August 2025 contributions transactions: 15,041,401
August 2025 rollover transactions: 201,788
August 2025 total superannuation transaction messages: 51,641,107

Cutting Data Clutter: Why Less Really Is More for Cyber Resilience

At our recent STN Cyber forum, Allens partners Valeska Bloch and Isabelle Guyot shared practical insights on how organisations can improve the way they handle data retention and destruction. The core message was simple: keeping too much data is one of the biggest risks facing today's financial services and superannuation sector.

Data breaches in Australia continue to rise. In 2024 more than 1,100 were reported, almost 70% of them the result of malicious or criminal attacks. Every breach reinforces the same lesson: the more information an organisation stores, the harder it is to secure and the greater the fallout when it leaks.

The Problem with “Keeping Everything”

For years, many organisations have defaulted to storing information indefinitely. That habit has been driven by complex IT systems, the idea that data might be useful one day, and the need to produce records for regulators or customer claims. Some even see accumulated data as a future asset for AI or analytics.

But the risks now outweigh the benefits. Storing too much data can bring serious consequences:

  • Regulatory pressure: more than 800 federal and state laws create retention and destruction rules, and superannuation funds alone are subject to over 300 of them. Regulators such as APRA and the OAIC are actively questioning over-retention.
  • Legal exposure: class actions following the Optus and Medibank breaches are testing whether those companies complied with Privacy Act obligations to destroy or de-identify personal information once it was no longer needed.
  • Technical headaches: legacy systems often have no deletion function, data is duplicated across multiple platforms, and free-text fields (notes, comments, case descriptions) hide personal information in places a field-by-field inventory will miss.
  • Reputational risk: when decades-old details surface in a breach, the affected individuals ask why the organisation still held them at all.

Finding the Right Balance

The challenge is balancing two risks. Hold on to data too long and the organisation is more vulnerable in a breach. Delete too early and it may be harder to respond to claims, remediation programs, or regulatory requests.

That balance comes from a structured, documented approach. Each type of record needs to be tested for whether it is genuinely required, in what form, and for how long. Not all records are equal. For example, Tax File Numbers may exist in several systems, but in most cases only one copy, in the system of record, is needed for compliance. Each extra copy widens the exposure in a breach without adding any compliance value.

A Practical Roadmap

Organisations can take a series of steps to get this right:

  1. Map the data. Understand what you hold, where it is, who uses it, and why.
  2. Document obligations. Capture the legal, regulatory, contractual, and business rules that apply.
  3. Update policies. Create or refresh retention and destruction policies that include exceptions and methods for secure de-identification or disposal.
  4. Work system by system. Prioritise by risk and sensitivity, and design tailored plans for each platform.
  5. Keep checking. Monitor compliance, review regularly, and make sure de-identified data remains de-identified.
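The roadmap above, the TFN example in the previous section, and the free-text problem noted under "Technical headaches" all come down to the same mechanics: an inventory of what is held where, a rule per data class, and a check that de-identified data really is de-identified. The following is an added worked example, not code from the forum or from Allens, that triages a small constructed inventory. The retention periods, system names and data classes are illustrative assumptions, not a statement of any fund's legal obligations; the TFN check is the ATO's published weighted modulus-11 algorithm.

```python
"""Retention triage for a data inventory: decide retain / de-identify / destroy,
flag redundant TFN copies, and scan free text for TFNs that survived de-identification."""
import re
from dataclasses import dataclass
from datetime import date

# ASSUMED retention periods in years per data class. Illustrative only; the real
# values come from the obligations register built in step 2 of the roadmap.
RETENTION_YEARS = {"tfn": 7, "member_profile": 7, "marketing_consent": 2}

# ASSUMED system of record per data class: the one copy compliance actually needs.
SYSTEM_OF_RECORD = {"tfn": "member_registry"}

# ATO TFN check: weighted sum of the nine digits must be divisible by 11.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)


def tfn_checksum_ok(digits: str) -> bool:
    """True if a 9-digit string passes the TFN weighted modulus-11 check."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


# Three groups of three digits, optionally separated by a space or hyphen,
# not embedded in a longer digit run (so phone numbers and IDs are skipped).
TFN_PATTERN = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")


def find_tfns(text: str) -> list[str]:
    """Digit strings in free text that look like a TFN and pass the checksum."""
    return [
        "".join(m.groups())
        for m in TFN_PATTERN.finditer(text)
        if tfn_checksum_ok("".join(m.groups()))
    ]


@dataclass
class Record:
    system: str
    data_class: str
    last_needed: date  # end of the business/legal need, e.g. account closure
    legal_hold: bool = False
    deidentified: bool = False
    free_text: str = ""


def add_years(d: date, years: int) -> date:
    """Date arithmetic that survives 29 February in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def decide(rec: Record, today: date) -> str:
    """Retain under a legal hold or inside the retention period; afterwards destroy,
    or de-identify where the data class keeps an analytics use. Unmapped classes
    are sent back for review rather than acted on: fix the inventory first."""
    if rec.legal_hold:
        return "retain"
    years = RETENTION_YEARS.get(rec.data_class)
    if years is None:
        return "review"
    if today < add_years(rec.last_needed, years):
        return "retain"
    return "de-identify" if rec.data_class == "member_profile" else "destroy"


def triage(inventory: list[Record], today: date) -> list[tuple[str, str, str]]:
    return [(r.system, r.data_class, decide(r, today)) for r in inventory]


def redundant_copies(inventory: list[Record]) -> list[str]:
    """Systems holding a data class outside its system of record (step 4 input)."""
    return [
        r.system for r in inventory
        if r.data_class in SYSTEM_OF_RECORD and r.system != SYSTEM_OF_RECORD[r.data_class]
    ]


def deidentification_leaks(inventory: list[Record]) -> list[tuple[str, str]]:
    """Records marked de-identified whose free text still carries a valid TFN (step 5)."""
    return [(r.system, t) for r in inventory if r.deidentified for t in find_tfns(r.free_text)]


# Constructed sample inventory; 123456782 is a commonly cited checksum-valid test TFN.
TODAY = date(2025, 9, 1)
INVENTORY = [
    Record("member_registry", "tfn", date(2020, 6, 30)),
    Record("crm", "tfn", date(2020, 6, 30)),
    Record("data_warehouse", "member_profile", date(2015, 1, 31)),
    Record("marketing", "marketing_consent", date(2022, 3, 1), legal_hold=True),
    Record("marketing", "marketing_consent", date(2021, 3, 1)),
    Record("legacy_app", "unknown_blob", date(2000, 1, 1)),
    Record("analytics", "member_profile", date(2010, 1, 1), deidentified=True,
           free_text="Case note: member TFN 123 456 782 confirmed by phone"),
]

if __name__ == "__main__":
    for row in triage(INVENTORY, TODAY):
        print(row)
    print("redundant TFN copies:", redundant_copies(INVENTORY))
    print("de-identification leaks:", deidentification_leaks(INVENTORY))
```

The two checks at the end are the ones a field-level inventory misses: the CRM holds a second TFN copy that compliance does not need, and the "de-identified" analytics extract still carries a TFN inside a case note. The checksum filter matters because a bare nine-digit regex over free text produces mostly false positives; the weighted check rejects roughly ten in eleven random digit strings.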

Importantly, this is not a one-off exercise. Business models, technology and the law all change, so retention and destruction frameworks must be kept up to date. Data mapping is especially valuable because it supports not only retention decisions but also privacy compliance, cyber risk management, and even AI governance: you cannot protect, delete or govern data you do not know you hold.

Looking Ahead

Boards are starting to take a stronger interest in this area. They see that building up data stores without limits no longer aligns with good governance. A smarter, risk-based approach reduces exposure while still meeting member and regulatory expectations.

Yes, deletion is hard. Old systems often lack the functions to erase data securely, and business units are reluctant to part with records they think they might need one day. But doing nothing is the bigger risk. By putting structured retention and destruction practices in place now, organisations shrink the blast radius of future breaches and show they are serious about protecting the data entrusted to them.