Personal Information Retention & Destruction Policy¶
| Code | PRI-003 |
| Domain | Privacy & Data Rights |
| Owner | Privacy Officer |
| Status | Draft |
| Applicability | Platform |
| Jurisdiction | NZ + AU |
| Business domain | BD09 |
| Review date | 2027-03-25 |
Regulations: Privacy Act 2020 · Privacy Act 1988¶
Purpose¶
Govern the platform's obligations for cross-border transfers of personal information, including the conditions under which transfers are permitted and the contractual protections required.
Scope¶
All transfers of personal information from NZ or AU to offshore recipients, including transfers to cloud service providers, third-party processors, and group entities operating in other jurisdictions.
Policy statements¶
The platform SHALL not transfer personal information to an offshore recipient unless one of the following conditions is satisfied: (a) the recipient is in a country with comparable privacy protections assessed as adequate; (b) the individual has consented to the transfer after being informed that their information may not be protected in the same way; (c) the transfer is required by NZ or AU law; or (d) contractual protections equivalent to the NZ Privacy Act or AU Privacy Act are in place.
For transfers to cloud service providers and third-party processors, the platform SHALL ensure that a data processing agreement is in place that: requires the recipient to protect the information to an equivalent standard, prohibits onward transfer without authorisation, requires breach notification, and includes audit rights.
The platform SHALL maintain a register of all material cross-border transfers, including the recipient, jurisdiction, legal basis, and contractual protections in place. The register SHALL be reviewed annually by the Privacy Officer.
Transfers of sensitive personal information (health information, biometrics, financial crime information) to offshore recipients SHALL require Privacy Officer approval before initiation.
Where the platform transfers personal information to a group entity in another jurisdiction, the group entity SHALL be bound by privacy standards equivalent to the NZ Privacy Act and AU Privacy Act through a binding group privacy policy.
The Privacy Officer SHALL report the cross-border transfer register status to the BRC annually.
Satisfying modules¶
| Module | Name | Mode | Description |
|---|---|---|---|
| MOD-043 | EventBridge domain event governance | AUTO |
DLQ messages capped at 14-day TTL — no event payload retained beyond the operational resolution window |
| MOD-073 | Document vault | AUTO |
Documents are retained for the required regulatory period and purged automatically when retention expires — the vault enforces the retention schedule. |
| MOD-074 | Back-office customer 360 | GATE |
Back-office access to customer records requires an active authorised session with a role that includes customer data access — no anonymous or unscoped access. |
| MOD-100 | External asset connector | GATE |
External asset retrieval halts immediately on consent revocation and cached records are deleted within 24 hours — no data retained beyond consent scope. |
| MOD-103 | Neon database platform bootstrap | AUTO |
Neon project is provisioned in the correct AWS region for data residency (NZ and AU environments in region-appropriate endpoints), satisfying the data localisation obligation. |
| MOD-148 | Privacy access request (DSAR) workflow | LOG |
Every access request, data assembly action, disclosure decision, and regulator escalation is logged as an immutable privacy record. |
Part of Privacy & Data Rights · Governance overview
Compiled 2026-05-22 from source/entities/policies/PRI-003.yaml