Data retention is an important part of GDPR. Zero Waste Week, which has happened in the first week of September since 2008, emphasises the importance of preserving resources – and this applies to data protection too.
Once an organisation no longer has a fair and lawful reason to keep information, it should be removed. This could be through destroying the data, transferring it or archiving it.
All disposal of data should happen under clearly defined procedures that are outlined within a disposal schedule. This schedule should be accessible to everyone who has access to the data, for example as part of a data protection policy, privacy policy, or data retention schedule.
Data retention is essential to good records management. However, deleting information that has already been requested, such as via a Freedom of Information (FOI) request or Subject Access Request (SAR), could be a criminal offence.
Under the Environmental Information Regulations 2004 (EIR), it is unlawful to knowingly remove data that has already been requested, such as removal of data outside of your normal data retention schedule.
In March 2020, a council employee was fined £400 and ordered to pay costs of £1,493, as well as a victim surcharge of £40, for deleting an audio recording of a council meeting that was part of a Freedom of Information request.
Considering this, companies should be able to explain their disposal schedule and detail why information is no longer kept, with clearly defined policies to back up their reasoning. The defence is likely to stand if the requested information was deleted as part of the routine clearing of ‘waste’ data, and the organisation can prove this through regularly updated policies.
This does not apply to information that was disposed of, through a normal data retention schedule, before a request was received. If an FOI request or SAR is received for data that has already been removed as per company policy, it is therefore acceptable to respond by stating that the company no longer holds the information. However, it would be sensible to share a copy of the data retention schedule or data protection policy with the person who requested it.
More information is available on the ICO website regarding data retention and destruction as well as links to the legislation that applies. BLS Stay Compliant are regularly reviewing, rewriting or creating policies for our clients to ensure that their data protection is in line with data retention legislation. If this would be of assistance to you or your organisation, please get in touch and we would be glad to discuss your requirements.