Data Retention
Data retention is dull. Really, really dull.
Chances are you either don’t have a data retention policy, or you hastily knocked one up for an audit or customer compliance objective, and it has sat largely untouched ever since.
With that in mind, let's also consider that two major ANZ breaches this year have been made considerably worse by poor data retention practices. Both cases are currently before the relevant privacy authorities.
The case for data retention governance is very simple. More data equals more risk. You should not keep any data that you are not legally required to keep or that is not critical to your business.
Let's have a look at some examples.
Manage My Health (NZ)
The Manage My Health breach exposed clinical documentation relating to more than 100,000 patients.
This was not just names and email addresses. It included referrals, test results, clinical correspondence and other sensitive health information.
Healthcare providers in New Zealand must retain health records for defined minimum periods. The Privacy Act 2020 also makes it clear that personal information must not be kept for longer than is required for lawful purposes. Minimum retention does not mean indefinite retention in every connected system.
In most cases, Manage My Health was not the primary holder of the clinical record. The source of truth sits within the GP practice’s patient management system.
So the governance question becomes simple.
If a practice offboarded from the platform, or if a patient account became inactive for years, why was the full historical dataset still sitting within a live, internet-facing portal?
A secondary platform should have:
• Defined offboarding controls
• Inactivity thresholds
• Account lifecycle management
• Data minimisation and purge schedules
Let’s make this into an example policy for clarity. This could be as simple as ‘If a practice offboards, or no new data is received for a patient for a defined period, notify the user and, if there is no response within a set timeframe, permanently delete the portal account and associated data’.
When attackers gain access, those dormant records become part of the breach. That is not a storage issue. That is a governance failure.
Victorian Government Schools, Australia
In 2026, the Victorian Department of Education confirmed a cyber incident involving both current and former student records, including names, school email addresses and encrypted passwords.
Schools have legitimate retention obligations. Enrolment registers may be permanent. Attendance and child safety records can require long-term retention.
Authentication credentials are different.
There is no legal requirement to retain dormant student login accounts or password hashes years after a student has left. So the governance decision here is simple: if a student has graduated or otherwise left, why does their authentication data still exist on a live system?
A policy could be as simple as: disable accounts immediately when a student leaves and permanently delete authentication credentials after a defined period, while retaining only the academic records required by law.
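The two example policies above (the portal rule: inactivity threshold or practice offboarding, notify the user, wait out a grace period, then delete; and the school rule: disable on leaving, purge credentials after a fixed period) are the kind of lifecycle control that usually exists on paper but not as anything that runs. As an added example, not code from the original post or from CySura, here is both rules written as a single dry-run retention sweep in Python. The thresholds (two years of inactivity, a 60-day notice period, a 90-day credential purge), the rule that a reply to the notice keeps the account and counts as activity, and the account records are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Policy:
    inactivity_days: Optional[int]  # no new data for this long starts the lifecycle; None = offboarding only
    notify: bool                    # send a notice and allow a reply before deleting
    grace_days: int                 # days between the notice (or the trigger, if no notice) and deletion


@dataclass
class Account:
    id: str
    last_activity: date                   # last new data received for the patient, or last student login
    offboarded_on: Optional[date] = None  # practice offboarded from the platform / student left the school
    notified_on: Optional[date] = None    # dormancy notice sent to the user
    responded_on: Optional[date] = None   # user replied asking to keep the account


def decide(acct: Account, policy: Policy, today: date) -> str:
    """Return keep, notify, wait, disable or delete for one account under one policy."""
    # Step 1: when (if ever) did the lifecycle trigger fire?
    trigger: Optional[date] = None
    if acct.offboarded_on is not None:
        trigger = acct.offboarded_on
    elif policy.inactivity_days is not None:
        # Assumption for this example: a reply to an earlier notice counts as activity.
        last = max(acct.last_activity, acct.responded_on or acct.last_activity)
        due = last + timedelta(days=policy.inactivity_days)
        if due <= today:
            trigger = due
    if trigger is None:
        return "keep"

    # Step 2: policies without a notice disable at once and purge after the grace period.
    if not policy.notify:
        purge_on = trigger + timedelta(days=policy.grace_days)
        return "delete" if today >= purge_on else "disable"

    # Step 3: notice flow: notify, then wait out the grace period unless the user replies.
    if acct.notified_on is None:
        return "notify"
    if acct.responded_on is not None and acct.responded_on >= acct.notified_on:
        return "keep"
    if today >= acct.notified_on + timedelta(days=policy.grace_days):
        return "delete"
    return "wait"


def sweep(accounts, policy: Policy, today: date) -> dict:
    """Dry-run classification of every account; the caller performs (and logs) the actions."""
    return {a.id: decide(a, policy, today) for a in accounts}


# Constructed sample data (hypothetical, for illustration only).
TODAY = date(2026, 3, 1)

PORTAL_POLICY = Policy(inactivity_days=730, notify=True, grace_days=60)
PORTAL_ACCOUNTS = [
    Account("p1", last_activity=date(2026, 1, 10)),                                    # active patient
    Account("p2", last_activity=date(2023, 6, 1)),                                     # dormant, never notified
    Account("p3", last_activity=date(2022, 1, 1), notified_on=date(2026, 1, 20)),      # notice sent 40 days ago
    Account("p4", last_activity=date(2022, 1, 1), notified_on=date(2025, 11, 1)),      # notice sent, no reply, grace expired
    Account("p5", last_activity=date(2025, 6, 1), offboarded_on=date(2025, 12, 1),
            notified_on=date(2025, 12, 2), responded_on=date(2025, 12, 10)),           # practice offboarded, patient replied
    Account("p6", last_activity=date(2022, 1, 1), notified_on=date(2025, 11, 1),
            responded_on=date(2025, 11, 5)),                                           # dormant, but reply reset the clock
]

SCHOOL_POLICY = Policy(inactivity_days=None, notify=False, grace_days=90)
SCHOOL_ACCOUNTS = [
    Account("s1", last_activity=date(2026, 2, 20)),                                    # current student
    Account("s2", last_activity=date(2026, 1, 10), offboarded_on=date(2026, 1, 15)),   # left 45 days ago
    Account("s3", last_activity=date(2025, 9, 20), offboarded_on=date(2025, 10, 1)),   # left 5 months ago
]

if __name__ == "__main__":
    for name, accounts, policy in (("portal", PORTAL_ACCOUNTS, PORTAL_POLICY),
                                   ("school", SCHOOL_ACCOUNTS, SCHOOL_POLICY)):
        for acct_id, action in sweep(accounts, policy, TODAY).items():
            print(f"{name} {acct_id}: {action}")
```

Run it as a dry run and review the counts before wiring "delete" to anything. Two caveats a practitioner would want: for the school policy "delete" applies to the authentication data only, with the academic record retained under its own legal schedule; and a real purge must reach every connected system that holds a copy, replicas and backups included, or the dormant records are still part of the next breach.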
Lesson learnt?
Effective data retention is not about keeping everything just in case. It is about discipline and risk mitigation. Do not collect information you do not genuinely need. Retain only what is required to meet legitimate business objectives or clear legal obligations. When data is no longer necessary, remove it. Where possible, anonymise it.
In practical terms, that means:
• Collect deliberately
• Retain purposefully
• Delete confidently
• Anonymise wherever feasible
• Audit regularly
Every additional dataset increases your attack surface. Every dormant account widens breach scope. More data retained = more risk.
How can I help?
I have spent years working in regulated environments where retention is not theoretical. Healthcare, sensitive data, audit scrutiny, board reporting. I have seen what happens when policies exist but lifecycle controls do not.
Through CySura, I work directly with organisations to review what they are actually holding, map that against legal and business requirements, and implement practical controls that reduce exposure. That might mean a focused retention audit, cleaning up identity sprawl, aligning to ISO 27001 or SOC 2 requirements, or providing ongoing vCISO support where I sit alongside leadership and make sure governance is real, not just documented.
You get practical IT and network experience, security leadership, and governance oversight in one place. No theory. No shelfware policies. Just clear advice on what you need to keep, what you do not, and how to reduce risk properly.