Site Changes
- Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
- Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site; consequently, some information may be out of date. For new privacy content visit the www.oaic.gov.au website.
What should an organisation do with the health information it no longer uses?
If an organisation no longer uses or discloses health information for any of the purposes referred to in National Privacy Principle 2 (NPP 2), the organisation must take reasonable steps to destroy or de-identify the information: see National Privacy Principle 4.2 (NPP 4.2). (More detail of "the purposes referred to in NPP 2".)
The "reasonable steps" to be taken will depend on the circumstances, such as the ability of the organisation to destroy or de-identify the information or the size and nature of the medium on which the health information is stored.
Health service providers will need to meet these obligations, but they may also have good reasons for needing to retain the health information. These could include the long-term care and treatment of the individual, the usefulness of the information in the development of future health care technologies, or the requirements of the law or the codes of practice/advice of professional bodies. Where a health service provider must make a decision about keeping or destroying data, the provider should balance the benefits of retaining the information against the risks of privacy breaches. For more information, see Guidelines on Privacy in the Health Care Sector.


