Disposal and deletion
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Control measure: Electronic records are disposed of in line with the retention schedule.
Risk: If the disposal of electronic records is not planned in the retention schedule, information may be accidentally retained for too long. This may breach UK GDPR articles 5(1)(e-f) and 32.
Ways to meet our expectations:
- Delete electronic records containing personal information permanently in line with the retention schedule.
- Move electronic records out of reach and restrict access to them where system functionality prevents deletion or deletion isn’t otherwise possible.
- Obtain and log management approval prior to deleting records.
- Have a process to delete emails in line with the retention schedule.
- Report failure to delete electronic records in line with the retention schedule as an incident and take appropriate action.
Options to consider:
- Delete electronic records in archives, recycle bins, and back-ups.
- Use built-in system retention periods to purge electronic records and emails automatically once the retention period has expired.
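The retention-driven disposal process described in this control measure, as an added example that is not part of the ICO guidance: a record is compared against a constructed retention schedule, deletion is only actioned with logged management approval, records the system cannot delete are instead restricted, and anything left undeleted well past its retention date is raised as an incident. The schedule values, the 30-day incident grace period and the sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constructed retention schedule: days to keep a record after it is closed (hypothetical values).
RETENTION_SCHEDULE = {"hr_file": 6 * 365, "email": 2 * 365, "customer_order": 7 * 365}
INCIDENT_GRACE_DAYS = 30   # assumption: still present this long after expiry is reported as an incident
TODAY = date(2025, 7, 1)   # constructed "run date" for the sample below

@dataclass
class Record:
    record_id: str
    category: str
    closed_on: date              # date the retention clock started
    location: str                # e.g. "live", "archive", "recycle_bin", "backup"
    deletable: bool              # False where system functionality prevents deletion
    deleted: bool = False
    access_restricted: bool = False

def expiry_date(rec: Record) -> date:
    return rec.closed_on + timedelta(days=RETENTION_SCHEDULE[rec.category])

def plan_disposal(records: List[Record], today: date,
                  approved_by: Optional[str]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (actions, disposal_log). Each action is (action_name, record_id)."""
    actions, log = [], []
    for rec in records:
        if rec.deleted or today < expiry_date(rec):
            continue                                   # nothing to do yet
        if (today - expiry_date(rec)).days > INCIDENT_GRACE_DAYS:
            actions.append(("incident", rec.record_id))   # failure to delete in line with the schedule
        if rec.deletable:
            if approved_by is None:
                actions.append(("awaiting_approval", rec.record_id))  # no management approval logged
            else:
                actions.append(("delete", rec.record_id))
                log.append(f"{today} {rec.record_id} in {rec.location} deleted; approved by {approved_by}")
        elif not rec.access_restricted:
            actions.append(("restrict", rec.record_id))  # move out of reach where deletion is impossible
            log.append(f"{today} {rec.record_id} in {rec.location} access restricted; deletion unsupported")
    return actions, log

# Constructed sample records covering live, archive, recycle-bin and backup copies.
SAMPLE_RECORDS = [
    Record("HR-001", "hr_file", date(2018, 1, 10), "archive", True),
    Record("EM-042", "email", date(2024, 6, 1), "live", True),
    Record("ORD-7", "customer_order", date(2015, 3, 1), "backup", False),
    Record("HR-002", "hr_file", date(2019, 5, 5), "recycle_bin", True, deleted=True),
]
```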
Control measure: Electronic records are destroyed using appropriate methods that prevent disclosure before, during, and after disposal.
Risk: If personal information in electronic records is not destroyed securely, it may be recoverable. This may breach UK GDPR articles 5(1)(f) and 32.
Ways to meet our expectations:
- Use and document secure disposal methods (eg device wiping, degaussing, or hardware shredding).
- Store electronic devices or hardware awaiting destruction securely (eg in a locked area with restricted access).
- Keep a log of all devices awaiting destruction and their location.
Options to consider:
- Maintain an access log to show who has accessed electronic devices awaiting destruction.
- Check areas with devices awaiting destruction on site walks.
- Use a third-party secure hardware destruction provider.
Control measure: Physical records are disposed of in line with the retention schedule.
Risk: If the disposal of physical records is not planned in the retention schedule, information may be accidentally retained for too long. This may breach UK GDPR articles 5(1)(e-f) and 32.
Ways to meet our expectations:
- Destroy physical records containing personal information permanently in line with the retention schedule.
- Destroy records held in record archives, satellite locations, or by third-party storage providers.
- Obtain and log management approval prior to destroying records.
- Report failure to delete physical records as an incident and take appropriate action.
Options to consider:
- Keep a checklist in each team or department showing how long to keep each record for, when the retention time was last checked and by whom.
Control measure: Physical records are destroyed using appropriate methods that prevent disclosure before, during, and after disposal.
Risk: If physical records are not destroyed securely, personal information may be recoverable. This may breach UK GDPR articles 5(1)(f) and 32.
Ways to meet our expectations:
- Use and document secure disposal methods (eg cross-cut or micro-cut shredding).
- Store physical records awaiting destruction securely (eg in a locked area with restricted access).
- Keep a log of all physical records awaiting destruction and their locations.
Options to consider:
- Use secure confidential waste bins.
- Check areas with physical records awaiting destruction on site walks.
- Use a third-party secure shredding or incineration provider.
Control measure: Appropriate contracts are in place with all third parties used to dispose of personal information.
Risk: If disposal is not appropriately controlled, personal information may be used or disclosed inappropriately by third parties. This may breach UK GDPR articles 5(1)(f) and 32.
Ways to meet our expectations:
- Ensure contracts are signed by an appropriate senior manager.
- Ensure contracts include all required clauses and details, including security measures, accountability, and your right to audit providers.
Options to consider:
- Schedule annual visits to third-party records storage providers as part of relationship management processes.
- Ensure contracts are timebound and reviewed regularly.
Control measure: Evidence of secure disposal is obtained from third parties used to dispose of personal information.
Risk: If evidence is not obtained, personal information may not be secure during disposal or not disposed of at all. This may breach UK GDPR article 5(2).
Ways to meet our expectations:
- Check periodically that the security of third-party services is to the agreed standard.
- Assign a staff member to check destruction certificates match what you sent for destruction.
Options to consider:
- Store electronic confirmations of destruction in a dedicated folder or email inbox.