Data Retention Policy: How Long Should You Keep Records?

All organisations generate information about their Customers, Staff, Suppliers, Finances and so on. It can become confusing when trying to decide what would be an ‘appropriate’ length of time to retain the information kept within an organisation.

Of course, such length of time should be in-line with business requirements, Data Protection Legislation and Statutory Duty – but what does that mean?

Here’s some guidance on how to approach your Data Retention Policy…

Why Have a Data Retention Policy?

You may not have a dedicated Data Retention Policy, but it is still important to consider how long you intend to keep records, how you will protect them, and then how you will securely dispose of records when they are no longer required.

Therefore, the policy on retention of data may be contained within other company policies for example a Data Protection Policy or a Records Management Policy.  

How ever you document the Retention Policy, it is important to be clear and communicate the policy to those in the organisation and other interested parties.

Deciding on what your policy is should be done with these two things in mind:

  1. What is the Legal Obligation placed on the organisation to keep records?
  2. What is the Organisation’s Requirement to have the records?

Legal Obligations

Data Protection Requirements for Personal Identifiable Information

Principle 5 of the Data Protection Act 1998 states that data should be retained “no longer than necessary for the purpose you obtained it”.

This means thinking carefully about the purpose for which you have obtained personal information and ensuring that the data subject has given consent.

Statutory Obligations for Health, HR and Financial Information

There are other statutory obligations including health surveillance data which should be kept for “40 years from the date of last entry”.

This is because health surveillance is often implemented in areas where there is a risk to health, and it can take a significant period of time before ill-effects are seen.

More on Health Data: http://www.hse.gov.uk/health-surveillance/record-keeping/index.htm

Data such as employee personal records, performance appraisals, employment contracts and so on, should be held for 6 years after an employee has left the organisation.

More on HR Data: https://www.peoplehr.com/blog/index.php/2014/05/20/how-long-should-employee-records-be-kept-for/

Financial data for both Limited Companies and Sole Traders should also be kept for 6 years from the end of the last financial year.  HMRC notes that you can currently be fined £3000 or be disqualified as a director if you fail to keep accounting records.

More on Accounting Records: https://www.gov.uk/running-a-limited-company/company-and-accounting-records

Organisational Requirements

Aside from your legal obligations, the data generated by your organisation has an inherent value in providing your products and services to your customers, so it should be protected and controlled.

There are also many opportunities to learn from the information created in the organisation, including Product Development and Process Improvement.

Control of Documented Information in ISO

The recent transition to Annex SL Based Management System standards have moved away from the term ‘Records’, replacing it with clause 7.5 ‘Control of Documented Information’.

However, the principle is the same and organisations should define their approach to managing documented information including processes for creating, reviewing, protecting and of course, retaining data.

For help with Data Protection Compliance or ISO Management Systems please contact Assent.