The Privacy Act requires credit providers to “destroy” certain information: for example 20J (pre-screening assessment) and 21S (for security reasons).

Paragraph 1.2(g) of the CR Code explains the obligation to destroy as follows:

An obligation on a CP to “destroy” credit reporting information or credit eligibility information requires the CP to take reasonable steps to ensure that it irretrievably destroys the information. Where it is not possible for a CP to irretrievably destroy credit-related personal information held in electronic format, the CP should take steps to put the information ‘beyond use’. Information is ‘beyond use’ if the CP:
(i) is not able to use, and will not attempt to use, the information, including for the purpose of deriving CP derived information; and
(ii) is not able to disclose, and will not attempt to disclose, the information; and
(iii) surrounds the information with appropriate technical and organisational security; and
(iv) commits to irretrievably destroy the information if, or when, this becomes possible.

Paragraph 22.2 of the CR Code requires each CP to maintain adequate records where credit-related personal information is destroyed to meet obligations under Part IIIA, the Regulations and the CR code (but only if this is possible).

25 February 2014: See update here.

OAIC Information Sheet on de-identification of data and information