Following the provisions of the Privacy Act generally means that you get rid of information as soon as you no longer need it. However, this is overruled by other forms of legislation which require records to be kept for longer.
Regarding drug testing, there is nothing explicitly spelt out in any standard or legislation.
Here’s how it’s handled for other forms of testing:
- The National Pathology Accreditation Advisory Council (Australia) recommends 7 years for laboratory reports
- The Health (Retention of Health Information) Regulations 1996 specifies that healthcare providers keep patient records for a minimum of 10 years from when they last provided services to that patient
- The Health and Safety at Work 2016 Act has a section regarding storage of health monitoring records. This specifies at least 30 years after the record is made, if the testing is non-asbestos-related. If it involves testing for asbestos-related diseases, 40 years.
It’s possible that if you conduct drug testing, you’d be considered a provider under the Health (Retention of Health Information) Regulations 1996.
4 Definition of provider
…(k) any other person who provides, or holds himself or herself or itself out as providing, services to the public or to any section of the public, whether or not any charge is made for those services.
How long you should keep drug test results ultimately comes down to what you say in your company policy.
To be safe, you should keep them for a minimum of 10 years. If you’re also carrying out health monitoring, keep the drug test results for 30 – 40 years!