One issue in information law that can be easily overlooked is the blurry line between when agencies must delete data and the sometimes conflicting obligations to retain data. Two recent examples demonstrate that difficulty in litigation, but the issue is much wider than that.
In one case (discussed below) the Human Rights Review Tribunal (HRRT) ordered an agency to give a failed job applicant access to other applicants' personal information (ordinarily a grave breach of privacy); and, in another, Kim Dotcom has argued that the GCSB deleted information that he needed as evidence in his case against it. In contrast, a recent report shows that government agencies regularly retain information beyond the point at which it should have been deleted (see below).
Organisations looking to understand their obligations to retain information must look beyond the Privacy Act 1993, which requires agencies to delete information once it is no longer required for lawful purposes, but is subject to other obligations to retain data, which include:
- Health regulations oblige all health providers to keep information for 10 years after the last encounter with the patient (even after death).
- Various statutory obligations to retain information, even after it has no lawful use for the holding agency, to be shared with bodies such as ACC, the Ministry of Social Development, the Department of Internal Affairs, the Financial Markets Authority, the Commissioner of Inland Revenue, and AML/CFT supervisors.
- Discovery obligations require the parties involved to retain information relevant to litigation that has begun or is contemplated. If personal information is relevant to litigation (including in the HRRT), the holding party cannot delete it, but its disclosure will not breach the Privacy Act.
How should an organisation faced with conflicting obligations manage the information it holds?
- Start with any express obligation to retain and keep information for the time or the purposes specified in those overriding provisions.
- After any mandatory retention time or purpose lapses, the organisation may keep the information only the extent it still requires it for lawful purposes (in accordance with the Privacy Act).
- If there is no express duty to maintain the information, the organisation can normally delete it even if it could still retain it for a lawful purpose. If information has been deleted before any request for access was signalled, the information will not be "held" and there will be no breach of Privacy Act principles for failing to disclose (unless the information can still be recovered without excessive difficulty).
Some fundamental lessons are that the Privacy Act prohibitions on disclosure do not guarantee that the holders of personal information will not have to disclose it to third parties, nor does compliance with that Act satisfy all retention obligations.