The ICO exists to empower you through information.


More information

Good record keeping supports good data protection. For example, having the right amount of accurate and up-to-date personal data helps you comply with data protection principles. It helps you to effectively handle requests from people exercising their rights under data protection law. It also makes good business sense. Having someone to make sure your business has robust systems in place to maintain your records saves you time and money, as poor record keeping can be costly. Consider the financial cost of recovering lost data, the staff time spent looking for historic information and the reputational damage if customers are negatively affected.


More information

Good record keeping starts when you create records and continues through to deletion. Manual and electronic records should be easy to find, manage and dispose of, when necessary. Classifying, titling and indexing new records can help with this. It also helps to keep a record of where you store information. For example, if you store records off-site, a record of what the information is, a unique reference, where it’s stored and name and contact details for the storage company can help you track and retrieve the information when you need to.

You should transfer personal data to and from the off-site facility securely.

More information

Your records containing personal data must be:

  • factually correct and not misleading;
  • enough to help you fulfil your reason for having it; and
  • not more than you need.

Everyone in a business has a key role to play in making sure all personal data you hold is of good quality.

Each customer interaction, whether by phone, face-to- face or email gives your staff the opportunity to check the quality of the personal data you hold.

Quality checks or audits are other ways you might use to improve the standard of the personal data you hold.

If you find potential problems, check them carefully. If they are incorrect, then correct without delay.

You should also periodically check records containing personal data (whether current or archived) to reduce the risk of having inaccuracies and keeping information for longer than you need it.

More information

You can only keep personal data for as long as you have a valid reason to have it. You may need some types of information for longer than others. This depends on what you’re doing with it and why you need it.

For example, your sector may have laws or standards, which mean you need to keep personal data for a certain length of time. An example of this is tax information, which you should usually keep for six years.

Having a retention schedule helps you to know when to delete or dispose of the personal data you hold. The lead person can’t help your business comply with data protection rules on their own. Share your retention schedule with everyone in your business so they know when to delete or dispose of personal data they have.

More information

Deciding the right time to delete or destroy personal data is important; but, you also need to make sure you get rid of it safely.

There are different ways to destroy paper and electronic records.

All personal data must be put permanently beyond use when you no longer need it

If you use a third-party contractor to destroy your personal data, you must put appropriate contracts in place. You should receive assurances your personal data has been destroyed as agreed, for instance audit checks or destruction certificates.

You should log any equipment or confidential waste sent for destruction.

Read our guidance on practical methods for destroying documents you no longer need for more information.