Can I throw out old information?
There are no minimum timeframes for retention of information under the Privacy Act. Rather, agencies must not keep personal information for any longer than they have a lawful purpose for using that information.
The first thing you need to consider is do you have a lawful purpose to keep this personal information? Keep in mind that there may be another law or regulation that requires you keep information for a certain period of time.
For instance, the Employment Relations Act 2000, the Tax Administration Act 1994, Public Records Act 2005 and the Health (Retention of Health Information) Regulations 1996 all impose obligations to keep certain types of information for certain timeframes.
If you aren’t required to keep the information, and you no longer have a lawful purpose to use it, you should take appropriate steps to ensure the information is securely deleted or destroyed.