Data retention policy
This management-level data retention policy should be used to codify the policies and procedures of an organisation in relation to the archiving and deletion of data. The driving force behind the adoption of many retention policies is the General Data Protection Regulation (GDPR), but the suggested drafting in this document covers non-personal as well as personal data.
To make effective use of this policy, you will need to categorise the data concerned. The policy includes some suggested categories, but the best categorisation scheme will vary from organisation to organisation. With respect to each category (and where applicable sub-category) of data, the following issues should be considered: (i) the periods for archiving the data; (ii) the methods of archiving the data; (iii) the periods for deleting/destroying the data; and (iv) the methods of deletion/destruction.
Under the GDPR, there are general obligations to minimise the processing of personal data and to retain personal data only for so long as necessary for the purpose or purposes for which it was collected. Data retention periods will, however, be affected by other legal requirements. For example, employment law and tax law both include minimum data retention requirements. There is also a range of sector-specific laws and codes of practice affecting data retention.
One general consideration when determining data retention periods (including archiving periods) is the possibility that data may be needed to pursue or defend legal proceedings. Limitation periods - the periods during which a claimant may pursue a claim following the accrual of that claim - are frequently relevant and often decisive when setting minimum retention periods.
Some categories of data will need special treatment. For example, data disclosed by third parties under confidentiality agreements will often be subject to specific contractual treatment rules. Similarly, personal data with respect to which the organisation is a processor (as opposed to a controller) will be subject, under a GDPR-compliant data processing agreement, to deletion obligations after the completion of the relevant services.
Because the appropriate data retention periods will vary significantly from organisation to organisation, this data retention policy does not suggest specific periods. Rather, it provides a framework for specifying those periods. Given the diversity and complexity of the issues affecting retention periods, you are likely (even if you are a lawyer) to need to take specialist legal advice on some or all aspects of retention periods when editing this data retention policy.
Where the organisation is acting as a controller in relation to personal data, then retention periods, or the basis of calculating retention periods, should also be disclosed directly to data subjects. Accordingly, you should review your organisation's privacy policies and data protection information notices once retention periods have been decided.
As this is a management-level policy, it is not designed to form part of a staff handbook.
Data retention policy contents
- Introduction: purpose of data retention policy; background to data retention policy.
- Definitions: definitions (appointed person, deletion).
- Data retention, archiving and deletion: obligation to archive and delete data; exceptions to data archiving periods; exceptions to data deletion periods; legal hold instructions.
- Data subject to contractual deletion obligations: categories of data that are subject to contractual deletion obligations; deletion of confidential information; deletion of processed personal data; register of contractual deletion obligations.
- Default archiving and deletion methods: default archiving methods; default deletion methods.
- Reviewing and updating this policy: persons responsible for reviewing and updating policy; annual review of policy; ad hoc review of policy; matters to be considered during review of policy.
SCHEDULE 1 (DATA RETENTION PERIODS)
- Introduction: introduction to data deletion periods; order of precedence of sections in part.
- Permanent data: retention and archiving: definition of permanent data; no deletion of permanent data; archiving periods for sub-categories of permanent data; archiving methods for permanent data.
- Corporate data: retention, archiving and deletion: definition of corporate data; storage of corporate data; archiving periods for corporate data; archiving periods for sub-categories of corporate data; archiving methods for corporate data; deletion periods for corporate data; deletion periods for sub-categories of corporate data; deletion methods for corporate data.
- Accounting data: retention, archiving and deletion: definition of accounting data; storage of accounting data; archiving periods for accounting data; archiving periods for sub-categories of accounting data; archiving methods for accounting data; deletion periods for accounting data; deletion periods for sub-categories of accounting data; deletion methods for accounting data.
- Payroll data: retention, archiving and deletion: definition of payroll data; storage of payroll data; archiving periods for payroll data; archiving periods for sub-categories of payroll data; archiving methods for payroll data; deletion periods for payroll data; deletion periods for sub-categories of payroll data; deletion methods for payroll data.
- Health data: retention, archiving and deletion: definition of health data; storage of health data; archiving periods for health data; archiving periods for sub-categories of health data; archiving methods for health data; deletion periods for health data; deletion periods for sub-categories of health data; deletion methods for health data.
- Employee data: retention, archiving and deletion: definition of employee data; storage of employee data; archiving periods for employee data; archiving periods for sub-categories of employee data; archiving methods for employee data; deletion periods for employee data; deletion periods for sub-categories of employee data; deletion methods for employee data.
- Property data: retention, archiving and deletion: definition of property data; storage of property data; archiving periods for property data; archiving periods for sub-categories of property data; archiving methods for property data; deletion periods for property data; deletion periods for sub-categories of property data; deletion methods for property data.
- Intellectual property data: retention, archiving and deletion: definition of intellectual property data; storage of intellectual property data; archiving periods for intellectual property data; archiving periods for sub-categories of intellectual property data; archiving methods for intellectual property data; deletion periods for intellectual property data; deletion periods for sub-categories of intellectual property data; deletion methods for intellectual property data.
- Insurance data: retention, archiving and deletion: definition of insurance data; storage of insurance data; archiving periods for insurance data; archiving periods for sub-categories of insurance data; archiving methods for insurance data; deletion periods for insurance data; deletion periods for sub-categories of insurance data; deletion methods for insurance data.
- Contract data: retention, archiving and deletion: definition of contract data; storage of contract data; archiving periods for contract data; archiving periods for sub-categories of contract data; archiving methods for contract data; deletion periods for contract data; deletion periods for sub-categories of contract data; deletion methods for contract data.
- Supplier data: retention, archiving and deletion: definition of supplier data; storage of supplier data; archiving periods for supplier data; archiving periods for sub-categories of supplier data; archiving methods for supplier data; deletion periods for supplier data; deletion periods for sub-categories of supplier data; deletion methods for supplier data.
- Customer data: retention, archiving and deletion: definition of customer data; storage of customer data; archiving periods for customer data; archiving periods for sub-categories of customer data; archiving methods for customer data; deletion periods for customer data; deletion periods for sub-categories of customer data; deletion methods for customer data.
- Service data: retention, archiving and deletion: definition of service data; storage of service data; archiving periods for service data; archiving periods for sub-categories of service data; archiving methods for service data; deletion periods for service data; deletion periods for sub-categories of service data; deletion methods for service data.
- Electronic communications data: retention, archiving and deletion: definition of electronic communications data; storage of electronic communications data; archiving periods for electronic communications data; archiving periods for sub-categories of electronic communications data; archiving methods for electronic communications data; deletion periods for electronic communications data; deletion periods for sub-categories of electronic communications data; deletion methods for electronic communications data.
- Residual data: retention, archiving and deletion: definition of residual data; storage of residual data; archiving periods for residual data; archiving periods for sub-categories of residual data; archiving methods for residual data; deletion periods for residual data; deletion periods for sub-categories of residual data; deletion methods for residual data.