How long can a company keep my personal information?

In Plain English:

The answer to your question depends on the type of information and the specific laws that apply. Here's a breakdown based on the provided context:

  • Eligible Data Breach Declaration: If a data breach occurs, any special permissions to collect, use, or share your personal information related to that breach will end either at a time specified in the declaration, when the declaration is cancelled, or 12 months after the declaration began, whichever comes first (Privacy Act 1988).
  • Credit Reporting Information: How long credit reporting bodies can keep your information depends on the type of information. For instance, information about debt agreement proposals is kept until the proposal is withdrawn, not accepted, cancelled, or lapses (Privacy Act 1988). If you've been a victim of fraud, a credit reporting body must destroy the credit reporting information related to that fraud, unless required by law or court order to keep it (Privacy Act 1988).
  • Pricing Information (Very Large Retailers): Very large retailers must keep pricing information for at least three years after the information is created or given to the retailer (Competition and Consumer (Industry Codes—Food and Grocery) Amendment (Supermarkets Excessive Pricing Prohibition) Regulations 2025).
  • Foreign Acquisitions and Takeovers: Records related to significant actions or notifiable actions must be kept for 5 years. Records relating to conditions must be kept for 2 years (Foreign Acquisitions and Takeovers Legislation Amendment Act 2015).
  • Consumer Data Right (CDR) Records: Records related to the Consumer Data Right must be kept for 6 years (Competition and Consumer (Consumer Data Right) Rules 2020).
  • Research Information: Research organisations must only keep identifiable research information while the details of the identity of the individual whom the information is about continue to be necessary to be retained for research purposes. The information must be destroyed or de-identified once these purposes have been achieved (Privacy (Market and Social Research) Code 2021).

Detailed Explanation:

Several pieces of legislation and rules outline specific retention periods for personal information.

  • Privacy Act 1988 (docid=1):
    • Eligible Data Breach Declaration: Section 26XB of the Privacy Act 1988 allows entities to collect, use, or disclose personal information during an eligible data breach declaration, but this authorisation is temporary. Section 101 specifies that such a declaration ceases to be in force after a specified time, repeal, or 12 months from commencement.
    • Credit Reporting Information: Sections 20W and 20X of the Privacy Act 1988 detail retention periods for credit information and personal insolvency information. Section 20Y mandates the destruction of credit reporting information in cases of fraud, unless otherwise required by law.
  • Competition and Consumer (Industry Codes—Food and Grocery) Amendment (Supermarkets Excessive Pricing Prohibition) Regulations 2025 (docid=4):
  • Foreign Acquisitions and Takeovers Legislation Amendment Act 2015 (docid=7):
  • Competition and Consumer (Consumer Data Right) Rules 2020 (docid=10):
  • Privacy (Market and Social Research) Code 2021 (docid=5):
    • Clause 19A states that a Research Organisation must retain identifiable research information only while the details of the identity of the individual whom the information is about continue to be necessary to be retained for research purposes. The information must be destroyed or de-identified once these purposes have been achieved (Privacy (Market and Social Research) Code 2021).
  • Privacy (Persons Reported as Missing) Rule 2024 (docid=6):
    • After a person reported as missing has been located, any subsequent use and disclosure of that person’s personal information must comply with the Australian Privacy Principles (APPs), particularly APP 6 (Privacy (Persons Reported as Missing) Rule 2024).

It's important to note that the Privacy Act 1988 and the Australian Privacy Principles (APPs) generally govern the handling of personal information, including its use, disclosure, and storage. APP 11 outlines the requirements for the security of personal information, and APP 11.2 states that if an APP entity holds personal information that it no longer needs for any purpose for which the information may be used or disclosed, the entity must take reasonable steps to destroy the information or to ensure that the information is de-identified.

Without knowing the specific context of the personal information you're asking about, it's impossible to provide a definitive answer.