Data retention is a question that every business and organisation should be asking itself.
(The following overview only relates to retention periods for personal data. However, businesses and organisations should consider what other data and records they have and for how long they should be retained).
The UK GDPR provides that personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.[1]
The period during which the personal data is stored must be limited to a strict minimum and the time limits for erasure need to be subject to periodic review to ensure the personal data is not kept longer than necessary.[2]
The starting point for any business or organisation is to carry out an audit or review to establish what personal data is held, by whom and where. They need to consider personal data held on IT systems, back-ups, in cloud storage, by third party service providers and on personal devices.
Once this information is available, the business or organisation can put together its data retention policy, setting out how it will classify personal data and manage the retention and eventual disposal of personal data. The policy will need to cover all formats of data, including hard copy and electronic documents, emails, financial and company records, employment records, digital media and back-up storage.
Staff and customers, as data subjects, will need to be provided with information about retention periods, so privacy policies should refer to the periods during which particular personal data will be stored, or, if that is not possible, the criteria which will be used to determine those periods.
The Information Commissioner’s Office does not set data retention periods. The actual data retention periods will vary from business to business and will depend on the type of data.
For example, in relation to interview notes and details of a candidate who was unsuccessful in a job application, you may wish to retain these for at least 3-6 months, so that if the successful candidate does not pass their probation period, you can revert to other candidates.
Taking another example, contact details for those involved in the performance of a contract should be kept for at least 6 years, as 6 years is the limitation period for a contract claim (unless the contract was made as a deed[3]).
The data retention policy should be a clear reference source for staff, so that the retention periods for different types of personal data can be established easily.
No data retention policy should be set in stone – it will need periodic review to take account of legal changes and risk factors which may have increased or diminished.
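As an added illustration (not part of the original article, and not the firm's own template), the following Python script shows how a retention schedule of the kind described above can be turned into a periodic review that staff can act on. The category names, the record structure and the "trigger date" from which each period runs are assumptions for this example; the periods themselves (around six months for unsuccessful candidates, six years for contract contacts, twelve years for deeds) are those the article gives. A record whose category has no entry in the schedule is reported as a policy gap rather than silently retained, which is the failure mode a periodic review most needs to surface.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule for this example. Category names are assumptions;
# the periods are the ones the article mentions.
RETENTION_SCHEDULE = {
    "unsuccessful_candidate": timedelta(days=182),      # roughly 6 months after the decision
    "contract_contact": timedelta(days=6 * 365),        # 6-year limitation period for a contract claim
    "contract_contact_deed": timedelta(days=12 * 365),  # 12-year limitation period for a deed
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    trigger_date: date  # the event the retention period runs from (e.g. end of the contract)


def classify(record, today, schedule=RETENTION_SCHEDULE, warn_window=timedelta(days=30)):
    """Return the action for one record: 'unclassified', 'dispose', 'review' or 'retain'."""
    period = schedule.get(record.category)
    if period is None:
        # Policy gap: the schedule defines no period for this category, so the
        # record must be classified before anything else is decided.
        return "unclassified"
    expiry = record.trigger_date + period
    if today >= expiry:
        return "dispose"
    if today + warn_window >= expiry:
        # Expiring within the warning window: flag it for the next review.
        return "review"
    return "retain"


def periodic_review(records, today, schedule=RETENTION_SCHEDULE):
    """Group record ids by action so the review output is directly actionable."""
    out = {"unclassified": [], "dispose": [], "review": [], "retain": []}
    for record in records:
        out[classify(record, today, schedule)].append(record.record_id)
    return out


# Constructed sample inventory (the result of the audit described in the article).
SAMPLE_RECORDS = [
    Record("cand-001", "unsuccessful_candidate", date(2023, 1, 10)),
    Record("cand-002", "unsuccessful_candidate", date(2024, 5, 20)),
    Record("ctr-100", "contract_contact", date(2017, 6, 1)),
    Record("ctr-101", "contract_contact", date(2018, 6, 20)),
    Record("deed-7", "contract_contact_deed", date(2012, 3, 3)),
    Record("misc-1", "marketing_list", date(2020, 1, 1)),  # no schedule entry: a policy gap
]

if __name__ == "__main__":
    for action, ids in periodic_review(SAMPLE_RECORDS, date(2024, 6, 10)).items():
        print(f"{action:12s} {ids}")
```

Running the script as of 10 June 2024 lists cand-001, ctr-100 and deed-7 for disposal, ctr-101 for review (it expires within the next 30 days), cand-002 for retention, and misc-1 as unclassified. Because the schedule is data rather than code, a legal change such as a revised limitation period is a one-line edit that the next review picks up automatically.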
In relation to the disposal of personal data, the business or organisation must consider what methods of disposal and deletion will be used, to ensure that this occurs securely. Particular care is needed regarding computer equipment and electronic data, to ensure that data, once deleted, is irretrievable.
Anonymisation may be an alternative to disposal or destruction, but this would need to be permanent and not simply pseudonymisation – where the personal data is divided up and referenced by a key – because the key could be used to enable the separate data files to be amalgamated later to restore the personal data.
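The distinction drawn in the last paragraph is easy to get wrong in practice, so here is an added Python example (not from the original article) that makes it concrete. The sample records are constructed, and the field names and the token format are assumptions. Pseudonymisation splits each record into a data file and a separate key table; anyone holding both can join them and restore the personal data, so disposal has not occurred. Anonymisation, by contrast, removes the direct identifiers and generalises the remaining fields without keeping any key, so there is nothing to join back.

```python
import secrets

# Constructed sample personal data (no real individuals).
PERSONAL_DATA = [
    {"name": "A. Example", "email": "a@example.org", "age": 34, "postcode": "AB1 2CD", "salary_band": "C"},
    {"name": "B. Sample", "email": "b@example.org", "age": 47, "postcode": "EF3 4GH", "salary_band": "D"},
    {"name": "C. Test", "email": "c@example.org", "age": 29, "postcode": "AB1 9XY", "salary_band": "B"},
]

DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise(records):
    """Split records into a data file (token + attributes) and a key table (token -> identifiers)."""
    key_table = {}
    data_file = []
    for record in records:
        token = secrets.token_hex(8)  # random, non-derivable pseudonym
        key_table[token] = {field: record[field] for field in DIRECT_IDENTIFIERS}
        data_file.append({"token": token, **{k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}})
    return data_file, key_table


def reidentify(data_file, key_table):
    """Join the data file back to the key table: the original records come straight back."""
    restored = []
    for row in data_file:
        attributes = {k: v for k, v in row.items() if k != "token"}
        restored.append({**key_table[row["token"]], **attributes})
    return restored


def anonymise(records):
    """Drop direct identifiers and generalise quasi-identifiers; no key of any kind is kept."""
    out = []
    for record in records:
        decade = (record["age"] // 10) * 10
        out.append({
            "age_band": f"{decade}-{decade + 9}",
            "postcode_area": record["postcode"].split()[0],  # outward code only
            "salary_band": record["salary_band"],
        })
    return out


def contains_identifiers(records):
    """Check used before treating a dataset as disposed of: any identifier or token means it is not."""
    return any(any(field in row for field in DIRECT_IDENTIFIERS + ("token",)) for row in records)


if __name__ == "__main__":
    data_file, key_table = pseudonymise(PERSONAL_DATA)
    print("pseudonymised data file still linkable:", contains_identifiers(data_file))
    print("restored equals original:", reidentify(data_file, key_table) == PERSONAL_DATA)
    print("anonymised contains identifiers:", contains_identifiers(anonymise(PERSONAL_DATA)))
```

The point for disposal decisions is the `reidentify` step: as long as the key table exists anywhere (including in a back-up), the data file remains personal data and the retention period still applies. Only the anonymised output, which passes the `contains_identifiers` check and for which no key was ever kept, can be treated as no longer identifying anyone.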
If you have any queries regarding data retention policies, please contact Peter James or James Fox.
[1] Article 5(1)(e) UK GDPR
[2] Recital 39 UK GDPR
[3] The limitation period for a deed is 12 years.