How long must a business keep personal data for? The third instalment of our series on data protection.
How long does the business need to keep personal data for?
The Data Protection Act 1998's fifth data protection principle requires that personal data is not kept for longer than is necessary, and what is necessary depends on your specific circumstances.
For this reason, your business will need a data retention policy to determine how long each type of data can be kept for, and to ensure that it is disposed of in a secure manner at the end of that period.
Bear in mind that you may well need to retain data for a period of time after your relationship with the individual has ceased, for example to defend potential legal claims and for taxation purposes.
The crucial factor is to be able to justify why you are holding on to the information, as it is not acceptable to retain it "just in case".
How long you retain personal data is likely to depend on:
- what the information is used for;
- the surrounding circumstances, eg, when the relationship with the customer has ended;
- legal or regulatory requirements; and
- agreed industry practice.
Tomorrow: Are we allowed to transfer our customer data abroad?
Peter Harthan is a solicitor at Riverview Solicitors.