Can I ask a company to delete my personal information?

In Plain English

Yes, under certain circumstances, you can ask a company to delete your personal information.

Specifically, under the Privacy Act 1988, if a credit reporting body holds credit information about you, it must destroy the credit information, or ensure that the information is de-identified, within 1 month after the retention period for the information ends.

Also, under the National Health (Data-matching) Principles 2020, if the results of the matching of information by the Chief Executive Medicare or an authorised Commonwealth entity are no longer needed for any purpose for which the information was matched, the Chief Executive Medicare or authorised Commonwealth entity must, within 90 days after the results cease to be needed, take reasonable steps to destroy the results.

Under the Competition and Consumer (Consumer Data Right) Rules 2020, Accredited Data Recipients must delete CDR data in accordance with the CDR data deletion process.

Detailed Explanation

The legislative context provides several scenarios where you can request or expect the deletion of your personal information:

  1. Credit Reporting Information: Under the credit reporting provisions of the Privacy Act 1988, a credit reporting body must destroy credit information or de-identify it within one month after the retention period ends (see 20V).

  2. Data Matching by Government Entities: The National Health (Data-matching) Principles 2020 outlines that if the results of data matching by the Chief Executive Medicare or an authorised Commonwealth entity are no longer needed, they must take reasonable steps to destroy the results within 90 days after the results cease to be needed (see section 16). Also, if personal information was provided for data matching but is not intended to be matched, it must be destroyed within 90 days of that determination (see section 17).

  3. Consumer Data Right (CDR) Data: Under the Competition and Consumer (Consumer Data Right) Rules 2020, if an Accredited Data Recipient has identified CDR data as redundant, it must identify whether any of the provisions of the Act apply to the CDR data (see 1.17A). If one of those provisions applies, the accredited person must retain the CDR data while that provision applies. Also, if the Accredited Data Recipient can de-identify the relevant data to the required extent, the Accredited Data Recipient must delete any CDR data that must be deleted in order to ensure that no person is any longer identifiable, or reasonably identifiable (see 1.17).

It's important to note that the Privacy Act 1988 also contains Australian Privacy Principles (APPs) that govern how APP entities handle personal information. APP 13 addresses the correction of personal information, stating that if an APP entity holds personal information about an individual and is satisfied that the information is inaccurate, out-of-date, incomplete, irrelevant, or misleading, or if the individual requests the entity to correct the information, the entity must take reasonable steps to correct that information. While this isn't a direct mandate for deletion, correcting information could involve removing inaccurate or irrelevant data.