The ICO exists to empower you through information.

 Control measure: Storage periods for all personal information are documented in a retention schedule.

Risk: Without a retention schedule, information may be retained for longer than necessary. This may breach UK GDPR articles 5(1)(a-f), 5(2), and 32.

Ways to meet our expectations:

  • Produce a retention schedule that reflects business needs and legal requirements.
  • Document in detail how long you keep each category of personal information and why (the business need or legal requirement behind each period).
  • Document the actions to take after the retention period (eg anonymisation, archiving, or deletion).

Options to consider:

  • Use an automated system that tags records with a retention date and automatically prompts for action at this date.
  • Publish the retention schedule.

 

Control measure: The retention schedule is reviewed regularly to check it meets all necessary requirements.

Risk: If processing is changed without updating the retention schedule, information may be held for an incorrect period. This may breach UK GDPR article 5(1)(e).

Ways to meet our expectations:

  • Regularly review the retention schedule so it continues to meet business needs and legal requirements.
  • Update the retention schedule quickly when a change is required.

Options to consider:

  • Have appropriate document and version control in the retention schedule.
  • Add the retention schedule review as a standing agenda item in relevant meetings.
  • Clearly communicate changes to retention periods to relevant staff.

  

Control measure: The retention schedule and process are owned by an appropriate staff member.

Risk: If there isn't a designated staff member responsible for retention, information may be kept for too long or not kept for as long as it is required. This may breach UK GDPR article 5(1)(e).

Ways to meet our expectations:

  • Assign responsibility for the retention schedule and deletion process to one or more appropriate staff members.
  • Provide specialised training for staff who handle retention or deletion.
  • Record specialist training requirements in a training needs analysis or training programme for staff who handle retention or deletion.

Options to consider:

  • Document retention responsibilities in job descriptions.
  • Add retention and deletion processes as a standing agenda item in relevant meetings.
  • Record minutes of meetings where retention and deletion decisions are made.

 

Control measure: Retained physical records are converted into electronic form, where possible, and physical copies are securely destroyed.

Risk: When stored for long periods, physical records are at a higher risk of degradation, loss, or tampering.

Ways to meet our expectations:

  • Scan physical records or manually input information into electronic systems, where possible.
  • Destroy physical records securely after the information is saved electronically and you have checked that the electronic copy is complete and legible.

Options to consider:

  • Use a third-party records management provider to scan physical records in bulk.
  • Keep confirmation of the destruction of physical copies with the electronic copy, to help you respond to individual rights requests.

 

Control measure: Information or records are weeded periodically to prevent inaccuracies or excessive retention.

Risk: Without periodic weeding, information may be retained when it isn't accurate, relevant, or required. This may breach UK GDPR articles 5(1)(a-f) and 5(2).

Ways to meet our expectations:

  • Document information weeding processes in policies.
  • Regularly complete weeding activities.
  • Ensure staff understand the importance of weeding and how it supports compliance with data protection law.

Options to consider:

  • Use system rules or automated alerts to highlight records for weeding.
  • Run regular staff awareness exercises.
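The automated tagging and prompting suggested above (a system that stamps each record with a retention date and prompts for action when it is reached, and rules or alerts that surface records for weeding) can be illustrated in a few dozen lines. The following is an added example written for this page, not ICO tooling or a reference implementation. The schedule categories, retention periods and legal bases in it are constructed for illustration only and are not guidance on what periods to use. It shows the schedule as a version-controlled, documented structure (period, end-of-period action and the reason for the period, as the first control measure asks), tags records from it, and produces the list of actions due on a given date. Records whose category is missing from the schedule are surfaced for review immediately rather than kept silently, which is the failure mode the weeding control is meant to catch.

```python
"""Retention-schedule tagging and action prompting.

Added illustration for this page; not ICO code.  The schedule, its periods
and legal bases, and the sample records are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from enum import Enum


class Action(Enum):
    """What happens once a retention period ends."""
    DELETE = "delete"
    ANONYMISE = "anonymise"
    ARCHIVE = "archive"
    REVIEW = "review"  # fallback for records the schedule does not cover


@dataclass(frozen=True)
class ScheduleEntry:
    retain_years: int
    action: Action
    basis: str  # why this period applies: business need or legal requirement


# Version-controlled schedule.  Categories, periods and bases are hypothetical.
SCHEDULE_VERSION = "2024-06-v3"
RETENTION_SCHEDULE: dict[str, ScheduleEntry] = {
    "hr/payroll": ScheduleEntry(6, Action.DELETE, "hypothetical statutory period"),
    "web/analytics": ScheduleEntry(1, Action.ANONYMISE, "business need: trend reporting"),
    "legal/contracts": ScheduleEntry(7, Action.ARCHIVE, "hypothetical limitation period"),
}


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    retention_date: date | None = None  # stamped by tag_record
    action: Action | None = None


def add_years(d: date, years: int) -> date:
    """Advance a date by whole years; 29 Feb rolls to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def tag_record(record: Record, schedule: dict[str, ScheduleEntry] = RETENTION_SCHEDULE) -> Record:
    """Stamp a record with its retention date and end-of-period action.

    A record whose category has no schedule entry is tagged for immediate
    review: surfacing it is safer than retaining it with no documented period.
    """
    entry = schedule.get(record.category)
    if entry is None:
        record.retention_date = record.created
        record.action = Action.REVIEW
    else:
        record.retention_date = add_years(record.created, entry.retain_years)
        record.action = entry.action
    return record


def actions_due(records: list[Record], as_of: date,
                schedule: dict[str, ScheduleEntry] = RETENTION_SCHEDULE) -> list[Record]:
    """Return the records whose retention date has been reached by `as_of`."""
    return [r for r in records if tag_record(r, schedule).retention_date <= as_of]


# Constructed sample records (hypothetical identifiers and dates).
SAMPLE_RECORDS = [
    Record("p1", "hr/payroll", date(2018, 3, 1)),
    Record("a1", "web/analytics", date(2023, 1, 15)),
    Record("a2", "web/analytics", date(2020, 2, 29)),   # leap-day creation
    Record("c1", "legal/contracts", date(2024, 5, 1)),
    Record("x1", "uncategorised/export", date(2024, 5, 20)),  # not in schedule
]


def due_report(as_of_iso: str) -> list[tuple[str, str, str]]:
    """(record_id, action, retention_date) for every sample record due on as_of_iso."""
    return [(r.record_id, r.action.value, r.retention_date.isoformat())
            for r in actions_due(SAMPLE_RECORDS, date.fromisoformat(as_of_iso))]


if __name__ == "__main__":
    print(f"schedule version {SCHEDULE_VERSION}")
    for rid, action, due in due_report("2024-06-01"):
        print(f"{rid}: {action} (retention date {due})")
```

In a real system the output of `due_report` would feed a ticket or workflow prompt to the staff member who owns the deletion process, and the stamped `retention_date` and `action` would be stored with the record so the prompt does not depend on recomputing from a schedule that may since have changed version; a schedule change then becomes a deliberate re-tagging step that is itself minuted.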