Can an organisation keep the personal information it has collected about me forever?
No. However, the Privacy Act does not set a specific time period for the destruction of personal information. The National Privacy Principles do say that organisations should take reasonable steps to destroy or permanently de-identify personal information if they no longer need it for any purpose consistent with the Principles. It is up to the organisation to decide what is reasonable in its case. For more information on this topic please go to National Privacy Principle 4 (NPP 4) and Information Sheet 6 - Security and Personal Information.
If the organisation still holds personal information about you, you will be able to get access to it in most circumstances under National Privacy Principle 6. This Principle also allows you to seek to correct personal information about you that is incorrect. More information can be found in National Privacy Principle 6 (NPP 6) and Information Sheet 4 - Access and Correction. For more information about both Security and Personal Information, and Access and Correction of Personal Information go to the Guidelines to the National Privacy Principles.
For more general information about what the Privacy Act means for you go to My Privacy, My Choice - Your New Privacy Rights.