Retention of Personal Information
State organisations collect, handle and store personal information from individuals such as employees, clients, students, volunteers and visitors as part of their regular business activities.
Organisations should consider the risks involved in keeping details of, or copies of, personal information and the actions required to appropriately manage and protect that information.
What is personal information?
Personal information is defined in the Privacy and Responsible Information Sharing Act 2024 (PRIS Act) as
“information or an opinion, whether true or not, and whether recorded in a material form or not, that relates to an individual, whether living or dead, whose identity is apparent or can reasonably be ascertained from the information or opinion”.
Some examples of personal information include:
- name, date of birth and demographic information
- contact details (street address, telephone number or email)
- IP address (in relation to use of online services)
- financial information (bank details, credit or debit card number)
- photographs or other likenesses
- health or medical information
- biometric records (face, fingerprints, iris, palm, voice etc.)
- unique identifiers and identity information (Medicare number, passport number, driver’s licence).
How should an organisation manage records containing personal information?
The PRIS Act received Royal Assent on 6 December 2024. Subject to decisions of government, it is anticipated that the privacy provisions will commence in 2026.
The interim privacy position for the Western Australian public sector is that organisations should ensure their actions to manage the collection, use, disclosure and security of personal information are consistent with applicable Australian Privacy Principles (APPs) set out in Schedule 1 to the Privacy Act 1988 (Cth).
State organisations must create and keep records in accordance with the State Records Act 2000.
Good record keeping practices support organisations to manage personal information appropriately.
There are several factors to consider:
Does the information need to be held, or will sighting it be sufficient?
Organisations can minimise the need to dispose of information by limiting the amount of personal information collected in the first place.
Organisations should not collect personal information unless it is absolutely necessary for business purposes.
Organisations should consider whether the information needs to be held, or whether sighting it is sufficient. In most cases, simply noting and recording that a person holds the relevant qualifications, licences etc. is sufficient.
Disposal of unsolicited personal information and copies of proof-of-identity information is authorised by General Retention and Disposal Authority for State Government (GRDASG 2023-004 71) and Local Government (GRDALG 2023-005 88).
How will the information be used and disclosed?
Organisations should keep records that explain why personal information was collected, how it will be used and the conditions upon which it may be disclosed to third parties.
These details can be made available in a collection notice or a privacy policy, enabling organisations to be open and transparent about their privacy practices.
How will the information be stored and protected?
Organisations must store personal information securely, keep it no longer than necessary and protect it from misuse, loss, unauthorised access, modification or disclosure.
Policies and procedures must be in place within the organisation to limit access to only those roles / individuals who need to access personal information for business purposes. This could be as simple as locking hardcopy files in an area where only appropriate staff have access, or by having access permissions embedded in systems which manage records.
Refer to Record Keeping Basics for more guidance on records storage and handling.
Refer to Cyber Security and Record Keeping for further advice on managing information security risks.
How will the information be disposed of?
All records must be retained and disposed of in accordance with an approved retention and disposal authority (RDA), either by destruction or retention as a State archive.
Organisations should implement a regular retention and disposal program to ensure records and information are not kept longer than required.
When destroying any records, especially those containing personal information, organisations must ensure it is done completely so that no information is retrievable.
Refer to SRO Guideline: Records Retention, Disposal and Destruction for instruction on the proper retention and disposal of records, and to ensure that information stored on digital media and devices is sanitised appropriately before those media and devices are decommissioned and disposed of.
Refer to the Frequently Asked Questions FAQs – PRIS and Record Keeping for more information.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation is a European Union law and requires organisations to safeguard personal data and uphold the privacy rights of anyone in the European Union.
It applies to any business, anywhere in the world, that processes personal data relating to an individual in the European Union.
Organisations may refer to the Office of the Australian Information Commissioner’s guidance, Australian Entities and the European Union General Data Protection Regulation.
State organisations that process personal information relating to an individual in the European Union should seek legal advice to clarify their own obligations in relation to the GDPR.
Sources
The SRO acknowledges the Department of Premier and Cabinet and the State Records Advisory Committee for contributing to the development of this advice.
The SRO acknowledges the following sources used in the development of this records management advice:
Office of the Victorian Information Commissioner, IPP 4 – Data Security, https://ovic.vic.gov.au/privacy/resources-for-organisations/guidelines-to-the-information-privacy-principles/ (accessed 5 May 2025).
Office of the Australian Information Commissioner Australian Privacy Principles Quick Reference, https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-quick-reference (accessed 5 May 2025).
ACT Government, Identity Verification, https://www.territoryrecords.act.gov.au/__data/assets/pdf_file/0006/2608485/Assess-Identity-Verification-2024-FINAL-v-1.1.pdf (accessed 11 April 2025).