Retaining personal data (Principle 5)
This section answers some common questions about how long personal data should be kept. It sets out briefly the duties of organisations in this regard, and gives examples of good practice in managing the retention of personal data.
In brief – what does the Data Protection Act say about keeping personal data?
The Act does not set out any specific minimum or maximum periods for retaining personal data. Instead, it says that:
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
This is the fifth data protection principle. In practice, it means that you will need to:
- review the length of time you keep personal data;
- consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
- securely delete information that is no longer needed for this purpose or these purposes; and
- update, archive or securely delete information if it goes out of date.
In more detail…
- Why should I worry about retaining personal data?
- What approach should I take to decisions about retaining personal data?
- What determines the length of a retention period?
  - What the information is used for
  - The surrounding circumstances
  - Any legal or regulatory requirements
  - Agreed industry practices
- What should happen to personal data at the end of its retention period?
- What about keeping shared information?
Why should I worry about retaining personal data?
Assuming that you have a good reason for processing the personal data in question, it is obvious that discarding that data too soon would be likely to disadvantage your business and, quite possibly, to inconvenience the people the information is about as well. However, keeping personal data for too long may cause the following problems:
- There is an increased risk that the information will go out of date, and that outdated information will be used in error – to the detriment of all concerned.
- As time passes it becomes more difficult to ensure that information is accurate.
- Even though you may no longer need the personal data, you must still make sure it is held securely.
- You must also be willing and able to respond to subject access requests for any personal data you hold. This may be more difficult if you are holding more data than you need.
We have already mentioned the links between the third, fourth and fifth data protection principles. So, for example, personal data held for longer than necessary will, by definition, be excessive and may also be irrelevant. In any event, it is inefficient to hold more information than necessary.
What approach should I take to decisions about retaining personal data?
It is good practice to regularly review the personal data you hold, and delete anything you no longer need. Information that does not need to be accessed regularly, but which still needs to be retained, should be safely archived or put offline.
If you hold more than small amounts of personal data, it is good practice to establish standard retention periods for different categories of information. You will need to take account of any professional rules or regulatory requirements that apply. It is also advisable to have a system for ensuring that your organisation keeps to these retention periods in practice, and for documenting and reviewing the retention policy. For example, if any records are not being used, you should reconsider whether they need to be retained.
If you only hold a modest amount of personal data, you may not need a formal data retention policy. You must still comply with the law, of course, so it is good practice to conduct a regular audit, and to check through the records you hold to make sure you are not holding onto personal data for too long, or deleting it prematurely.
What determines the length of a retention period?
Personal data will need to be retained for longer in some cases than in others. How long you retain different categories of personal data should be based on individual business needs. A judgement must be made about:
- the current and future value of the information;
- the costs, risks and liabilities associated with retaining the information; and
- the ease or difficulty of making sure it remains accurate and up to date.
What the information is used for
How long you should keep personal data depends on the purpose for which it was obtained and its nature. If it continues to be necessary to hold the data for one of the reasons set out in Schedules 2 and 3 of the Data Protection Act (such as the performance of a public function or compliance with employment law), then you should retain it for as long as that reason applies. On the other hand, information with only a short-term value may have to be deleted within days.
A bank holds personal data about its customers. This includes details of each customer’s address, date of birth and mother’s maiden name. The bank uses this information as part of its security procedures. It is appropriate for the bank to retain this data for as long as the customer has an account with the bank. Even after the account has been closed, the bank may need to continue holding some of this information for legal or operational reasons.
Images from a CCTV system installed to prevent fraud at an ATM machine may need to be retained for several weeks, since a suspicious transaction may not come to light until the victim gets their bank statement.
In contrast, images from a CCTV system in a pub may only need to be retained for a short period because incidents will come to light very quickly. However, if a crime is reported to the police, the images will need to be retained until the police have time to collect them.
Where personal data is held for more than one purpose, there is no need to delete the data while it is still needed for any of those purposes. However, personal data should not be kept indefinitely “just in case”, or if there is only a small possibility that it will be used.
A tracing agency holds personal data about a debtor so that it can find that individual on behalf of a creditor. Once it has found the individual and reported to the creditor, there may be no need to retain the information about the debtor – it should be removed from the agency’s systems unless there are good reasons for keeping it. Such reasons could include if the agency has also been asked to collect the debt, or because the agency is authorised to use the information to trace debtors on behalf of other creditors.
There may often be good grounds for keeping personal data for historical, statistical or research purposes. The Data Protection Act provides that personal data held for these purposes may be kept indefinitely as long as it is not used in connection with decisions affecting particular individuals, or in a way that is likely to cause damage or distress. This does not mean that the information may be kept forever – it should be deleted when it is no longer needed for historical, statistical or research purposes.
The surrounding circumstances
If personal data has been recorded because of a relationship between you and the individual, you should consider whether you need to keep the information once the relationship ends.
The individual may be a customer who no longer does business with you. When the relationship ends, you must decide what personal data to retain and what to delete.
You may not need to delete all personal data when the relationship ends. You may need to keep some information so that you can confirm that the relationship existed – and that it has ended – as well as some of its details.
In the previous example, you may need to keep some personal data about the customer so that you can deal with any complaints they might make about the services you provided.
An employer should review the personal data it holds about an individual when that individual leaves the organisation’s employment. It will need to retain enough data to enable the organisation to deal with, say, providing references or information about the individual’s pension arrangements. However, personal data that is unlikely to be needed again should be removed from the organisation’s records – such as the individual’s emergency contact details, previous addresses, or death-in-service beneficiary details.
A business receives a notice from a former customer requiring it to stop processing the customer’s personal data for direct marketing. It is appropriate for the business to retain enough information about the former customer for it to stop including that person in future direct marketing activities.
In some cases, you may need to keep personal data so you can defend possible future legal claims. However, you could still delete information that could not possibly be relevant to such a claim. Unless there is some other reason for keeping it, personal data should be deleted when such a claim could no longer arise.
An employer receives several applications for a job vacancy. Unless there is a clear business reason for doing so, the employer should not keep recruitment records for unsuccessful applicants beyond the statutory period in which a claim arising from the recruitment process may be brought.
Any legal or regulatory requirements
There are various legal requirements and professional guidelines about keeping certain kinds of records – such as information needed for income tax and audit purposes, or information on aspects of health and safety. If an organisation keeps personal data to comply with a requirement like this, it will not be considered to have kept the information for longer than necessary.
Agreed industry practices
How long certain kinds of personal data should be kept may also be governed by specific business-sector requirements and agreed practices. For example, we have agreed that credit reference agencies are permitted to keep consumer credit data for six years.
What should happen to personal data at the end of its retention period?
At the end of the retention period, or the life of a particular record, it should be reviewed and deleted, unless there is some special reason for keeping it. Automated systems can flag records for review, or delete information after a pre-determined period. This is particularly useful where many records of the same type are held.
However, there is a significant difference between permanently deleting a record and archiving it. If a record is archived or stored offline, this should reduce its availability and the risk of misuse or mistake. However, you should only archive a record (rather than delete it) if you still need to hold it. You must be prepared to give subject access to it, and to comply with the data protection principles. If it is appropriate to delete a record from a live system, it should also be deleted from any back-up of the information on that system.
The word ‘deletion’ can mean different things in relation to electronic data. We have produced detailed guidance, Deleting personal data, which sets out how organisations can ensure compliance with the DPA, in particular the fifth data protection principle, when archiving or deleting personal information.
What about keeping shared information?
Where personal data is shared between organisations, those organisations should agree about what to do once they no longer need to share the information. In some cases, it may be best to return the shared information to the organisation that supplied it, without keeping a copy. In other cases, all the organisations involved should delete their copies of the information.
Personal data about the customers of Company A is shared with Company B, which is negotiating to buy Company A’s business. The companies arrange for Company B to keep the information confidential, and use it only in connection with the proposed transaction. The sale does not go ahead and Company B returns the customer information to Company A without keeping a copy.
The organisations involved in an information-sharing initiative may need to set their own retention periods, because some may have good reasons to retain personal data for longer than others. However, if shared information should be deleted, for example because it is no longer relevant to the initiative, then all the organisations with copies of the information should delete it.