For most organisations, a lot of thought and care goes into ensuring that when you’re collecting data, you are complying with the relevant data protection legislation- that it’s being collected with consent where required, that you have a lawful basis etc. However,
How long you keep the data for, and when/how you get rid of it is just as important. This can often be a lesser understood area of data protection, and this article should hopefully (if I’ve done my job correctly) allow you to understand the requirements around the retention and destruction of data.
It would be great if the legislation gave us an easy breakdown of retention periods that said something like “employment records should be kept for no longer than 5 years post employment ending”, or “student grades should be kept for 10 years”, however this isn’t the case. There is no set period of time that you as an organisation should keep the data that you collect for. It is, to a certain extent, up to you. This isn’t to say however that you can keep every piece of data that you collect on people forever, because it's easier. You are only permitted to retain data for as long as you have a use for it. The piece of legislation that governs this is Article 5(1)(e) of the GDPR, which states that:
“Personal data shall be:
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures…”
So, not only can you only retain personal data only for as long as you have a use for it, it can also only be used for the purposes for which it was originally processed for, unless there are legitimate archiving uses. The retention guidelines that we see align with the data minimisation and accuracy principles of data protection- you should always collect as little data as you need to carry out the purpose for which you need it, and should only retain it for as long as you need it.
The ICO outlines various reasons why limiting the amount of data you collect and keep is not only a requirement, but also benefits your organisation. Firstly, minimising the amount of data you have, and ensuring that data you no longer need is erased/destroyed will help ensure that the data you have doesn’t become irrelevant, out of date, excessive or inaccurate. This then means that when you come to use the data that you have, you don’t use it in error; the less you have, the less likely you are to misuse it. In addition to this, if you keep data for longer than you need it, you will unlikely have a lawful basis for processing it, meaning you would be in breach of the GDPR. When it comes to associating costs with processing/retaining data, the more you have may mean a higher cost to your organisation, as would paying for the security of that data.
As an organisation that processes personal data, you are required to respond to subject access requests where an individual requests to have a copy of all the information you as an organisation hold on them. The more data you hold, the more time and therefore money it would cost in gathering all of that information to respond to the SAR. Ensuring that you have a clear retention policy that can be followed by all at your organisation would also mean that it would minimise the number of requests you have to erase data, as well as receiving questions about your retention policy.
Retention Policy
This takes us on to our next area of discussion- whether your organisation needs a retention policy or not. Your retention schedule should outline the types of records or information you hold, what you use it for, and how long you intend to keep it for. This helps you establish a standard retention period for the data that you process, and allows individuals to be aware of those periods. You don’t necessarily need to create an individual retention policy, although you can. Your retention policy could also form a part of your overall data processing document, such as your data protection policy. You can find a model retention policy for example embedded within Data Protection Education’s model Data Protection Policy, which your organisation can use as your own, you just need to make the necessary amendments. To comply with documentation requirements, you need to establish and document standard retention periods for different categories of information you hold wherever possible. It is also advisable to have a system for ensuring that your organisation keeps to these retention periods in practice, and for reviewing retention at appropriate intervals. Your policy must also be flexible enough to allow for early deletion if appropriate. For example, if you are not actually using a record, you should reconsider whether you need to retain it. However, if you are a small organisation, you may not need to create a retention policy document if the data you are processing is ‘low risk’.
As mentioned above, UK GDPR doesn’t provide a set time that you should keep personal data for, however you must always be able to justify why you are keeping personal data that is able to identify individuals. If you don’t need to be able to identify an individual, you should anonymise the data. Another time you may wish to keep personal data once a relationship ends could be to keep record that the relationship existed, and that it has ended. Another reason you may wish to keep data is to protect your organisation should a future legal claim be made- however in this case you should still delete data that couldn’t possibly be relevant to a legal claim. There may also be legal requirements for keeping personal data on record- this can be for tax and audit purposes, or for health and safety reasons.
Reviewing the Procedure
At the end of every standard retention period, your organisation should conduct a review on whether you should erase or anonymise the relevant personal data depending on whether you still have a legitimate use for it. If you don’t have a set retention period, you should conduct regular reviews. How often these reviews are however may depend on a multitude of factors such as the resources your organisation has, as well as the privacy risk to individuals. You must also review an individual’s personal data and whether you still need it if they ask you to, as they have the right to erasure of personal data that you no longer need.
How to Delete the Data
When it comes to the deletion of any personal data, you can either outright delete it, or anonymise it. It is important to understand that taking data and storing offline still means that you need a purpose for using it, and must respond to a subject access request with any information you store offline as well as online. Personal data that has been pseudonymised – eg key-coded – will usually still permit identification. Pseudonymisation can be a useful tool for compliance with other principles such as data minimisation and security, but the storage limitation principle still applies.
It’s also important to note that you can store personal data indefinitely should you be doing so for the purposes of archiving in the public interest, scientific or historical research purposes, or statistical purposes.
Ultimately, as an organisation you need to ensure that you are only retaining data that you need and have a purpose for, and that purpose must be legitimate. Whilst there is no set period that certain types of data should be kept for, your retention policy should outline how long you intend to keep an individual’s personal data for, and what you intend to use it for. Whilst there are certain exceptions that allow you to retain data indefinitely, you should erase/destroy data once you no longer have a use for it, in line with UK GDPR.
The full ICO guide to retention can be found by clicking here.