The Risks of Retention – Why the data you hold on to matters.
It borders on trite to suggest that we live in an age ruled by data, however, that’s entirely the outcome of the data-driven way in which we all operate. We are incrementally improving our ability to store it cheaply, transfer it quickly and analyse it comprehensively. Big Data has become the way to do business and the prevailing mindset is that organisations that aren’t on board will be left behind.
Data analytics is not particularly new; regression analyses were being performed early in the 19th century and the phrase “machine learning” was coined in 1959. What is new, however, is the extent to which the global population is now aware of the ways we can use data and the way those processes are being marketed and sold. Further, more and more of our daily lives can now be quantified in databases. Our correspondence is increasingly digital (and searchable), our consumer choices easily tabulated, and our movements are all tracked (at least by default).
With that much data floating around, it is obvious that it presents some risk. The privacy concerns about the way data is misused or lost is well understood, typified by the Facebook-Cambridge Analytica and SolarWinds issues. However, organisations must soon come to understand that the mere act of holding on to information, even if nothing is ultimately done with it, can have consequences as well. The usual position for organisations when it comes to data is to hold on to as much as possible, after all, who knows when it could be useful? However, one needs to properly consider what sort of data is being collected and, if it’s not being used, whether it is best to let it go.
Data as a means of control
In 2021, the Fair Work Commission (FWC) found in favour Diego Franco in his unfair dismissal claim against Deliveroo. A key finding in that matter was that he was an employee, rather than an independent contractor as argued by Foodora. An interesting consideration in that decision was in respect of the comprehensive data that Foodora held regarding the work that was preferred by Mr Franco and the “control” over Mr Franco that the data enabled. Foodora submitted that they did not use data metrics to appraise rider performance around the time that Mr Franco was dismissed, although they had done so previously. Commissioner Cambridge noted that the fact that Foodora were not actively using the data at the time was not determinative of the issue of control. The fact that they held that copious amount of data meant that they had the capacity to do so should they wish.
Commissioner Cambridge stated (emphasis original): The capacity for this control is inherently available from any utilisation of the significant volume of data that provides the metrics upon which control of engagement and performance of the work may be exercised. True it was that Mr Franco was not under any obligation to actually perform work for Deliveroo, but Deliveroo could exercise significant control over when, where and for how long Mr Franco worked if it chose to do so.
The importance of this FWC decision for data is not based on any precedential value; it is after all a small part of a decision which an appeal is currently underway. However, Commissioner Cambridge’s comments indicate a nuanced approach to the act of holding data that will likely become more prevalent. This is not to say that holding on to the data was the wrong business move for Foodora, but that the decision of whether or not to retain data is something that needs proper consideration.
The Regulation of Retention
Entities that are subject to the Australian Privacy Principles (APPs) under the Privacy Act 1988 do have some obligations when it comes to the way they hold on to data. This includes ensuring the security of the personal information it holds (APP 11) as well as the quality and accuracy of that data (APP 10). Under APP 11, an organisation must also take reasonable steps to either destroy or de-identify personal information it holds once it no longer needs it and are not legally required to retain it.
Organisations subject to the European Union’s General Data Protection Regulation (GDPR) have further obligations in respect to the information they hold. Article 5(1)(b) indicates that personal data held should be restricted to that which is necessary for the processes for which they are processed (known as data minimisation). It is also to be held (at least, in an identifiable form) for no longer than is necessary for the purpose that it was collected (Art 5(1)(e)).
Whether or not privacy regulations apply to an organisation or not may, in some circumstances, be determined due to the nature that the entity holds. Under section 6D(4)(b) of the Privacy Act 1988, an entity that would otherwise not be regulated by the Act will come under its auspices where it holds any “health information” except in an employee record. The definition of health information is broad, being any information or an opinion about a person’s health or health service. The simple act of holding this information may bring with it further obligation.
It is a common expectation that privacy regulations will increase in scope in time as awareness of privacy issues grows and becomes a greater concern for the general population. While Australia does not have any tort regarding privacy, it continues to be a matter of debate. The issue of the implications data retention is not something that can be left in the archives.
A Considered Approach to Data Retention
The above issues should not be seen as an attempt to discourage the use of data, rather it shows a need for a considered approach to the retention of information. The attitude towards data for many organisations is “collect everything, retain everything”, however, that is a mindset that should change. Avoiding the collection of unnecessary data, anonymising data (where possible) and having a robust data retention (and deletion) policy are all steps that organisations can take to ensure they are treating the information they hold with the respect it deserves.