A man took his computer to a computer company for repair. The company advised him that it would have to copy his hard drive to determine what the problem was with the computer.

The man agreed to this initially. However, later that day, he decided that the information on his hard drive was highly sensitive. He contacted the company to say that it should not copy the hard drive. Unfortunately, it had already started work on the computer, and had made the copy.

The relationship between the man and the company deteriorated. He complained to us that the company had retained his personal information in breach of principle 9. He argued that even if it had ‘deleted’ the information, it could still retrieve the information and therefore still held it.

Principle 9

Principle 9 of the Privacy Act states that:

An agency that holds personal information shall not keep that information for longer than is required for the purposes for which the information may lawfully be used.

Our investigation discovered that the company had not kept a copy of the hard drive. First, it had deleted it as requested. Secondly, and importantly, the deleted information had been continuously overwritten. While it was technically still possible to retrieve information that had been deleted, here it would have been time-consuming, costly and difficult to do. The deleted documents would not retain their file names. Also, the more documents are overwritten, the more difficult it is to retrieve the deleted data.

We were therefore satisfied that, in these circumstances, the company had not retained the information and had not breached principle 9. We informed the man of our conclusions and closed the file.


May 2009

Retention of personal information - computer company - copy of hard drive - copy deleted and overwritten - personal information not retained - Privacy Act 1998, principle 9