Secure disposal of personal information – responsibility from cradle to grave

The OIC is urging agencies to review their document destruction policies and processes to meet their legislative obligations and recommends that:

• Documents containing personal information should not be disposed of within general or non-secure waste bins.
• Agencies ensure personal information is being disposed of in a secure way (for example shredding prior to disposal and/or using an external disposal company that specialises in secure document destruction).
• When documents containing confidential information are to be disposed off-site, place the documents in a shredding bag and store the bag securely until it is collected for shredding.

Agencies should remember that when using a commercial destruction service, the agency remains responsible for ensuring the records are securely stored, transported and destroyed (see our Bound contracted service providers guide for more information).

It should also be noted, if a document contains extremely sensitive information, such as health data or criminal records, maximum care should be taken when disposing of the information.

The above recommendations are supported by the principles set out under the IP Act including:

• National Privacy Principle 4 (NPP 4) – Data Security
• Information Privacy Principle 4 (IPP 4) – Data Security

For more information, view our:

• Basic guide to NPPs 3-4: Data quality and security
• Basic guide to IPP 4: Storage and security
• Bound contracted service providers guide