Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
In a world where information spreads quickly and sticks around, it’s natural for people to ask “can you delete that about me?” As a business owner in Australia, you might receive these requests from customers, former employees, or even your own team.
Globally, this is often called the “right to be forgotten” or “right to erasure.” But what does it actually mean under Australian law? Do you have to delete data when someone asks? And how do you balance those requests with your legal record-keeping obligations?
In this guide, we’ll explain what the right to be forgotten is, how Australian privacy laws currently approach deletion, what may change with privacy reforms, and practical steps you can take now. We’ll also cover the contracts and policies that help you respond to deletion requests confidently and consistently.
What Is The “Right To Be Forgotten”?
The “right to be forgotten” is a privacy concept that lets individuals ask organisations to remove certain personal information from their systems or from public view (for example, de-listing a search result). It originated in Europe and is most clearly expressed in the EU’s General Data Protection Regulation (GDPR) as a formal “right to erasure.”
In everyday terms, it’s about giving people more control over their digital footprint. A person might ask you to close and delete an old account, remove outdated profile information, or stop processing data you no longer need.
It’s a compelling idea, and Australian consumers are increasingly aware of it. However, Australia’s legal position is different from the EU, and that difference matters for how your business should respond.
Does The Right To Be Forgotten Apply In Australia?
Not in the same way as the EU. Australia does not currently have a general, express “right to be forgotten” that lets individuals demand deletion of their personal information on request.
Instead, Australian businesses that are covered by the Privacy Act 1988 (Cth) must follow the Australian Privacy Principles (APPs). Under APP 11, organisations must take reasonable steps to destroy or de‑identify personal information when they no longer need it for the purpose for which it was collected (unless another law requires retention). That’s a data minimisation and lifecycle obligation, not a blanket “delete on request” right.
Individuals do have rights to access and correction under the APPs, but those are different to an erasure right. If you’re new to the framework, it’s worth revisiting the Australian Privacy Principles to see how they apply to your business and where deletion fits in.
What About GDPR And Overseas Customers?
If you actively target EU or UK customers (for example, you offer goods or services to them or monitor their behaviour), you may be caught by GDPR‑style rules in those jurisdictions. In that case, separate erasure obligations could apply in addition to your Australian obligations. If you think you might be within scope, it’s best to seek tailored privacy advice before you commit to a process.
Proposed Reforms In Australia
Australian privacy law is undergoing reform. Government reviews have supported introducing a more explicit right to erasure, closer to the GDPR approach. While change isn’t in force yet, it’s wise to prepare your systems and contracts so you can handle erasure‑style requests without scrambling.
What Does The Privacy Act Require Right Now?
If your business is subject to the Privacy Act (many businesses with annual turnover of $3 million or more are covered, along with some smaller entities in specific industries or activities), you should focus on these current duties:
- APP 11 – Security and Lifecycle: Take reasonable steps to protect personal information you hold, and destroy or de‑identify it once you no longer need it for the purpose for which you collected it, unless a legal retention requirement applies.
- APP 12 & APP 13 – Access and Correction: Individuals can request access to their personal information and ask you to correct it if it is inaccurate, out‑of‑date, incomplete or misleading. These are not erasure rights, but you must respond appropriately and within a reasonable time.
- Transparency and Consent: Be clear about what you collect and why. A well‑drafted Privacy Policy and appropriate collection notices help set expectations and reduce confusion when requests arise later.
Many businesses also adopt internal retention schedules to meet APP 11 and minimise risk. If you hold a lot of data, consider documenting your approach in an Information Security Policy so your team knows when and how to archive, de‑identify or destroy data securely.
How Should You Handle A Deletion Or “Erasure” Request In Practice?
Even though Australia doesn’t yet have a broad erasure right, customers will still ask to have their data removed, and responding well builds trust. Here’s a practical, compliant process you can tailor to your business.
1) Confirm Scope And Identity
Clarify what the person wants you to delete (for example, an account, a profile, transaction history, marketing preferences) and verify their identity. Be careful not to disclose personal information to the wrong person during this process.
2) Map Where The Data Lives
Check your systems and suppliers. Data is often spread across a CRM, email marketing tools, backups, cloud storage and third‑party processors. If you use external processors, your Data Processing Agreement should set out how they support deletion, de‑identification and suppression requests.
3) Assess Legal And Operational Limits
Ask: do we still need this information for the purpose we collected it? If not, APP 11 points you towards destruction or de‑identification. If yes, document why. If a law requires retention (for example, corporate, employment, health, or tax record‑keeping rules), you may need to keep some information for a period (often five years under tax record‑keeping rules, though the exact period depends on your circumstances). For tax and accounting specifics, speak with your tax adviser or accountant.
4) Apply The Right Outcome: Delete, De‑Identify Or Suppress
Where you can, delete or irreversibly de‑identify personal information. If deletion isn’t possible or appropriate (for example, due to a legal hold or technical limitation), consider suppression: removing the data from active use while retaining it only for compliance. Make sure backups and replicated systems are addressed in your procedures.
5) Close The Loop
Respond in plain language. Explain what you’ve done, what you couldn’t do (and why), and when the changes take effect. Update your internal logs; keeping a short record of requests, decisions and actions helps demonstrate compliance if you’re ever audited.
If you’re unsure about the balance between privacy obligations and retention rules in a specific scenario, getting early privacy advice can save time and reduce risk.
When Shouldn’t You Delete Data?
Data deletion has limits. Before you remove anything, consider whether you must retain it for legal or operational reasons. Common retention requirements include:
- Record‑keeping laws: Company, employment and financial records often need to be kept for minimum periods under Australian law. The exact timeframe depends on the record type and the law that applies.
- Regulatory or dispute holds: If information may be relevant to an investigation, audit or legal dispute, you may need to preserve it.
- Safety and security: Some data is required to maintain system integrity or fraud prevention. Where possible, minimise and de‑identify instead of retaining identifiable data.
A structured retention schedule helps you apply these rules consistently. If you’re designing or refreshing your program, this overview of data retention laws in Australia is a helpful starting point.
Contracts, Policies And Systems That Make Deletion Easier
You can make deletion requests simpler, and reduce risk, by aligning your customer‑facing documents, internal policies and vendor contracts. Consider the following essentials.
Customer‑Facing Documents
- Privacy Policy: Set clear expectations about what you collect, how long you keep it, and how people can contact you about access or correction. A tailored, up‑to‑date Privacy Policy is the cornerstone of your privacy program.
- Collection Notices and Consent: When you collect information (for example, via web forms), present a concise collection notice that explains purpose and key handling practices. For higher‑risk data, obtain express consent using plain language.
- Website Terms: If you run an online platform or store, include account management, closure and content removal processes in your Website Terms and Conditions. This helps users understand what will happen to their data when they leave.
Internal Policies And Playbooks
- Information Security Policy: Outline data lifecycle controls, including retention, de‑identification and secure destruction. An Information Security Policy turns high‑level intentions into practical steps for your team.
- Data Breach Response Plan: Deletion and data security go hand in hand. A clear data breach response plan ensures you can detect, contain and notify quickly if something goes wrong.
Third‑Party Supplier Controls
- Data Processing Agreements: If you share personal information with cloud providers, marketing platforms or other processors, your Data Processing Agreement should require them to support deletion, de‑identification, suppression and return of data on request or termination. It should also deal with backups and subcontractors.
- Service Contracts: For B2B services, align promises in your customer contracts with what your systems can actually deliver. Don’t promise instant “complete erasure” if backups and legal retention rules mean you need a more nuanced approach.
Bringing these documents together ensures your public promises, legal duties and technical capabilities are consistent, reducing the chance of complaints or regulator scrutiny.
Practical Tips To Stay Compliant And Build Trust
- Create and maintain a simple data map so you know which systems (and vendors) hold personal information, including backups.
- Adopt a retention schedule that implements APP 11: destroy or de‑identify when information is no longer needed for the purpose you collected it.
- Train your team to recognise and triage privacy requests quickly, including access, correction and deletion‑style requests.
- Design customer exit and account‑closure flows that automatically remove or de‑identify personal information where appropriate.
- Document decisions where you can’t delete data due to legal retention or disputes, and set a review date to reassess.
- Review your privacy program annually against the APPs, and be ready to adjust for upcoming reforms.
Key Takeaways
- Australia doesn’t currently have a general “right to be forgotten,” but APP 11 requires you to destroy or de‑identify personal information once it’s no longer needed for the purpose you collected it (unless a law requires retention).
- Access and correction rights under the APPs are not the same as an erasure right; treat deletion requests carefully and assess your legal position before acting.
- Have clear, consistent documents in place: your Privacy Policy, collection notices, Website Terms and Conditions, and Data Processing Agreements should align with what your systems can deliver.
- Before deleting, check for retention requirements (for example, company, employment or tax records). Timeframes vary, so get accounting or legal guidance where needed.
- A structured process (verify identity, map the data, decide whether to delete, de‑identify or suppress, and close the loop) helps you respond quickly and consistently.
- Privacy reforms may introduce a stronger erasure right in Australia, so preparing now will make any transition smoother.
If you’d like a consultation on handling right‑to‑be‑forgotten requests or building a privacy program that fits your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no‑obligations chat.