Know when to let go: Data retention in the age of big data

  • Podcast

    30 March 2026

In this episode, privacy law specialists Richard Wells and Suzy McMillan consider the legal framework governing data retention and destruction and how organisations can strike the right balance between regulatory compliance and commercial practicality in the age of big data.

[00:37] Richard and Suzy talk about the growing challenges organisations face in a data-driven era, where the temptation to store information indefinitely can lead to significant privacy, security, and compliance risks.

[02:07] Richard and Suzy outline the regulatory framework that governs data retention, focusing on Information Privacy Principle (IPP) 9 of the Privacy Act 2020, which acts to restrict organisations from holding personal information longer than is required for its lawful use, and how this interacts with statutory minimum retention periods found in employment, tax, health and companies’ legislation.

[05:10] They consider how to determine when data should be deleted once those statutory minimums expire, focusing on IPPs 1, 5, 9 and 10 and what constitutes a “lawful use” for continued retention, emphasising the positive obligation on agencies to justify continued retention. 

[08:10] Suzy sets out some practical steps organisations can take to meet their compliance obligations, including establishing effective data retention policies and schedules that categorise data types, identify the legal basis for data retention, specify destruction methods and responsibility, and prioritise high-risk data such as personal, financial, and sensitive information.

[10:31] Richard highlights the importance of privacy by design in this context: embedding retention rules into new systems from the outset.

[14:25] They discuss recent incidents where organisations holding excessive legacy data found their exposure significantly amplified when a breach occurred, before closing with a practical reminder that the goal is balance: retaining information long enough to meet legal and business obligations, but not so long as to create unnecessary or disproportionate risk.

 

Information in this episode is accurate as at the date of recording, 5 March 2026.

 

Please contact Richard Wells, Suzy McMillan or our Privacy team if you need legal advice and guidance on any of the topics discussed in the episode. 

And don’t forget to rate, review or follow MinterEllisonRuddWatts wherever you get your podcasts. You can also email us directly at [email protected] and sign up to receive technology updates via your inbox here.  

 

Additional resources 

Privacy Act 2020