
Data Retention and Deletion Policy & Security Policy

Hello, and welcome to Critical Info.

This Data Retention and Deletion Policy, and Security Policy (“Policy”) is designed to ensure compliance with Australian legal and regulatory requirements regarding the retention, deletion, and security of data. It applies to all data processed and stored by the Data Controller and the Data Processor, as defined below, in the course of their business operations.

The objective of this Policy is to define the responsibilities and procedures for effectively managing the lifecycle of data, from its collection to its eventual disposal, and to ensure the protection of such data against unauthorised access, disclosure, alteration, and destruction. This Policy outlines the principles for data retention, deletion, and security measures that are to be adhered to by both parties to safeguard the privacy and integrity of the data.

Scope and Purpose

This Data Retention and Deletion Policy, and Security Policy (“Policy”) applies to all personal data processed by the Data Processor on behalf of the Data Controller, in accordance with the data protection laws and regulations of Australia. The purpose of this Policy is to ensure that personal data is managed in a way that is compliant with legal and regulatory requirements, protects the privacy of individuals, and maintains the integrity and security of the data.

The Policy outlines the responsibilities of both the Data Processor and the Data Controller in relation to the retention and deletion of personal data, as well as the measures in place to protect the security of the data throughout its lifecycle. It is designed to ensure that personal data is not retained for longer than necessary, and that when it is no longer required, it is securely deleted in a manner that prevents its recovery or misuse.

Definitions

For the purposes of this Data Retention and Deletion Policy, and Security Policy (the “Policy”), the following terms shall have the meanings ascribed to them below:

• “Data Controller” means the party responsible for determining the purposes and means of processing Personal Data.

• “Data Processor” means the party processing Personal Data on behalf of the Data Controller.

• “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

• “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Retention Policy

In accordance with applicable Australian laws and regulations, the Data Controller and the Data Processor are committed to ensuring the secure and lawful handling of Personal Data. This Data Retention Policy outlines the types of data collected, the purposes for data collection, retention periods for different categories of data, and the legal basis for processing and retaining Personal Data.

The following principles shall apply to the retention of Personal Data:

1. Personal Data shall only be retained for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

2. Upon the expiration of the retention period, Personal Data shall be deleted or anonymised so that the Data Subject can no longer be identified, unless further retention is required or permitted by law.

3. Retention periods may vary depending on the category of Personal Data and the legal basis for processing. Specific retention periods are determined based on the statutory obligations and the operational requirements of the Data Controller and Data Processor.

4. The Data Controller and Data Processor shall regularly review the retention periods for Personal Data and update them as necessary to comply with legal and regulatory changes.

This policy is designed to ensure that Personal Data is managed in compliance with applicable legal and regulatory requirements and to minimise the risk of unauthorised access or disclosure.

Data Deletion Policy

Upon the termination of the Data Processing Agreement or upon the Data Controller’s request, the Data Processor shall, at the choice of the Data Controller, delete or return all the Personal Data to the Data Controller and delete existing copies unless Australian law requires storage of the Personal Data.

The Data Processor shall identify Personal Data for deletion based on the criteria specified by the Data Controller, including but not limited to the expiration of the data retention period, the fulfilment of the purposes for which the Personal Data was collected, or upon a specific request by the Data Subject.

The deletion process shall be carried out in a manner that ensures the permanent removal of Personal Data from all storage media in the Data Processor’s possession or control. This includes, but is not limited to, physical destruction, degaussing, or employing other effective deletion methods that render the data irretrievably unreadable or unusable.

The Data Processor shall provide the Data Controller with a written confirmation that the Personal Data has been deleted, except for any copies that are required to be retained under Australian law. This confirmation shall include details of the deleted data, the date of deletion, and the deletion method used.

Both parties agree to comply with all applicable Australian laws and regulations regarding the deletion of Personal Data, including the Australian Privacy Principles and the Privacy Act 1988 (Cth).

Data Security Policy

The Data Processor shall implement and maintain technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Such measures shall include, but not be limited to:

• Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

• Implementing measures to ensure that Personal Data is not accessed, except by employees in the proper performance of their duties;

• Using encryption and pseudonymisation techniques where appropriate;

• Maintaining a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing;

• Ensuring that any natural person acting under the authority of the Data Processor, who has access to Personal Data, does not process them except on instructions from the Data Controller, unless he or she is required to do so by law.

In the event of a data breach, the Data Processor shall promptly notify the Data Controller without undue delay after becoming aware of it. The notification shall include all relevant information concerning the data breach in order to enable the Data Controller to fulfil its obligations under any data protection laws or regulations to report the data breach or inform Data Subjects of it.

The Data Processor agrees to assist the Data Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the General Data Protection Regulation (GDPR) concerning security of processing, notification of a personal data breach to the supervisory authority, communication of a personal data breach to the Data Subject, and data protection impact assessments and prior consultation with the supervisory authority.

Roles and Responsibilities

This Data Retention and Deletion Policy, and Security Policy (the “Policy”) outlines the roles and responsibilities of the Data Controller and the Data Processor in relation to the processing of Personal Data, in compliance with applicable Australian laws and regulations.

The Data Controller is responsible for determining the purposes and means of the processing of Personal Data. The Data Controller must ensure that the processing of Personal Data is in accordance with the principles of data protection and privacy laws applicable in Australia. This includes ensuring that appropriate data protection and security measures are in place to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

The Data Processor, acting under the authority of the Data Controller, is responsible for processing Personal Data on behalf of the Data Controller. The Data Processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including measures to protect against unauthorised or unlawful processing and against accidental loss, destruction, or damage of Personal Data. The Data Processor must assist the Data Controller in fulfilling its data protection and security obligations, including obligations related to Data Subject rights, data breach notifications, and data protection impact assessments.

Both parties agree to comply with all applicable data protection and privacy laws and regulations, including obligations related to the processing, security, and confidentiality of Personal Data. The parties also commit to cooperating with each other to ensure compliance with such laws and regulations, including in the event of a Data Breach.

Legal Compliance

The Data Processor and Data Controller shall comply with all applicable laws, regulations, and guidelines related to data protection, data retention, data deletion, and data security, including but not limited to the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) set out therein, as well as any other relevant Australian state or territory legislation. Furthermore, where the Processing of Personal Data involves Data Subjects who are located outside of Australia, the Data Processor and Data Controller shall also ensure compliance with the relevant data protection laws of those jurisdictions.

In the event of a Data Breach, the Data Processor shall promptly notify the Data Controller without undue delay. The Data Controller shall then assess the situation and, if required by applicable law, notify the relevant supervisory authority and/or the affected Data Subjects in accordance with the legal requirements.

Both parties agree to cooperate fully with each other to ensure compliance with all applicable data protection laws and to handle any inquiries or complaints from Data Subjects or regulatory authorities concerning the Processing of Personal Data.

Policy Review and Updates

This Data Retention and Deletion Policy, and Security Policy (“Policy”) shall be reviewed at least annually by the Data Controller and Data Processor to ensure compliance with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and any other applicable laws and regulations. This review will include an assessment of the effectiveness of the Policy’s provisions in protecting Personal Data, as well as the identification and implementation of improvements as necessary.

Any updates or amendments to this Policy must be approved by both the Data Controller and the Data Processor. Following any updates, the revised Policy will be communicated to all relevant parties, including employees and subcontractors who handle Personal Data on behalf of the Data Controller and Data Processor. This is to ensure that all parties are aware of and understand their responsibilities and the procedures to be followed for the effective protection of Personal Data.

In the event of a Data Breach, the Policy will be reviewed promptly to identify any failures in policy or practice that contributed to the breach. Appropriate modifications will be made to prevent similar incidents in the future. The Data Controller and Data Processor commit to ongoing compliance with this Policy and to regular training for staff on data protection principles and practices.

Breach Notification Procedures

In the event of a Data Breach, the Data Processor shall, without undue delay, notify the Data Controller upon becoming aware of the Data Breach. This notification shall include, to the extent possible, the categories and approximate number of Data Subjects affected, the categories and approximate number of Personal Data records concerned, the likely consequences of the Data Breach, and the measures taken or proposed to be taken by the Data Processor to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Data Controller shall assess the impact of the Data Breach and determine the necessity of notifying the Data Subjects and/or the relevant authorities, in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). If it is deemed necessary to notify the Data Subjects, the Data Controller shall do so in a manner that is timely and in compliance with the legal requirements set forth in the Australian Privacy Act 1988 (Cth).

Both parties agree to cooperate fully with each other to investigate any Data Breach, to mitigate the effects of any Data Breach, and to comply with applicable legal requirements. This includes sharing information related to the Data Breach investigation and any measures taken to address it, subject to legal and regulatory constraints.

The Data Processor is also required to document all Data Breaches, including the facts relating to the Data Breach, its effects, and the remedial action taken. This documentation must be made available to the Data Controller upon request, to enable compliance with the Data Controller’s legal obligations under the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Contact Information

In the event of any questions or concerns regarding the Data Retention and Deletion Policy, Security Policy, or any related matters, Data Subjects or any concerned parties may contact us at contactus@criticalinfo.com.au or call 03 8595 3033, our general office enquiries number, which is open during business hours, 9am – 5pm AEST.

Both the Data Controller and the Data Processor are committed to ensuring the privacy and security of all Personal Data processed in accordance with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Any Data Breaches will be addressed promptly in compliance with applicable laws and regulations.

Last update: Monday, 07 April 2025