You probably file this under records management, not the board. It belongs on the board. The Privacy Act lets you keep personal information only for as long as you actually need it. Most databases were built to add and update. They were never built to delete. So old customers, old applicants, old staff, old payment details sit there year after year, long after the reason for holding them has gone.
Here is the part that should bother you. Every one of those records is still in scope. If you are breached tomorrow, the damage is not measured by the customers you have today. It is measured by every personal record the database has ever held and never let go. A leak does not care that a record is eleven years old and belongs to someone who left in 2014. It exposes them anyway, and you answer for them anyway.
So, a fair question: is there anyone in your organisation who can tell you, with a date, when a customer record is allowed to be deleted and whether that deletion actually happens? Not the policy document. The mechanism. In most places the honest answer is no, and the records have been quietly accumulating the whole time.
I am not going to pretend this is dramatic. It is the opposite. It is a slow, invisible expansion of everything you are liable for, and it never shows up as an incident until the day it does. The data that should be gone is just waiting to be the reason a small breach becomes a reportable one.
What would it take to find out how much personal data you are holding past its legal life? Less than you think. The first step is not a retention project or a policy rewrite. It is a plain look at what is actually in the database and how old it is, in language a board can read.
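One way to take that first look, as an added example rather than anything from this page or the health check it describes: a read-only query that, given a retention period counted from each record's last activity, lists the live records whose allowed deletion date has already passed and how far past it they are. The table schema, the seven-year period, the sample rows and the as-of date are all constructed for illustration; your own retention period and the event it runs from depend on your legal basis and will differ.

```python
"""Read-only retention age check for personal records (added example, not
the page's health check). Schema, retention rule and data are constructed."""
import sqlite3
from datetime import date

# Assumption: one table of personal records with a last-activity date.
SCHEMA = """
CREATE TABLE customers (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL,
    last_activity_at TEXT NOT NULL,  -- ISO 8601 date of last contact/use
    deleted_at TEXT                  -- NULL: record is still held
);
"""

# Constructed sample rows, not real people. Record 4 was already deleted.
SAMPLE_ROWS = [
    (1, "a@example.com", "2025-03-01", None),
    (2, "b@example.com", "2021-06-15", None),
    (3, "c@example.com", "2014-02-10", None),
    (4, "d@example.com", "2012-11-30", "2020-01-01"),
    (5, "e@example.com", "2019-08-20", None),
    (6, "f@example.com", "2016-05-05", None),
    (7, "g@example.com", "2009-01-01", None),
]

# Assumed retention rule: keep for 7 years after last activity. The real
# period and trigger come from your legal basis, not from this example.
RETENTION_YEARS = 7
AS_OF = date(2025, 12, 1)  # constructed "today" so the results are reproducible


def load_sample_db():
    """Build an in-memory copy of the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def overdue_records(conn, retention_years, as_of):
    """Return (id, allowed_deletion_date) for every live record whose allowed
    deletion date is already in the past. SELECT only: nothing is modified."""
    modifier = f"+{int(retention_years)} years"  # SQLite date() modifier
    rows = conn.execute(
        """
        SELECT id, date(last_activity_at, ?) AS delete_after
        FROM customers
        WHERE deleted_at IS NULL
          AND date(last_activity_at, ?) < ?
        ORDER BY delete_after
        """,
        (modifier, modifier, as_of.isoformat()),
    ).fetchall()
    return [(rid, delete_after) for rid, delete_after in rows]


def retention_summary(conn, retention_years, as_of):
    """Board-level numbers: how many live records exist, how many are past
    their allowed deletion date, and how far past (bucketed in years)."""
    live = conn.execute(
        "SELECT COUNT(*) FROM customers WHERE deleted_at IS NULL"
    ).fetchone()[0]
    overdue = overdue_records(conn, retention_years, as_of)
    buckets = {"under_1y": 0, "1_to_5y": 0, "over_5y": 0}
    oldest = 0
    for _, delete_after in overdue:
        years = (as_of - date.fromisoformat(delete_after)).days // 365
        oldest = max(oldest, years)
        if years < 1:
            buckets["under_1y"] += 1
        elif years <= 5:
            buckets["1_to_5y"] += 1
        else:
            buckets["over_5y"] += 1
    return {
        "live_records": live,
        "overdue": len(overdue),
        "share_overdue": round(len(overdue) / live, 2) if live else 0.0,
        "oldest_overdue_years": oldest,
        "buckets": buckets,
    }


def run_sample_report():
    """Run the check against the constructed data."""
    return retention_summary(load_sample_db(), RETENTION_YEARS, AS_OF)


if __name__ == "__main__":
    for key, value in run_sample_report().items():
        print(f"{key}: {value}")
```

On the constructed data, three of six live records are past their allowed deletion date, the oldest by nine years. The query only counts; it deliberately does nothing about the records it finds, which is the same read-only stance a first look should take.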
The free 15-minute health check is read-only and changes nothing. It produces a graded, plain-English report you can hand straight to your board, including where you may be holding personal data well past the point you were allowed to keep it. No sales call, no obligation. If the report comes back clean, you have your answer for the next audit. If it does not, you found out on a quiet afternoon instead of at 2:39am.
Want to know if this is sitting in your estate? We run a read-only check and hand you a graded report in plain English.
Get your free health check