Data Minimisation and Retention Best Practice Guidance
In November 2023, RIMPA Global was invited by the Digital Service Providers Australia and New Zealand (DSPANZ) to provide feedback on their draft Data Minimisation and Retention Best Practice Guidance.
The draft document describes the recordkeeping requirement for digital services providers (DSPs) under Australian taxation and employment law, as well as guidance for the DSPs in relation to the management and retention of customer data.
RIMPA Global's feedback was that the draft document provided a sound basis on which to support decisions about the retention of customer data. Additionally, our submission highlighted the following:
- need for a clearer distinction between the role of data custodian and data owner, particularly with regard to defining management roles and responsibilities
- potential for misinterpretation and the risk of data loss or premature disposal when using the phrase 'maximum retention' as opposed to 'minimum retention' when referring to legislative record retention obligations
- need to fully inform the customer about the implications of retention practices on the performance of aggregated data sets, which may act as a catalyst for longer retention
- absence of guidance about the retention/deletion of data created during the data portability process in order to avoid 'just in case' retention
- desirability of data deletion certificates and client acknowledgement, and
- specific conditions that should be included in all contracts, ensuring the risks of shared responsibilities under a SaaS model are clearly defined.