In the course of an employment relationship, staff often share with their employers significant, and sensitive, personal data.

Employers are data controllers in respect of data which they process about their staff, and have a duty to securely destroy or anonymise personal data once it is no longer needed.


We have set out below some top tips for organisations looking to assess or improve their data retention practices.

Data retention practices should be informed, at every stage, by the reason the organisation is holding the personal data. Under Article 6 of the UK GDPR, there are six lawful bases for processing personal data:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests

There are additional requirements where an organisation is holding special category data or criminal offence data.

“Special category data” refers to the more sensitive types of personal data, such as data revealing racial or ethnic origin, political opinions or religious beliefs, and data concerning health or sexual orientation. In these instances, organisations must identify both an Article 6 lawful basis as set out above and an additional “condition” for processing under Article 9 of the UK GDPR.

Similarly, in relation to criminal offence data, organisations must identify both an Article 6 lawful basis, plus a specific processing condition in Schedule 1 of the Data Protection Act 2018, though there is an exception to this where the organisation has official authority to process criminal offence data (e.g. Disclosure Scotland or the courts).

Data controllers are required under the UK GDPR to adhere to the principle of “data minimisation”, meaning that the personal data they hold must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

Make sure that for every type of personal data you hold, you can identify why it is necessary to retain that data. Organisations should avoid holding any additional data “just in case”, as this is in breach of the principle of data minimisation.

Data controllers must not keep personal data, in a form which permits identification of individuals, for longer than is necessary for the purpose for which it was collected. This is known as the principle of “storage limitation” under the UK GDPR.

When the personal data is no longer required, it should be deleted or anonymised.

The UK GDPR does not prescribe retention periods, so what is appropriate is a matter of judgement for the organisation holding the data. Taking account of the lawful basis identified, the organisation must assess how long it will need the information for that purpose.

For example, an employer will need to hold various types of personal data relating to employees, such as contact details, sickness records, bank details and emergency contacts. When the employment comes to an end, some of that information will no longer be required and should be deleted. Some information may need to be retained, e.g. to defend possible future legal claims. However, that information should be limited to what is strictly necessary for that purpose and should be deleted once it is no longer needed for that purpose.

Organisations may also be under a legal/statutory duty to hold personal data for certain periods (e.g. telecoms providers must hold data for certain periods under the Investigatory Powers Act 2016).

There may be industry standard retention periods in some cases. For example, credit reference agencies typically retain consumer credit data for six years. While reference to industry standards does not guarantee compliance with the UK GDPR, it can be a helpful guide as to what is a reasonable retention period.

The organisation should establish fixed time limits, after which periodic review and deletion/anonymisation is actioned. A retention schedule is the best way to capture this in one place and to demonstrate compliance with the UK GDPR.

In order to demonstrate that it is complying with its data protection obligations under the UK GDPR, it is essential for an organisation to adopt a data retention and disposal policy.

The policy should set out, among other things, the categories and type of data the organisation holds and how that information will be stored and destroyed and/or anonymised when it is no longer required. The retention schedule should be appended to the wider policy.

The UK GDPR requires controllers and processors to maintain a record of processing activities (known as a ROPA). For data controllers, this includes, where possible, the envisaged time limits for erasure of the different categories of data. There is clear overlap between this and the information contained in a data retention schedule or policy. Connecting the ROPA with the retention policy and retention schedule is sensible to avoid duplication or inconsistency.

The key to the effectiveness of any policy is applying it visibly and consistently, and to do that you need buy-in from senior stakeholders.

Appoint someone within the organisation to take ownership of the policy and have responsibility for carrying out periodic compliance checks and audits. This is key to ensuring that the policy is being adhered to and data is being disposed of and/or anonymised in accordance with its terms and the terms of the retention schedule.

Where an organisation processes personal data about its employees, it must provide them with information regarding that processing by way of a privacy notice or privacy policy.

There are various statutory requirements in terms of what that notice should contain (set out in Articles 13 and 14 of the UK GDPR) and this includes information relating to retention periods.

The privacy notice should either set out what the retention periods are, or explain the criteria used to determine the period, where the period of retention depends on other factors.

Staff should also be trained in relation to their obligations under the data retention and disposal policy.

Training should be regularly refreshed and must go beyond signposting the policy on commencement of employment. In cases of a data subject complaint or a data breach, employers should be able to show that meaningful training has been given to employees to help them understand their obligations in terms of data retention and data protection principles more generally.

It is important to ensure that staff know how to report breaches of policy and that they are aware of the potential implications if they breach the policy. If the organisation decides that it may treat a breach of the policy as a disciplinary matter, the relevant policies (for example, the disciplinary policy) should confirm that.

Deletion of potentially relevant data should be paused immediately if litigation is contemplated, if the organisation is on notice that a regulatory investigation may be commenced, or if it receives any other regulatory request.

Be mindful of any automated deletion processes which may be in effect and consider building in appropriate review processes to avoid inadvertent disposal of information which may be relevant to a litigation or investigation.

It is good practice to issue a document preservation notice to relevant employees, confirming the categories of data which should be retained throughout the duration of the period that the litigation/investigation is ongoing.
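The two practices above, a retention schedule with fixed time limits and a pause on deletion once a preservation notice is in force, are easy to state and easy to get wrong when disposal is automated. The following is an added example, not code from the original article, showing a schedule-driven disposal job in which a legal hold overrides the schedule. The retention periods, category names, record fields and the hold structure are all assumptions chosen for illustration and are not legal advice; the sample records are constructed. `naive_decision` is the schedule-only logic a typical deletion job implements, and `decision` is the same logic with the hold check that the caveat above calls for.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Assumed retention schedule: category -> (period after employment ends,
# disposal action once that period expires). Periods are illustrative only.
RETENTION_SCHEDULE: Dict[str, Tuple[timedelta, str]] = {
    "bank_details": (timedelta(days=0), "delete"),
    "emergency_contact": (timedelta(days=0), "delete"),
    "sickness_record": (timedelta(days=3 * 365), "anonymise"),
    "contract_of_employment": (timedelta(days=6 * 365), "delete"),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    employee_id: str
    category: str
    employment_end: Optional[date]  # None while the person is still employed


@dataclass(frozen=True)
class LegalHold:
    """A document preservation notice (assumed structure).
    An empty set means the hold applies to all employees / all categories."""
    hold_id: str
    employee_ids: FrozenSet[str] = frozenset()
    categories: FrozenSet[str] = frozenset()

    def covers(self, record: Record) -> bool:
        return (not self.employee_ids or record.employee_id in self.employee_ids) and (
            not self.categories or record.category in self.categories
        )


def naive_decision(record: Record, today: date) -> str:
    """Schedule-only logic, as an unguarded automated deletion job applies it.
    Returns 'retain', 'review', 'delete' or 'anonymise'. It will dispose of
    data that is under a hold, which is exactly the failure to avoid."""
    if record.category not in RETENTION_SCHEDULE:
        return "review"  # no schedule entry: never dispose silently, flag it
    if record.employment_end is None:
        return "retain"
    period, action = RETENTION_SCHEDULE[record.category]
    return action if today >= record.employment_end + period else "retain"


def decision(record: Record, holds: Iterable[LegalHold], today: date) -> str:
    """Schedule plus hold override: a matching hold pauses any disposal."""
    outcome = naive_decision(record, today)
    if outcome in ("delete", "anonymise") and any(h.covers(record) for h in holds):
        return "hold"
    return outcome


def plan_disposal(records: Iterable[Record], holds: Iterable[LegalHold],
                  today: date) -> Dict[str, str]:
    holds = list(holds)
    return {r.record_id: decision(r, holds, today) for r in records}


# Constructed sample data: three leavers, one current employee, one hold.
SAMPLE_RECORDS: List[Record] = [
    Record("r1", "E100", "bank_details", date(2023, 12, 31)),
    Record("r2", "E100", "sickness_record", date(2023, 12, 31)),
    Record("r3", "E200", "bank_details", date(2023, 12, 31)),
    Record("r4", "E300", "emergency_contact", None),
    Record("r5", "E100", "interview_notes", date(2023, 12, 31)),
    Record("r6", "E100", "contract_of_employment", date(2017, 1, 1)),
]
SAMPLE_HOLDS: List[LegalHold] = [
    LegalHold("HOLD-2024-01", employee_ids=frozenset({"E200"})),
]
RUN_DATE = date(2024, 6, 1)


def demo_naive() -> Dict[str, str]:
    return {r.record_id: naive_decision(r, RUN_DATE) for r in SAMPLE_RECORDS}


def demo_with_holds() -> Dict[str, str]:
    return plan_disposal(SAMPLE_RECORDS, SAMPLE_HOLDS, RUN_DATE)


if __name__ == "__main__":
    for rid, (before, after) in zip(demo_naive(), zip(demo_naive().values(),
                                                     demo_with_holds().values())):
        print(f"{rid}: schedule only -> {before:9s} with holds -> {after}")
```

Two design points matter more than the specifics. First, a category missing from the schedule is routed to review rather than deleted or kept by default, so a new HR system field cannot slip past the schedule in either direction. Second, the hold check sits in the disposal path itself rather than in a separate report, so adding a preservation notice to the hold list is sufficient to stop the job, which is the "pause" the text requires.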

It can sometimes be difficult to get senior-level engagement on the issue of data retention. However, getting it wrong can have serious, and potentially costly, consequences.

Firstly, if an employee is concerned about the way in which their employer is handling their personal data, they have statutory rights under the UK GDPR to request erasure or rectification of that data, or restriction of the way in which the employer processes it. They can also make a data subject access request to understand more about what personal data their employer is processing. Organisations must be prepared in advance for handling requests of this nature.

Secondly, individuals can complain to the UK’s data regulator, the Information Commissioner’s Office (ICO) if they are unsatisfied with the way in which their personal data is being processed. An ICO investigation can be extremely revealing in terms of an organisation’s approach to data privacy as a whole, and sanctions from the ICO range from reprimands, to enforcement notices, to fines of up to £17.5 million or 4% of worldwide annual group turnover, whichever is higher.

Thirdly, there is a growing trend in data privacy litigation across the UK, including group litigation. Data subjects are increasingly conscious of their rights, and there is a fairly large market of legal firms offering to litigate on behalf of individuals whose personal data has not been properly protected by the data controller, particularly in the context of cyber breaches. If an employer suffers a cyber attack, during which employee personal data which ought to have been deleted was stolen, the prospects of successfully defending the action may be reduced.
