What is data retention?
Data retention considerations are those related to the storage of personal data (ie information about individuals from which they may be identified) by organisations that process (eg use or store) this data. Ensuring strong data retention practices is an important way of ensuring compliance with the UK’s data protection laws (eg the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR)).
To achieve good data retention practices, a business should focus on 2 of data protection law’s key guiding principles: data minimisation and storage limitation.
What is data minimisation?
The principle of data minimisation refers to the process of an organisation ensuring that they only process personal data that is adequate, relevant, and limited to what is necessary to use for the purpose for which it’s being used.
To adhere to this principle, an organisation could consider scaling down personal data use. In practice, this involves the continuous and consistent review of personal data to ensure that collecting and using it is still necessary.
Stored information should be relevant and should not include extraneous information that does not relate to the intended purpose. For example, if you’re collecting customers’ names and email addresses for the purposes of sending them marketing emails, you should not collect this using a form that also asks for customers’ postal addresses and birthdays, unless you have a reason (and justification) for doing so.
What is storage limitation?
The storage limitation principle essentially requires that an organisation does not keep (ie store) personal data for longer than necessary.
To adhere to this principle, organisations should determine when they should destroy records of data that they possess. Achieving this requires deciding on and managing the retention periods of various different documents. To do so, businesses tend to create data retention policies, which help them to organise review periods and comply with various rules or decisions on how long particular types of documents and data should be stored for.
If you store personal data for longer than is necessary, your data storage will be unnecessary and will likely breach data protection laws (ie as you’ll no longer have a ‘lawful basis’ for processing the data).
How long should I store personal data for?
There is no finite rule in UK data protection law that sets out how long personal data can be stored for. The organisation that’s processing personal data must determine how long it is appropriate to keep specific data for. Key factors to consider when determining how long specific personal data should be kept for include:
-
the purpose for which the data was collected and used in the first place - it should only be kept as long as it’s necessary for this purpose
-
whether the organisation’s relationship with a data subject still needs to be recorded (eg to keep a customer’s name on a marketing opt-out list)
-
any legal or regulatory reasons for keeping certain data - for example, for taxation or healthcare purposes. Specific minimum retention periods are sometimes imposed
-
any standards or guidelines for data retention in your industry
-
whether the data is necessary to enable the business to navigate or protect against potential future legal disputes
-
whether you still need this data - if it doesn’t relate to business records, clients’ information, or staff records, it’s less likely that compulsory or guideline retention periods will be applicable
-
whether you have back-up copies of data
You should regularly evaluate whether specific data or types of documents need to be kept. If they do not, the data should not be kept.
You should also be prepared to delete personal data on request. A person to whom personal data relates has the right to request that their personal data is deleted. So, if a client or customer requests to have their data deleted, you are required by law to follow through with this. For more information, read Making data deletion requests.
Also consider whether you have more copies of data than is necessary. For example, hard copy documents are often digitised by businesses as a way of minimising the risks of the data being stolen. This can be a great cybersecurity strategy. However, the hard copies may then be unnecessary. If you want to dispose of your hard copy documents, this is generally perfectly fine providing that you are sure that you have backup copies before you do so.
The archiving, research, and statistical purposes exception
Personal data can be kept for long-term storage where doing so is in the public interest or it serves scientific, statistical, or historical research purposes. If you store personal data for these purposes, it is advised that you record in writing the purpose for which the data is being kept.
When data is kept for this reason, it’s often appropriate for names to be pseudonymised (ie recorded under different names or initials) so that the data cannot be used to identify distinct individuals (at least not without additional information).
Retention periods for common business documents
Some key types of business documents and records have minimum time periods that they should be kept for. These rules help uphold laws that fulfil purposes other than data protection (eg pay gap reporting, ensuring employment laws are upheld, and enforcing tax and payroll rules). These legal minimum record-keeping periods should always be complied with.
Remember that, for any data that’s not subject to specific minimum retention periods, the final call on how long it’s appropriate to retain any particular personal data is in the hands of the organisation responsible for processing it, and will depend on the unique situation. For example, retention periods may be affected by your local area, business’ industry, and the nature of your work.
Some key retention periods for certain types of business documents, which may sometimes contain personal data (eg employees’ details), are as follows:
Key business and employment documents that should be kept for a minimum of 6 years
Certain business documents have mandatory retention periods of 6 years (unless an exception applies). For example:
-
company accounting records (eg records of assets, debts, stocks owned, goods bought and sold, and money spent) should be kept for 6 years from the end of the last company financial year to which they relate
-
records proving that an employer has been paying staff members at least the minimum wage should generally be kept for at least 6 years
-
company records including details of directors, shareholders, and people with significant control, and records of company promises, should be kept for 6 years from the end of the last company financial year to which they relate
-
personnel and training records (including redundancy records and sickness absence records) should be kept for at least 6 years following the end of an individual’s employment
Key business and employment documents that should be kept for a minimum of 3 or 4 years
Other business and employment documents have mandatory retention periods of 3 or 4 years (unless an exception applies). For example:
-
payroll records (eg salary, overtime, and income tax payment details) should be kept for 3 years from the end of the tax year that they relate to
-
accident records should usually be kept for at least 4 years from the date an accident was reported (or until a young person who was involved reaches 21 years of age)
-
maternity, paternity, and adoption pay records should be kept for at least 3 years from the end of the tax year to which they relate
-
income tax records and any correspondence with HMRC should be kept for at least 3 years from the end of the relevant financial year
Documents with shorter retention periods
-
job applications and other recruitment records and interview notes should generally be kept for at least 6 months or, for unsuccessful candidates, for 12 months
These guideline retention periods are subject to change and to various exceptions and conditions. If you need help working out how long to retain particular documents or data for, you can Ask a lawyer.
What should I do with personal data that’s no longer necessary?
Generally, there are 2 options:
-
erasure - the data can be deleted, at least as far as it technically can be with regard to the format that it’s held on (eg some electronic data may always leave traces, but personal details can be deleted to the point of no longer being able to be used to identify individuals), or
-
anonymisation - ie changing the data into a form that no longer allows it to be used to identify the individuals to which it relates (eg collating it for statistical purposes, or removing names and just keeping records of items sold and the counties into which they were delivered)
Either option may be appropriate, depending on your organisation’s needs. What’s important is that the data stops being stored as personal data, ie it stops being able to be used to identify individuals to which it relates.
In practice, businesses should put specific measures into place for the destruction of sensitive documents, in order to prevent data from being misused. Having the correct measures in place and destroying confidential documents in the right way will ensure that you comply with the data retention rules. For example:
-
ensure that confidential and sensitive information is not seen by anyone who doesn’t need to see it
-
if you have digital copies of the documents - be sure that you completely delete them and that there is no way for people to get hold of them (eg by pulling them out of a desktop ‘bin’)
-
if you have hard copies - be sure that you completely destroy the documents. This is best done by using a professional and confidential document destruction service
Consequences of improper data retention practices
Organisations can be fined for the improper retention, review, or destruction of company records. For example, improper retention of accounting records can lead to a fine of up to £3,000.
A company director can also be disqualified for failing to correctly retain company records.
The Information Commissioner’s Office (ICO) may also impose other penalties, eg other fines, for illegal data protection practices.