Version 1.1 – Updated Policy (No Reference to Backup Vault Policy)
Effective Date: 01/09/2025 | Owner: IT Security & Compliance | Approved By: CEO
This policy establishes the principles, responsibilities, and retention periods that govern how Mibowork retains, archives, and securely destroys data. It ensures compliance with Australian legislation, ISO/IEC 27001:2022, client contractual requirements, and Mibowork’s Information Security Management System (ISMS).
The purpose of this policy is to minimize data retention risk, ensure lawful handling of personal information, and demonstrate transparency to clients and auditors regarding Mibowork’s data lifecycle practices.
This policy supports the Mibowork Information Security Management System (ISMS) and is supported by the following documents:
Mibowork will retain data only for as long as it is needed for legitimate business, legal, or regulatory purposes. Once data is no longer required for its original purpose, it will be securely deleted or de-identified.
Retention periods are established based on data classification, regulatory obligations, and operational needs. Retention schedules apply regardless of data format or storage location.
| Data Category | Retention Period | Legal / Regulatory Basis | Destruction Method |
| --- | --- | --- | --- |
| Client / Customer Data | Contract term + 90 days | Privacy Act 1988 (Cth); ISO 27001 A.8.10 | Secure deletion / Certificate of Data Deletion |
| Financial Records | 7 years | Corporations Act 2001; Taxation Administration Act 1953 | Secure deletion / Shredding (paper) |
| Employee Records | 7 years post-employment | Fair Work Act 2009 | Secure deletion / Shredding (paper) |
| Security Logs | 1–7 years (risk-based) | ASD Essential 8; ISO 27001 A.5.30 | Secure deletion with audit trail |
| Operational Data | As required for business continuity (maximum 12 months) | ISO 27001 A.8.13 | Secure deletion / Archival purge |
Deletion of data follows a structured and auditable process. Upon expiration of the retention period or a valid client request, Mibowork initiates secure data deletion in accordance with the Certificate of Data Deletion process.
Steps include:
1. Verification of request and data ownership.
2. Identification of affected systems and data sets.
3. Secure purge using Microsoft 365 Purview or approved deletion tools.
4. Dual authorization of deletion by IT Security and the Data Owner.
5. Issuance of a Certificate of Data Deletion to the client.
6. Retention of deletion logs for at least 12 months for audit readiness.
Data Protection Officer (DPO): Oversees enforcement and reports on compliance.
IT Department: Implements technical controls and executes deletion procedures.
Department Managers: Ensure team compliance with retention schedules.
Legal Counsel: Advises on legal holds and approves exceptions.
Security Team: Verifies and co-signs deletion evidence.
Compliance with this policy will be verified through regular internal audits, automated monitoring, and evidence-based review. Exceptions must be documented and approved by senior management. Legal holds override retention schedules until formally released.