Why Data Obligations Survive a Business Closure
When a business closes its doors, many obligations end. Leases are terminated, employees are released, and operations cease. But data protection obligations do not simply vanish because the business has stopped trading. The personal information that a company collected from customers, employees, suppliers, and partners during its lifetime remains subject to privacy law regardless of the company’s operational status.
This creates a critical window of risk. During the wind-down period, attention is focused on finalising accounts, settling debts, and managing the emotional and logistical complexity of closure. IT equipment disposal often falls to the bottom of the list, dealt with in the final days when resources are scarce and urgency is high. Yet this is precisely when proper data destruction is most important, because once equipment leaves the business’s control, the opportunity to protect data is permanently lost.
Legal Obligations During Wind-Down
The Australian Privacy Act 1988 continues to apply to personal information held by a business until that information is properly destroyed or de-identified. A company that is closing down cannot simply abandon its data by leaving equipment in a vacated office or handing it to a disposal contractor without ensuring data destruction has occurred.
Directors of companies that are winding down retain personal liability for ensuring compliance with privacy obligations. Under the Corporations Act, directors must act in good faith and with due care and diligence, which extends to the proper handling of company data during closure. Failing to ensure adequate data destruction could expose directors to personal liability if a breach occurs.
If the company is being wound up by a liquidator or administrator, the appointed insolvency practitioner assumes responsibility for the company’s assets, including its data. However, insolvency practitioners may not be aware of the specific data destruction requirements that apply, particularly for businesses in regulated industries. Proactive communication about data obligations is essential.
Tax and employment records have specific retention periods that must be observed even after closure. Australian Taxation Office requirements mandate retention of financial records for at least five years. Employee records must be retained for seven years. These retention obligations mean that some data cannot be destroyed immediately upon closure but must be securely stored until the retention period expires.
Common Data Risks During Business Closure
The most common risk during closure is the rushed clearance of premises. When a lease is expiring and the business needs to vacate, IT equipment is often treated the same as furniture and fixtures, loaded onto trucks by clearance contractors with no consideration for the data stored on it.
Sale of business assets, including IT equipment, to recover value for creditors is standard practice during wind-down. However, if equipment is sold without data destruction, the buyer receives not just the hardware but all the data stored on it. This is particularly problematic when equipment is sold in bulk to second-hand dealers or at auction.
Loss of IT expertise is another significant factor. The IT team is typically among the first to be made redundant during a closure. By the time equipment disposal occurs, the people who understand the data landscape and could perform or oversee data destruction may no longer be available.
Forgotten storage media is a persistent problem. Backup tapes in fireproof safes, external drives in desk drawers, USB sticks in meeting rooms, and archive drives in storage cupboards are easily overlooked during the final cleanup. These forgotten media can contain years of accumulated business data.
Planning Data Destruction as Part of Closure
Data destruction should be incorporated into the closure plan from the earliest stages. As soon as the decision to close is made, an inventory of all data-bearing equipment and media should be compiled. This inventory should cover servers, desktops, laptops, mobile devices, external storage, backup media, printers with internal storage, and any other equipment that may contain data.
The inventory should note which data must be retained for legal or regulatory reasons and which can be destroyed immediately. Data subject to retention requirements should be migrated to secure long-term storage, ideally in a format that remains accessible if needed, and then destroyed when the retention period expires.
For data that can be destroyed immediately, NIST 800-88 compliant sanitisation should be performed while the business still has access to IT resources and personnel. Waiting until the final days of operations reduces the chance of thorough, verified destruction.
Engaging a certified IT asset disposition provider early in the closure process ensures professional handling of equipment disposal. For businesses in financial difficulty, some ITAD providers can offset their service costs against the residual value of the equipment being disposed of.
Specific Scenarios and Considerations
For businesses in voluntary administration or liquidation, the administrator or liquidator should be briefed on data destruction requirements. Providing them with a clear summary of what data exists, where it is stored, and what obligations apply helps ensure data security is maintained throughout the insolvency process.
Cloud-based data requires separate attention. While physical equipment disposal is the focus of most closure planning, data stored in cloud platforms also needs to be addressed. Cloud accounts should be properly closed, with data either exported for retention purposes or permanently deleted according to the cloud provider’s deletion procedures.
Email systems and communication platforms contain significant volumes of personal and business data. These should be backed up if retention is required, then permanently deleted. Simply cancelling a subscription does not guarantee that data is immediately destroyed by the cloud provider.
Third-party processors and service providers who hold data on the company’s behalf should be notified of the closure and instructed to either return or destroy the data they hold. Contracts with these providers should be reviewed to understand their obligations regarding data destruction upon termination.
Documenting Destruction for the Record
Even though the business is closing, documentation of data destruction remains important. Certificates of destruction should be obtained and retained by the directors or the appointed insolvency practitioner. If questions arise in the future about how personal information was handled during the closure, these certificates provide evidence that reasonable steps were taken.
The cost of proper data destruction during a business closure is modest compared to the personal liability that directors could face if a breach occurs after the business has closed. Taking the time to handle data responsibly during wind-down is both a legal obligation and a demonstration of professional integrity that reflects well on the individuals involved, regardless of the business’s fate.
