisational policy and the rules for retention and deletion across in-scope data and other information. In this way, roles and responsibilities are defined and the key requirements for accountable and authorised retention and deletion activities are established.
A retention and disposal schedule is the instrument by which the rules are described, in a structured document aligned with the functions of the organisation that can be updated as requirements change over time. Classes of data and other information identified via the DPI process are linked to business and regulatory requirements to retain and delete. Read more about why you need a retention and disposal schedule.
Use risk to prioritise deletion
Where to start? Here the findings from the DPI are used once again, to prioritise systems and data for action. Those presenting the highest privacy risk (high volumes, more sensitive information) should be tackled early. It is essential to set up an implementation plan with governance and other supporting elements to ensure that the teams tasked with executing the rules will be set up for success.
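A small worked example of the DPI-to-schedule-to-prioritisation step described in the last two sections, added here and not elevenM’s own tooling: it matches constructed DPI rows (including backup, log and third-party copies) against a constructed retention and disposal schedule, flags rows with no rule, and ranks expired rows by a volume-times-sensitivity risk score. The schedule periods, system names and record counts are made up for illustration.

```python
from datetime import date, timedelta

# Constructed retention and disposal schedule (values are illustrative, not
# real retention periods): data class -> days to retain after the trigger
# event, plus a sensitivity weight used only for prioritisation.
SCHEDULE = {
    "identity_documents":    {"retain_days": 0,       "sensitivity": 5},
    "transaction_history":   {"retain_days": 7 * 365, "sensitivity": 2},
    "marketing_preferences": {"retain_days": 2 * 365, "sensitivity": 1},
}

# Constructed DPI extract: one row per data store. Shadow copies (backups,
# logs, third parties) get their own rows so they are not forgotten.
DPI = [
    {"system": "crm", "data_class": "transaction_history", "location": "primary",
     "records": 120_000, "trigger_date": date(2015, 6, 30)},
    {"system": "onboarding", "data_class": "identity_documents", "location": "primary",
     "records": 250_000, "trigger_date": date(2020, 1, 1)},
    {"system": "onboarding", "data_class": "identity_documents", "location": "backup",
     "records": 250_000, "trigger_date": date(2020, 1, 1)},
    {"system": "email_platform", "data_class": "marketing_preferences",
     "location": "third_party", "records": 40_000, "trigger_date": date(2024, 3, 1)},
    {"system": "helpdesk", "data_class": "support_chat_logs", "location": "logs",
     "records": 900_000, "trigger_date": date(2019, 1, 1)},
]

AS_AT = date(2025, 1, 1)  # assessment date for this run (constructed)


def disposal_candidates(dpi, schedule, today=AS_AT):
    """Return (due, unmapped): rows past their retention period, highest risk
    first, and rows with no schedule entry. An unmapped row is never a
    deletion candidate; the gap in the rules has to be fixed first."""
    due, unmapped = [], []
    for row in dpi:
        rule = schedule.get(row["data_class"])
        if rule is None:
            unmapped.append(row)
            continue
        expiry = row["trigger_date"] + timedelta(days=rule["retain_days"])
        if expiry <= today:
            # risk score on the post's two criteria: volume and sensitivity
            due.append({**row, "expired_on": expiry,
                        "risk": row["records"] * rule["sensitivity"]})
    due.sort(key=lambda r: r["risk"], reverse=True)  # stable: ties keep DPI order
    return due, unmapped


if __name__ == "__main__":
    due, unmapped = disposal_candidates(DPI, SCHEDULE)
    for r in due:
        print(f"{r['risk']:>10}  {r['system']}/{r['location']}  expired {r['expired_on']}")
    for r in unmapped:
        print(f"NO RULE: {r['system']}/{r['location']} ({r['data_class']})")
```

The backup copy of the identity documents lands at the top of the list alongside the primary store, which is the point: a deletion plan built from systems alone would have missed it.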
Contact us
If you’re interested in learning more about implementing data retention and disposal, please contact us.