As the next in our series of “back to privacy basics”, we look at the rules regarding the retention of personal data.
As we will do throughout this series, we take a look at the current position and what is best practice for an organisation. We will also briefly consider what the new Data Protection Regulation may mean in this area.
The privacy position on data retention appears simple: organisations must not keep personal data for longer than necessary. However, the difficulty lies in evaluating what “necessary” really means and then equating this to an appropriate period of time. Further, what is “necessary” in one context might not be in another.
Often, the temptation for organisations is to store data on a “just-in-case” basis. However, as well as being potentially non-compliant with data protection laws, this comes with significant business risks. Information may become inaccurate or outdated; holding the extra data securely will come at a cost and may be an unnecessary risk in the event of a data breach; and the administrative burden will be higher when responding to subject access requests.
Organisations should therefore focus on individual business needs as well as any applicable legal, regulatory or industry requirements for keeping certain kinds of records. In practice, this will involve:
- Only capturing the personal data needed;
- Periodically reviewing personal data stored and assessing the need to continue to hold this information; and
- Deleting or removing personal data that is no longer required. This must be done in a secure manner.
If not already in place, organisations should consider creating a data retention policy specifying how long data should be retained for. This might go so far as to list categories of records and relevant retention periods. Staff should receive training on the policy and periodic audits should be undertaken to ensure compliance.
In addition, organisations should consider archiving or putting offline any personal data that does not need to be accessed regularly, but which still needs to be retained.
Position under draft Data Protection Regulation
The Regulation says that you can only retain personal data for the period which is necessary for the relevant purposes. Personal data may be stored for longer periods provided this is solely for historical, statistical or scientific research and provided a periodic review is carried out to assess the necessity to continue the storage. This will not be relevant to everyone and is unlikely to justify “just-in-case” retention.
So the approach remains “less is more” in relation to data retention. This approach is reflected in the European Court of Justice’s decision at the start of the month to declare the Data Retention Directive invalid. For further information see our blog post which will be of particular note to telcos and ISPs.