The new Scheme falls under Part IIIC of the Privacy Act 1988 (Privacy Act). The requirements of this Act are outlined in the Australian government’s ‘Guide to securing personal information‘ which provides guidance on the reasonable steps organizations are required to take to protect “the personal information they hold from misuse, interference, loss, and from unauthori[z]ed access, modification or disclosure.” This guide is not legally binding; however, it is used by the government as a reference when undertaking Privacy Act functions, including its privacy assessments and investigations. The guide gives recommendations on securing data throughout its lifecycle, including the “destruction or de-identification of the personal information when it is no longer needed.”

Under the Australian Privacy Principles guidelines (APP) 11.2, government and other affected organizations must take reasonable steps to destroy or de-identify the information they have once it is no longer needed for any purpose that it may be used or disclosed under these guidelines. The exception is personal information is included in a “Commonwealth record” or where the entity is required to do so by law (court order) to retain the personal information.