What is a Data Retention Policy?
A Data Retention Policy sets out how an organisation manages the personal data it holds, helping the organisation comply with data protection law by ensuring that it stores this data no longer than necessary. Data Retention Policies specify how and when personal data should be deleted or anonymised, and how this process is managed.
How to make a Data Retention Policy
Making your Data Retention Policy online is simple. Just answer a few questions and Rocket Lawyer will build your document for you. When you have all the information about your organisation’s data protection practices prepared in advance, creating your document is a quick and easy process.
You’ll need the following information:
Organisation and personnel
- What is your organisation’s name?
- Who holds overall responsibility for data retention within your organisation?
- What are this person’s phone number and email address?
- Who is your organisation’s key contact for administrative questions related to this Data Retention Policy? For example, the person from whom access to other data protection documents should be requested.
- What are this person’s phone number and email address?
- Which other data protection documents (eg policies and procedures) does the organisation have in place? (optional)
Retention periods
You’ll need to set separate retention periods for different types of personal data. For each, you need to identify:
- The type of personal data.
- What’s included in this type of personal data.
- Why the organisation is processing this type of personal data.
- How long this type of personal data should be stored for (ie its retention period).
- Why this type of personal data should be stored for this long (ie the justification for the retention period).
- Who is responsible for this type of personal data.
Reviews and approvals
- If a staff member thinks personal data should be stored beyond the end of its retention period, do they need approval from the person responsible for data retention before they can do this?
- How frequently will your retention periods be reviewed?
- Does all personal data that the organisation stores need to be regularly reviewed?
- If so, how frequently must it be reviewed?
Handling data that’s no longer needed
- How should staff members delete personal data stored electronically? (optional)
- How should staff members delete personal data stored in hard copy? (optional)
Common terms in a Data Retention Policy
Data Retention Policies help organisations to meet their legal obligation to appropriately and securely handle personal data. To do this, this Data Retention Policy template includes the following terms and sections:
Statement of purpose
The Policy starts by identifying the Policy’s purpose, ie helping the organisation to uphold the data protection and privacy rights of any individuals whose personal data it processes (eg uses or stores), with a particular focus on storage limitation. It identifies the person within the organisation whom staff members should contact if they have any general questions about the Policy.
Definitions, interpretation, and scope
This clearly defines key legal terms used within the Policy (eg ‘personal data’ and ‘processing’).
Legal justification for processing
This section highlights the organisation’s compliance with data protection laws and identifies the legal basis upon which the organisation is legally permitted to process the personal data it holds. It then highlights that all data processing activities are carried out in accordance with the organisation’s other data protection policies and procedures, naming the key documents of this kind if you choose to include them.
Storage limitation
Next, the Policy explains the data protection principle of storage limitation and why upholding it is important (eg to reduce the risks of personal data being used incorrectly or of the data being subject to data breaches). The section then explains the organisation’s general commitments to upholding the storage limitation principle, for example:
- ensuring compliance with the retention periods set out in the Policy
- deleting or anonymising personal data that’s no longer required
- regularly reviewing all personal data the organisation holds to identify unnecessary storage (if you choose to include this requirement), and
- handling data deletion (ie erasure) requests appropriately
Retention periods
This section explains what retention periods are and how staff members should use them. For example, it explains what should happen if a staff member in charge of certain personal data believes that this data should be stored for longer than its retention period states.
Dealing with personal data that is no longer needed
Here, the Policy explains what staff members should do with personal data that no longer needs to be stored. It explains how electronic and hard copy data should be deleted and how anonymisation may, in some cases, be an appropriate alternative to deletion.
Responsibility
This is where the person with general responsibility for data retention within the organisation is identified. It’s also highlighted that all staff members are responsible for complying with the Data Retention Policy in relation to personal data that they handle or are responsible for.
Changes to the Policy and to retention periods
This section highlights how the Policy may change in response to changes in the personal data held or changes in relevant laws. It also requires that the person responsible for data retention reviews the retention periods set in the Policy at a specified interval (as a minimum).
Schedule - Retention periods
The actual retention periods applicable to the different types of personal data the organisation processes are set out here. Each entry states the retention period, the justification for that period and the purpose for which the personal data is being processed, and assigns responsibility for that type of personal data to a named person.
If you want your Data Retention Policy to include further or more detailed provisions, you can edit your document. However, if you do this, you may want a lawyer to review the document for you (or to make the changes for you) to make sure that your modified Data Retention Policy complies with all relevant laws and meets your specific needs. Use Rocket Lawyer’s Ask a lawyer service for assistance.
Legal tips for organisations handling personal data
Complete your compliance with data protection laws
Storage limitation is only one of the key data protection principles. Complying with data protection laws requires ensuring that all data processing is carried out compliantly - with individuals’ privacy in mind - at every step of the way. For example:
- transparency should be upheld by providing the individuals whose information is being processed with information about the processing
- data minimisation and purpose limitation should be achieved by only collecting data for explicit, legitimate purposes, and only as much data as is required
- integrity and confidentiality should be upheld by technical and organisational measures that ensure data security
A critical first step towards compliance is learning what’s required. To learn more, you can read the various legal guides in our Data protection for businesses legal centre.
Setting out, implementing, and monitoring data protection policies and procedures, and creating other data protection documents that communicate data protection considerations (eg to employees and customers) is essential. You can use our GDPR documents and FAQs to get started.
If you need additional help ensuring your business complies with data protection law, you can use our GDPR compliance advice service.
Understand when to seek advice from a lawyer
In some circumstances, it’s good practice to Ask a lawyer for advice to ensure that you comply with the law and are well protected from risks. You should consider asking for advice if:
- you need help setting or justifying retention periods
- you’re storing personal data in England, Scotland, and/or Wales and also elsewhere (eg in the EU or Northern Ireland)
- this Data Retention Policy doesn’t cover everything you want or doesn’t meet your needs
Data Retention Policy FAQs
What is included in a Data Retention Policy?
This Data Retention Policy template covers:
- the importance of the storage limitation principle and how the organisation upholds it
- the organisation’s compliance with data protection laws more broadly
- what should happen to personal data that no longer needs to be stored
- responsibility for data retention
- retention periods for different types of data
Why do I need a Data Retention Policy?
A Data Retention Policy clearly identifies an organisation’s understanding of the importance of the principle of storage limitation and how the organisation upholds this principle. It creates clearly communicated rules for staff members to follow when handling stored personal data.
This is vital to helping the organisation comply with data protection laws, conduct efficient data management, and uphold the information privacy rights of its staff, customers, and anyone else whose personal data it holds.
What is storage limitation?
Storage limitation is one of the 7 key principles that underlie UK data protection law and which guide compliance with it. The storage limitation principle requires that personal data be stored only for as long as is necessary for it to be used for the purposes for which it was collected. Once the data’s purpose has been fulfilled and there is no other legitimate justification for storing the data, it should no longer be stored (ie it should be securely deleted or anonymised).
This aims to minimise the risks posed to individuals by the processing of their personal data (and, in turn, the legal risks and administrative hassles posed to the organisation). For example, it reduces the risk of the data being subject to data breaches or being incorrectly or accidentally used.
For more information, read Data protection principles and Data retention and document destruction.
Which types of data should the Data Retention Policy cover?
An organisation’s data retention practices should cover all personal data that the organisation processes (eg collects, uses, or stores). In practice, this can cover a wide range of information, such as:
- staff and contractor information (eg personal details, payment records, and family leave and pay records), including personal data related to job applicants
- financial records (eg accounting records)
- workplace health and safety data (eg accident reports)
- customer data (eg payment details, contracts, and delivery addresses)
- photos and video content (eg ID photos and security footage)
- website visitor data (eg IP addresses and email addresses)
- correspondence (eg emails and letters)
Extra attention should be paid to special category personal data (eg information about someone’s health) to ensure that it receives the higher level of protection that it is legally entitled to.
How do I determine the retention period for a type of personal data?
There isn’t generally a strict set time period for which a particular type of personal data should be retained. Essentially, personal data should not be stored for any longer than is necessary to enable it to fulfil the purpose(s) for which it was collected.
The retention period that should be set for a given type of data depends on various factors, including:
- the purpose for which the organisation is processing (eg using or storing) the data (eg how long this purpose will continue for)
- the level of risk the data poses to individuals’ privacy (eg whether or not it is special category personal data)
- specific legal and regulatory requirements related to the type of data
Laws and regulatory requirements subject organisations to various restrictions and allowances in relation to how long certain data can and should be stored for. For example, the following types of information should be retained for at least a certain amount of time:
- pay records related to income tax and National Insurance contributions
- information related to health and safety incidents
It’s also justified to retain some personal data for the purpose of defending potential future legal claims (eg employment law claims). In such cases, data can generally be retained until the relevant limitation period (ie the time limit for bringing the types of legal claims relevant to the data) has ended.
For more information, including details on some set minimum data retention periods, read Data retention and document destruction and the Information Commissioner's Office (ICO) guidance on storage limitation.
You can Ask a lawyer if you need help setting your retention periods.
What should happen to personal data after it’s no longer needed?
Personal data that’s no longer needed should be either:
- deleted, or
- anonymised
Electronically held data that’s deleted should be deleted as far as is technologically possible. The person carrying out the deletion must ensure that, after deletion, the data is beyond use (ie they must ensure that, if any traces remain, these traces cannot identify the person to whom the data relates). They should ensure that any offline or backup copies are also deleted.
Hard copy data that’s deleted should be destroyed to the extent that it is beyond use (eg shredded and mulched).
Anonymisation is an alternative to deletion. It involves altering personal data into a form that does not allow the individual to whom the data relates to be identified in any way. Anonymisation may be an appropriate alternative to deletion when it is useful to the organisation and neither the nature of the data nor its anonymisation makes it inappropriate (eg the anonymised data must not still pose a risk to the privacy of those to whom the data relates). For example, anonymisation may be appropriate for the purposes of conducting statistical analysis with a large, anonymous dataset.
For more information, read Data retention and document destruction.
How often should data retention periods be reviewed?
Data retention periods should be periodically reviewed. However, the regularity with which particular data should be reviewed depends on the nature of the data, its use, and the organisation that’s using it.
You can select how often your data retention periods should be reviewed. An appropriate approach could be to, for example, review retention periods thoroughly once every year but also keep track of any changes to the law that require retention periods to change (eg if the time period for which PAYE or family leave pay records must be retained were to change).