Retention and deletion of personal information collected during COVID-19

As the response to COVID-19 evolves across Australia, entities should regularly take stock of their personal information holdings and assess whether they should continue to collect and retain personal information.

For example, some organisations and agencies have collected personal information about their employees (such as vaccination status information and other health information), as required by public health orders or to meet relevant work health and safety obligations. Some organisations have collected personal information, including health information, about customers and visitors to their premises – for example, contact tracing information through QR codes or check-in apps, or vaccination status information.

As the response to COVID-19 continues to shift over time, it may be necessary for entities to destroy personal information if there is no longer an ongoing need to retain it.

This aligns with community expectations that the information they provided to support the COVID-19 public health response should not be retained indefinitely and should be deleted as soon as it is no longer needed.

Entities should be mindful of their obligations in the Australian Privacy Principles (APP), specifically APPs 11.1 and 11.2 which require that reasonable steps be taken to protect personal information and personal information be destroyed or de-identified once it is no longer needed.

Is collecting personal information still necessary?

If entities continue to collect personal information, it is important to consider whether there is an ongoing need or legal basis for this collection. There should be clear and justifiable reasons for collecting personal information, and these reasons may change (and reduce) over time.

For example, entities should check to see whether there are still public health order requirements or other laws in place which require the collection of personal information. If public health order requirements have changed, this may impact on whether you are required or authorised to continue collecting personal information.

If there is no law requiring or authorising the collection of personal information, entities should also review whether it is reasonably necessary for their functions or activities to continue to collect personal information. The ‘reasonably necessary’ test is an objective test: whether a reasonable person who is properly informed would agree that the collection is necessary. This will require consideration of several factors such as whether there are any applicable workplace laws and contractual obligations which make the collection of personal information reasonably necessary for your functions and activities.

If there is no longer a requirement or a reason to collect personal information, then entities should take steps to ensure that they do not continue to collect personal information. This could include:

  • notifying individuals that they are no longer required to provide their personal information
  • removing QR codes or check-in requirements from physical premises
  • disabling any features in apps or other electronic systems which collect personal information
  • reviewing and updating privacy notices and privacy policies as necessary.

Is retaining personal information still necessary?

Entities should delete or de-identify information that is no longer needed. If there is no requirement or justification for retaining the information, entities must take reasonable steps to destroy or de-identify the personal information, as required by APP 11.2.

There are some exceptions to this requirement in APP 11.2, including where the information is contained in a Commonwealth record, and where an Australian law, or a court/tribunal order, requires the entity to retain the information.

Agencies can seek advice internally from their Privacy Officer as to whether personal information is contained in a Commonwealth record, and all entities should consider whether there are any public health order requirements or other laws which require certain information to be retained.

Where information is required to be retained for a period of time, entities should ensure they have systems and processes in place to regularly review whether retention is still necessary. For example, entities may find it useful to create a schedule which categorises the types of personal information held and when the information is to be destroyed or de-identified.

Destroying personal information

Entities will need to take reasonable steps to destroy or de-identify personal information where it is no longer necessary to be retained.

It is important to identify the various ways in which personal information has been collected and stored, as this may impact on the destruction and de-identification process.

If the information is stored in a hard copy (such as a paper-based register of contact tracing information or printed copies of COVID-19 digital certificates), secure disposal might include methods such as secure shredding before recycling or throwing away.

If the information is stored electronically, such as in cloud-based storage, servers, USBs or with a third-party provider, you should ensure that the digital records are permanently destroyed, including in any back-up system or offsite storage.

It is also important to consider whether employees require any training to ensure that personal information is securely destroyed.

Entities should refer to the Guide to Securing Personal Information for more detailed guidance on how to securely destroy personal information.