Privacy Legislation
The Australian Privacy Act provides that business must “take reasonable steps to destroy or de-identify personal information that is no longer required.” Not complying can result in serious business loss as well as fines. This comes from the Privacy Act (Cth) 1988. The regulations are well established and have been tested in the courts.
The Office of Australian Information Commissioner has created a useful and practical document that “sets out standards, rights and obligations for the handling, holding, use, accessing and correction of personal information (including sensitive information).”