Retention of Personal Information

Guidance
Records Management Advice
Last updated:

State and local government organisations collect, handle and store personal information from clients as part of their regular business activities.

What is personal information?
Personal information is defined in the Glossary to the Freedom of Information Act 1992 (WA), as:

“information or an opinion, whether true or not, and whether recorded in a material form or not, about an individual, whether living or dead -
(a) whose identity is apparent or can reasonably be ascertained from the information or opinion; or
(b) who can be identified by reference to an identification number or other identifying particular such as a fingerprint, retina print or body sample.”

Some examples of personal information can include:

  • name 
  • contact details (address, telephone number or email)
  • medical information; or
  • financial information.

How do I manage personal information?
Western Australian State and local government organisations are not regulated by privacy legislation; however, some controls for personal information are provided for in the Freedom of Information Act 1992 and the State Records Act 2000.

The Commonwealth’s Privacy Act 1988 lists 13 Australian Privacy Principles (APP) which, whilst not legally binding in Western Australia provide a framework for managing personal information. The APP advise organisations ‘must take reasonable steps to protect the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure’. Following these principles makes good business sense.

Organisations that are obliged to collect and handle personal information for business purposes should consider the risks involved in keeping details of, or copies of, personal information and must take the necessary steps to manage that information appropriately.

There are several factors to consider:

Does the information need to be held, or will sighting it be sufficient?
Organisations should not collect personal information unless it is absolutely necessary for business purposes. In most cases simply noting and recording that a person has the relevant qualifications, licences etc. is sufficient.

Who will have access to the personal information?
Policies and procedures must be in place within the organisation to limit access to only those roles / individuals who need to access personal information for business purposes. This could be as simple as locking hardcopy files in an area where only appropriate staff have access, or by having access permissions embedded in systems which manage records.

How will the information be used?
Organisations should have a privacy statement on their website which states how the organisation will use personal information and the conditions upon which it may be disclosed to third parties.
As an example, upon phoning many organisations you may hear a message saying, “this call may be used for quality and training purposes”. If there is a possibility that this recording could be used for purposes other than those stated, the organisation must advise customers of this in advance. This can be achieved by extending the initial message to include more detail, or by referring customers to the privacy statement on the organisation’s website.

How will the information be destroyed?
All records must be retained and disposed of in accordance with an approved Retention and Disposal Authority. When destroying any records, especially those containing personal and sensitive information, organisations must ensure it is done completely so that no information is retrievable.

Acknowledgement:
Office of the Australian Information Commissioner. Australian Privacy Principles (APP) guidelines
Australian Law Reform Commission. State and territory regulation of privacy
Office of the Information Commissioner. What is personal information?

Was this page useful?