The retention of large amounts of personal information for an extended period of time increases the risk of a data breach. Organisations holding this information need to comply with all their obligations under the Privacy Act, including the requirements to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure.
Key to this debate will be ensuring the ongoing privacy interests of Australians. It will also be important to consider whether a data retention scheme is effective, proportional, the least privacy invasive option and consistent with community expectations. Any scheme should also be transparent, accountable and have appropriate independent oversight.
Timothy Pilgrim — Australian Privacy Commissioner