Cyber-attacks are on the rise in New Zealand and the more data a business holds, the more it stands to lose. Organisations can reduce this risk by following a simple rule in relation to personal information: if you don’t need it, don’t keep it.

Sleeping giant, unnecessary data

2022 saw a 41% rise in serious data breaches compared to the last financial year as well as an increase in breaches resulting from “malicious activity”.^[1]

Notably, it was also the year that saw Latitude Financial Services suffer the biggest cyber-attack in New Zealand’s history, involving the theft of 14 million customer records. 

Surprisingly, some of the information stolen from Latitude was up to 18 years old. This prompted the Deputy Privacy Commissioner to describe data retention as “the sleeping giant of data security”, warning that businesses holding on to personal information for too long risk “being a hostage” to hackers.^[2]

What can you do?

As a starting point, go back to basics - the Privacy Act has some very clear principles dealing with collection and storage of personal information.

• Collection: Information Privacy Principle 1 (IPP 1) provides that organisations must only collect personal information if it is for a lawful purpose connected with their functions or activities, and the information is necessary for that purpose. Before asking customers to hand over personal information, ask yourself whether you really need it. The more sensitive the information (for example, a copy of a driver’s licence or passport), the more important this analysis. Further, IPP 1 provides that if identifying information is not required, then it should not be collected.

• Storage and Security: Information Privacy Principle 5 (IPP 5) states that organisations must ensure there are safeguards in place that are reasonable in the circumstances to prevent loss, misuse or disclosure of personal information. The nature of the safeguards will depend on the circumstances, including the sensitivity of the personal information and the security measures available, and the impact they will have on the agency’s functions.

• Retention: Information Privacy Principle 9 (IPP 9) deals specifically with the retention of personal information and clearly states that organisations should not keep personal information for longer than it is required for the purpose it may lawfully be used. For example, if a copy of a driver’s licence is only necessary for the purpose of verifying identity, it may not be necessary to retain it once verification is complete. Holding on to such sensitive information unnecessarily exposes customers to far greater risks in the event of a data breach.

  Certain sectors and industries have specific rules and regulations about collection and retention of data, which will inform these decisions. For example, health agencies and employers are under certain obligations to retain records. Organisations must ensure that they are familiar with, and follow, any rules specific to their own situation, including any obligations placed on them by contractual arrangements.

We recommend that organisations make certain that they have clearly documented data security and data retention policies, that they ensure are adhered to and regularly reviewed. When followed, these policies should reduce the risks and costs involved in storing unnecessary and irrelevant information. 

Factors to take into account in a data retention policy include regulatory and legislative retention requirements, contractual obligations to customers and audit issues. A data retention policy should also cover how information that is no longer needed is disposed of - secure destruction or deletion is always the best way to go.

Get in touch

Our experts are here to help businesses understand and comply with their Privacy Act obligations. If you have a question, please get in touch.