BLS Stay Compliant


Data retention – how long should we keep data?

Data retention is an important part of GDPR. Zero Waste Week, which has taken place in the first week of September every year since 2008, emphasises the importance of not hoarding resources, and the same thinking applies to data protection.

Whilst many organisations collect, use and hold data for processing, it would be impossible to retain every piece of data a company holds indefinitely, particularly from a resourcing perspective, and the storage limitation principle (Article 5(1)(e) UK GDPR) does not permit it: personal data must be kept in a form that identifies individuals for no longer than is necessary for the purpose it was collected for. The Information Commissioner's Office (ICO) states that data should only be stored where it is fair and lawful to do so, and that every organisation should know what information it holds, why it is held, how sensitive it is and how it should be managed.

Once an organisation no longer has a fair and lawful reason to keep information, it should be removed. This could be through securely destroying the data, transferring it, anonymising it or archiving it. Note that archived data which still identifies individuals is still personal data and still needs a lawful basis for retention; only properly anonymised data falls outside the scope of GDPR.

All disposal of data should happen under clearly defined procedures that are set out in a disposal (or retention) schedule. This schedule should be accessible to everyone who has access to the data, for example as part of a data protection policy, privacy policy or standalone data retention schedule.

Data retention is essential to good records management. However, deleting information that has already been requested, such as via a Freedom of Information (FOI) request or a Subject Access Request (SAR), can be a criminal offence.

Section 77 of the Freedom of Information Act 2000, regulation 19 of the Environmental Information Regulations 2004 (EIR) and section 173 of the Data Protection Act 2018 each make it an offence to alter, deface, block, erase, destroy or conceal a record with the intention of preventing its disclosure after a request for it has been received. Removing data outside of your normal data retention schedule once a request has arrived is exactly the kind of behaviour these offences target.

In March 2020, a council employee was fined £400 and ordered to pay costs of £1,493, as well as a victim surcharge of £40, for deleting an audio recording of a council meeting that was part of a Freedom of Information request. 

Considering this, organisations should be able to explain their disposal schedule, with clearly defined policies that set out why information is no longer kept. Because these offences require an intention to prevent disclosure, information that was deleted as part of the routine clearing of 'waste' data under a documented schedule is a strong answer, provided the organisation can evidence it through regularly reviewed policies and records of what was destroyed and when. The safer practice is to suspend scheduled destruction of any records that are the subject of a live request until the request has been dealt with.

The offences do not apply to information that was disposed of under the normal retention schedule before the request was received. If an FOI request or SAR arrives for data that has already been removed in line with company policy, it is acceptable to respond by stating that the organisation no longer holds the information; it is sensible to share a copy of the data retention schedule or data protection policy with the requester so that the reason is clear.

More information is available on the ICO website regarding data retention and destruction as well as links to the legislation that applies. BLS Stay Compliant are regularly reviewing, rewriting or creating policies for our clients to ensure that their data protection is in line with data retention legislation. If this would be of assistance to you or your organisation, please get in touch and we would be glad to discuss your requirements.  
