All templates
Privacy Act / APPs · APP 11.2

Data Retention and Destruction Policy Template — APP 11

APP 11.2 retention and destruction policy with state-specific schedules (NSW HRIPA, Vic HRA, ACT HRPPA). Covers minimum retention for adult and minor records, deceased patients, billing records, sterilisation logs and CCTV. Includes destruction methods (paper, electronic, mobile), Certificate of Destruction handling, de-identification, and a destruction register.

Privacy Act 1988Health Records and Information Privacy Act 2002 (NSW)Health Records Act 2001 (Vic)Health Records (Privacy and Access) Act 1997 (ACT)6 pages, Word format

This template is available on a paid plan

Subscribe to ClinicComply to download the Data Retention and Destruction Policy template and access all policy templates.

View plans

What's in this template?

This Data Retention and Destruction Policy template gives Australian healthcare practices the document required by Australian Privacy Principle 11.2 to govern how long personal information is kept and how it is destroyed. It is built directly from the structure of the OAIC's APP Guidelines (Chapter 11), the Guide to Health Privacy and the state health records legislation (NSW HRIPA, Vic HRA, ACT HRPPA), then tailored for medical and allied health settings.

The template covers 14 sections plus a sign-off block:

  1. Purpose — links the policy to APP 11.2 and state health records legislation
  2. Scope — clinical, administrative, billing, staff, visitor, CCTV, backups
  3. Legislative framework — Privacy Act, NSW HRIPA, Vic HRA, ACT HRPPA, Medicare regulations
  4. Retention schedule — full table with retention periods, trigger dates and storage formats
  5. Storage during retention — physical, electronic, archive, backup
  6. Trigger to destroy — five-condition test before any destruction
  7. Destruction methods — paper, electronic, mobile devices
  8. Destruction register — log of every destruction event
  9. De-identification — alternative to destruction
  10. Patient and staff requests for destruction — APP 11.2 individual requests
  11. Roles and responsibilities — Privacy Officer, Records Custodian, Practice Manager, IT
  12. Annual review — destruction reviews and policy updates
  13. Related documents — full document set
  14. Approval and review — formal sign-off table

Editable placeholder fields

  • {{practice_name}}, {{abn}}
  • {{privacy_officer}}, {{records_custodian}}
  • {{practice_state}} — NSW, Vic, ACT, Qld, SA, WA, Tas, NT
  • {{destruction_provider}} — your secure document destruction supplier
  • {{review_date}}, {{next_review_date}}

Retention periods at a glance

The retention schedule in section 4 includes the following minimum periods:

  • Adult clinical records — 7 years from last consultation (NSW HRIPA, Vic HRA, ACT HRPPA, RACGP guidance)
  • Minor (under 18) clinical records — until age 25 (whichever is later)
  • Deceased patient records — 7 years from death
  • Medicare and DVA billing records — minimum 7 years (regulation 8AAZA)
  • Sterilisation / autoclave logs — 10 years (RACGP IPC guidance)
  • Cold chain temperature logs — 5 years
  • Workplace incident records — 5 years
  • Staff personnel records — 7 years from termination
  • CCTV footage — 30 days
  • My Health Record audit logs — lifetime of registration

Who needs this policy?

Every Australian healthcare practice that holds personal information. APP 11.2 binds every APP entity, and the state health records legislation in NSW, Victoria and the ACT imposes specific minimum retention requirements that must be reconciled with the destruction obligation.

That includes:

  • General practices of any size, including solo GPs
  • Specialist medical practices
  • Allied health practices (physiotherapy, podiatry, psychology, optometry, dental)
  • NDIS providers holding participant information
  • Pharmacies, pathology and diagnostic imaging providers
  • Aboriginal Community Controlled Health Organisations
  • Private hospitals, day surgeries and aged care providers

A common audit finding is that practices keep records "forever" by default. APP 11.2 makes that a breach — destruction (or de-identification) is required once the legal retention period has passed and there is no other reason to keep the information.

APP 11.2 at a glance

Australian Privacy Principle 11.2 requires APP entities to take reasonable steps to destroy or de-identify personal information when it is no longer needed for any purpose for which it can be used or disclosed under the APPs, unless:

  • The information is contained in a Commonwealth record
  • The entity is required by or under an Australian law, or a court/tribunal order, to retain the information

For healthcare practices, the second exception applies until the state minimum retention period expires (typically 7 years for adults / age 25 for minors). After that the entity must destroy or de-identify, unless another reason to keep the information exists (e.g., active litigation, ongoing complaint, research project with consent).

Privacy Act and state legislation

| State | Statute | Adult records | Minors | |---|---|---|---| | NSW | Health Records and Information Privacy Act 2002 | 7 years | Until age 25 | | Victoria | Health Records Act 2001 | 7 years | Until age 25 | | ACT | Health Records (Privacy and Access) Act 1997 | 7 years | Until age 25 | | Qld, SA, WA, Tas, NT | No state-specific health records law | RACGP recommends 7 years | Until age 25 |

How to customise this template

  1. Download the Word document and replace every {{placeholder}} with your details
  2. Set your practice state — the retention schedule defaults already work for NSW, Vic and ACT
  3. Confirm with your insurer / lawyer if your practice has medico-legal reasons to retain longer than the statutory minimum (paediatrics, obstetrics, mental health are common cases)
  4. Identify your secure destruction provider for paper records and confirm they provide a Certificate of Destruction
  5. Confirm electronic destruction methods with your IT support — clinical software vendors generally provide soft-delete; confirm the audit trail is retained
  6. Schedule the annual destruction review — usually run by the Records Custodian
  7. Have it approved by the Privacy Officer and practice owner and signed in the approval table

Related templates and tools

This policy is the operational document for APP 11.2. Pair it with:

  • Privacy Management Plan — APP 1.2 governance backbone
  • Privacy Policy — patient-facing statement of retention
  • Health Records Management Policy — RACGP-aligned records lifecycle
  • Data Breach Response Plan — for breaches involving the destruction process
  • Computer and Information Security Policy — APP 11.1 technical safeguards

Frequently asked questions

How long must Australian medical records be kept?

For adult patients, the minimum is 7 years from the last entry in the record (NSW HRIPA, Vic HRA, ACT HRPPA, RACGP guidance). For minors, records must be kept until the patient turns 25 (or 7 years after the last entry, whichever is later). For deceased patients, 7 years from death. Medicare and DVA billing records have a minimum of 7 years under regulation 8AAZA.

What does APP 11.2 actually require?

APP 11.2 requires APP entities to take reasonable steps to destroy or de-identify personal information when it is no longer needed for any purpose for which it can be used or disclosed under the APPs, unless the entity is required by law to retain it. For healthcare records, the practical effect is "destroy after the legal retention period expires unless there is another reason to keep it".

Are practices allowed to keep records forever?

No. Indefinite retention is the most common APP 11.2 audit finding. Once the minimum retention period has passed, the practice must destroy or de-identify the records unless another exception applies (active litigation, ongoing patient care, research with consent). "We might need them one day" is not sufficient.

What's the difference between destruction and de-identification?

Destruction physically eliminates the information (shredding, secure deletion, drive destruction). De-identification removes identifiers (name, DOB, Medicare number, identifying combinations) so the information is no longer about a reasonably identifiable individual. Both are permitted under APP 11.2; de-identification is useful where data has ongoing analytical value but identification is no longer needed.

Do we need a Certificate of Destruction?

Yes for any externally destroyed paper records. The certificate evidences that destruction occurred to a recognised standard and is retained in the destruction register for at least 7 years. Internal cross-cut shredding is acceptable for low-volume destruction but should still be logged.

Can a patient ask us to destroy their record?

A patient can request destruction under APP 11.2, but the practice can refuse where the legal retention period has not expired or where another exception applies. The Privacy Officer assesses each request and responds within 30 days. The decision and reasons are recorded in the privacy register. After the retention period expires, a patient request to destroy will generally be granted.

Does this policy apply to backups?

Yes. Backups follow the same retention schedule as live records. The destruction event must include destruction of the information from primary, archive and backup storage. Where a cloud vendor holds backups, the practice obtains written confirmation of deletion from primary and backup copies.

Related templates

APP 5

Patient Data Collection Notice

Short, plain-English notice given to patients at the point of collection in line with APP 5. Covers identity, purpose, consequences of not providing information, recipients of disclosure, overseas storage, access and correction rights, and complaints. Designed for registration forms, online booking, patient portal sign-up and telehealth intake.

View template
APP 6 & APP 8

Third-Party Data Sharing Agreement Template

Contract clauses for sharing personal information with a service provider in compliance with APP 6 (use and disclosure) and APP 8 (cross-border disclosure). Covers permitted purpose, AI training prohibition, security, sub-processors, breach notification, audit, retention and destruction on termination, and indemnity. Suitable for clinical software vendors, MSPs, AI scribes, billing services and telehealth platforms.

View template
APP 1.2

Privacy Management Plan

The internal governance plan required by APP 1.2. Sets out the Privacy Officer's role, the practices, procedures and systems implemented to comply with the APPs, training, risk management, and the privacy register that tracks complaints, requests and breaches.

View template
30-day free trial, no credit card

Your next accreditation visit starts today.

Join Australian GP clinics and medical practices that have replaced spreadsheets and email threads with a single healthcare compliance platform. Your free trial starts the moment you sign up.

Start your 30-day free trialView all features
No credit card required
Australian data residency (Sydney)
Cancel anytime