If you meet the criteria to apply the journalism exemption, you no longer have to comply with the requirement to keep personal information only for as long as you need it. This section of the code sets out what the legislation says and how to comply when you are not applying the journalism exemption (see Apply the journalism exemption).

What does the legislation say?

10.1 You must only keep personal information for as long as you need to. How long it is appropriate to keep personal information varies depending on the circumstances; however, you must be able to justify how long you keep it.

10.2 You must also consider the risk of harm to a person if you keep personal information. You must only keep it if it is fair and lawful to do so (see Use personal information fairly, Use personal information lawfully and Use personal information transparently).

10.3 You must record how long you expect to hold different types of personal information, where possible, and review this at appropriate intervals (see Demonstrate how you comply).

How do we comply?

10.4 There are no specific time limits, so you should consider why you are using the personal information to decide how long it is reasonable to keep it. You are best placed to decide this, based on the circumstances, but you should establish time limits to delete or erase personal information and to conduct a periodic review.

10.5 If it is appropriate to delete personal information from a live system, you should also delete it from any back-up system.

Research and background materials

10.6 Research and background details, such as contact details, are vital to journalism, so you may often be justified in keeping this personal information for long periods of time or indefinitely. You should review any personal information you decide to keep to make sure you still need it.

Reference notes

These reference notes support the Data protection and journalism code of practice (the code) but are not part of the statutory code itself.

10.3 Recording how long to keep personal information

A retention policy or schedule may help you to record how long you expect to keep different types of personal information. If you have 250 or more employees, you must record your use of personal information including, where possible, how long you expect to keep it.

10.4 Deciding how long to keep personal information

To help you judge how long to keep personal information, it may be helpful to consider the following factors:

  • how likely you are to use the information in the future, taking account of the public interest;
  • whether you may need to keep information to defend possible future legal claims;
  • any legal or regulatory requirements (eg limitation periods for claims); and
  • relevant industry standards or guidelines.

Key legal provisions

UK GDPR article 5(1)(e) – the storage limitation principle

UK GDPR article 17(1)(a) – the right to erase personal data when it is no longer necessary to hold it

UK GDPR article 30(1)(f) – requirement to record time limits for erasure of different categories of data where possible

Further reading

UK GDPR guidance and resources: Storage limitation

UK GDPR guidance and resources: Right to erasure

UK GDPR guidance and resources: Documentation