
To keep or not to keep? Storage Limitation – the forgotten GDPR Principle

By Sue White, Information Governance Manager

In my early days as a Data Protection Officer, I remember being taken to a room which I affectionately now refer to as ‘The Room of Doom’.  This was a medium-sized storage room stacked high with folders and boxes each full to the brim with customer/staff records and documents – a document graveyard if you will! When I asked why the records had been kept for so long, I was told, “we can’t risk destroying them!”  My response was, “can you risk NOT destroying them?”

It is human nature to hoard, to hold onto things ‘just in case’. However, holding onto people’s personal data carries a substantial risk, as it may well mean breaching data protection laws.

Think back to when you collect people’s personal data. You provide them with a Privacy Notice to assure them their personal details will be handled safely and lawfully with your organisation. Part of this Privacy Notice states how long you will keep the data, but how many organisations can, hand on heart, state they abide by their own promises (and the law) and destroy the data after this period?

The GDPR is made up of Principles – lawfulness, transparency, security etc. One of the Principles which tends to be forgotten is Storage Limitation, which simply means, ‘we must not keep data for longer than we need it.’ 

Storage Limitation comes into play at the end of an activity or project when all the work and excitement is over. It’s like tidying up after the party – the part which nobody likes!

Holding onto personal data when you no longer need it often involves costly storage and security, but can also mean you are breaching other GDPR Principles.

In addition to breaching many of the data protection Principles, you also run the risk of holding excessive data if an individual exercises their right of access to their personal data and submits a Subject Access Request. Your legal obligation to provide all the data you hold, including data you have unlawfully retained, will probably involve significant time and effort and be embarrassing to fulfil. It could even be costly if the individual is outraged at the amount of personal information you have kept unlawfully!

Let’s consider cyber-attacks.  They don’t just happen to other organisations; they can happen to anyone.  It is catastrophic to lose any personal data in an attack but imagine losing personal data belonging to ex-staff whose data you’ve been unlawfully holding for decades, or customers’ details which you didn’t ever delete when you should, or student records you should no longer have.  Imagine those, often extremely sensitive, records being physically stolen, accessed by a computer hacker, or even held by a malicious organisation threatening to post them on the dark web – it happens!

What should I keep and what should I destroy?

This will depend on the types of personal data you have and your reasons for holding it. When assessing how long you retain files, it is important that you check your Privacy Notices to see what you told individuals when they provided their data. There may be legal reasons why you need to keep personal data, such as taxation laws around staff records. It may be that you need to retain just a core record, such as some parts of a student record to verify academic achievements, but it is very unlikely that you will have a lawful reason to retain their health details or any casual notes for longer than the stated period.

What can we do?

The good news is that data retention planning is easy. Once you review what personal data you have and what you should have, whether it be boxes of paperwork or electronic files, you should permanently destroy the records you no longer need.

After that, it’s a case of setting up a regular ‘cull’ of your data. 
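The ‘regular cull’ described above can be scripted once you have an inventory of the records you hold and a retention schedule per record category. The following is an added example, not code from Naomi Korn Associates: it assumes a hypothetical schedule (RETENTION_YEARS, with made-up illustrative periods that are not legal advice), a constructed record inventory (SAMPLE_RECORDS), and a trigger date per record marking the end of the activity that justified holding it. It sorts records into keep, destroy and review, where ‘review’ flags categories with no documented retention period, since a record with no stated basis for retention is the one most likely to be sitting in the ‘Room of Doom’. It also shows the partial-retention case from the text: the same student’s core record is kept while their health record is due for destruction.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical retention schedule (assumption, not legal advice): category ->
# years to retain after the record's trigger date. Categories absent from the
# schedule have no documented retention period and must be reviewed.
RETENTION_YEARS = {
    "staff_tax": 6,        # illustrative period for payroll/tax records
    "student_core": 10,    # core record needed to verify academic achievements
    "student_health": 1,   # sensitive supporting detail, short retention
    "casual_notes": 0,     # no lawful reason to keep once the activity ends
}


@dataclass(frozen=True)
class Record:
    record_id: str
    subject_id: str      # the person the record is about
    category: str
    trigger_date: date   # date the activity ended (employment, course, project)


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 Feb to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(rec: Record, schedule=RETENTION_YEARS):
    """Date from which the record may no longer be held, or None if unknown."""
    years = schedule.get(rec.category)
    if years is None:
        return None
    return add_years(rec.trigger_date, years)


def cull_plan(records, today: date, schedule=RETENTION_YEARS) -> dict:
    """Classify each record as keep / destroy / review as of `today`."""
    plan = {"keep": [], "destroy": [], "review": []}
    for rec in records:
        end = retention_end(rec, schedule)
        if end is None:
            plan["review"].append(rec.record_id)   # no documented retention period
        elif today >= end:
            plan["destroy"].append(rec.record_id)  # retention period has expired
        else:
            plan["keep"].append(rec.record_id)
    return plan


def overdue_records(records, today: date, schedule=RETENTION_YEARS) -> dict:
    """Map record id -> days held beyond the end of its retention period."""
    result = {}
    for rec in records:
        end = retention_end(rec, schedule)
        if end is not None and today >= end:
            result[rec.record_id] = (today - end).days
    return result


# Constructed sample inventory for the demonstration.
SAMPLE_RECORDS = [
    Record("R1", "staff-001", "staff_tax", date(2016, 3, 31)),
    Record("R2", "staff-002", "staff_tax", date(2020, 3, 31)),
    Record("R3", "student-77", "student_core", date(2015, 7, 1)),
    Record("R4", "student-77", "student_health", date(2015, 7, 1)),
    Record("R5", "student-77", "casual_notes", date(2023, 7, 1)),
    Record("R6", "unknown", "legacy_box", date(1998, 1, 1)),   # no schedule entry
]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    for action, ids in cull_plan(SAMPLE_RECORDS, today).items():
        print(f"{action:8s} {', '.join(ids) or '-'}")
    for rid, days in overdue_records(SAMPLE_RECORDS, today).items():
        print(f"{rid} held {days} days past its retention period")
```

Run it against a real inventory export rather than SAMPLE_RECORDS and review the ‘review’ list first: those are the records for which nobody can yet say why they are still being held, and they are also exactly the records that widen the scope of a Subject Access Request or a breach.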

Further help

If you found this useful and want to deepen your expertise in data protection, explore our Intermediate and Advanced Certificates in Data Protection, or contact our Training Manager at info@naomikorn.com.
