According to the Act, personal information may not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed. There are several exceptions to this rule, though, so it would be best to seek legal advice to confirm your specific obligations depending on your type of business and industry.
Companies are responsible for destroying or deleting personal information, or “de-identifying” it, as soon as reasonably practical when they are no longer authorised to retain this information. This does not necessarily mean that the customer had to ask you to remove his/her personal information; it could be that you have fulfilled your obligations under some kind of agreement.
This requirement of being able to remove or de-identify records has several implications, mostly complications, with regard to a company’s information architecture. As such, it is important that each company has an information register that can act as an information or data map, as discussed in the previous section. This includes keeping track of all sources and storage locations of personal information, but also means preparing systems to cope with the possibility of removing records, including unique identifiers. This could affect systems integration, audit information (audit trails and systems) and your backup strategy. Also consider the implications of storing any personal information in Excel spreadsheets, on staff members' own PCs (including their mailboxes), shared network drives/repositories, fax solutions, phone management systems, CCTV and security records, etc. All of these would have to be updated manually to remove this information.