Data security: When to purge and why

In the wake of recent cyber-criminal activity affecting millions of Australians – and harming the reputations of major businesses – data security should now be front of mind for business leaders. Many retailers need to tighten business practices and take action in order to minimise exposure to cyber risks.

Concerningly, they’re not.

From our conversations with businesses, we’re seeing some organisations have a good understanding of what’s required, while others have come to us because they recognise data security is not within their expertise and they need external support.

Increased regulatory requirements are on the horizon, including proposed reforms to remove small business exemptions under the Australian Privacy Act. There are mounting calls to bring Australia’s privacy laws in line with more stringent European standards, which may indicate where the Commonwealth Government’s regulatory direction is heading.

Irrespective of potential legal requirements, it is prudent for retailers to consider existing compliance requirements as well as customers’ expectations. Public reaction to recent cyber-attacks indicates a growing concern among Australians about the handling of their personal information and sets a clear expectation for businesses to manage data responsibly.

Safeguarding data is best achieved via a proactive approach. Regular reviews and updates of processes and policies for data retention, and regular deletion of unused data or inactive customer accounts, is an important step to protect businesses, customers and data from cybercriminals.

It is an existing requirement under privacy principles for businesses to take steps to destroy – or ‘purge’ – data they don’t need. Yet, a recent finding by the Governance Institute of Australia indicates that less than a third of organisations regularly purge their data.

There are plenty of helpful resources that have been created to assist businesses. The Australian Cyber Security Centre (ACSC) is a good place to start.

Speak with your existing IT advisors or engage with a reputable provider who can review your data processes. Make sure your approach to holding data is as secure as it could be. Ask your lawyer to identify any additional risks and ensure the processes comply with relevant privacy laws.

If you’re not already talking about data security, retention and exposure with your leadership team, start now. Explore questions including: What data do we have? How long have we held it? How recently have we used it? When should we delete it?

A plan to review and delete data is a positive first step. Determine a reasonable period of time to keep data. This will vary by industry and business type and should be considered among other business needs including legal requirements and statutes of limitation.

How much data do you collect – and do you really need it? In addition to compliance with existing requirements under the Privacy Act, take the time to consider if you’re collecting more data than you need, or if you are even using the data you’ve collected. By limiting the information your business holds, you’ll simultaneously limit your exposure to cybercrime.

It’s quite likely smaller businesses, which are currently exempt from some requirements in Australia’s Privacy Act, will soon need to comply with privacy protections already required of larger businesses. Small businesses should consider acting as if the Australian Privacy Principles apply to them now, putting best practices in place and demonstrating to customers that they take data security as seriously as big business.

As cyber-attacks become more prevalent and sophisticated, business leaders must regularly turn their minds to deleting unused data and inactive customer accounts.

Failure to do so creates a risk of breaching Australian privacy laws and could leave businesses, and their customers, vulnerable to ongoing cyber threats.


This article provides general commentary only. It is not legal advice. Before acting on the basis of any material contained in this article, seek professional advice.

Our team of cyber and information security specialists advises clients at each stage of the data lifecycle – from proactive risk management to incident response and recovery.

From the outset, we work closely with our clients to identify and manage internal and external data privacy and security risks through legal documentation, establishment of appropriate board and management governance arrangements, policies and procedures, on-boarding arrangements and IT protection.

Should a cyber incident or information breach occur our team will be right by your side to advise and assist you with response, damage mitigation, recovery and obtaining legal remedies.

Find out more about how our expert cyber and information security team can assist your business here.

The Cyber Alliance Group is a collaboration between DMAW Lawyers, Comunet and Digital Trace Australia to provide comprehensive cyber security advice and services to business.

Whether you are responding to a cyber security incident or are looking to proactively enhance your cyber security processes and governance, we can provide a range of services that will enable you to re-focus your attention where it’s needed – your business.

Find out more about our involvement with the Cyber Alliance Group here.