You have an appropriate retention schedule outlining storage periods for all personal data, which you review regularly.
Ways to meet our expectations:
- You have a retention schedule based on business need with reference to statutory requirements and other principles (for example the National Archives).
- The schedule provides sufficient information to identify all records and to implement disposal decisions in line with the schedule.
- You assign responsibilities to make sure that staff adhere to the schedule and you review it regularly.
- You regularly review retained data to identify opportunities for minimisation, pseudonymisation or anonymisation and you document this in the schedule.
Can you answer yes to the following questions?
- Are staff aware of the retention schedule?
- Do they adhere to it?
- Could staff explain what their responsibilities are and how they carry them out effectively?