Retention – What’s the secret formula?
Intangibles always seem to generate the biggest concerns and the matter of retention of documents is right up there amongst them.
The Data Protection (Jersey) Law 2018 does not, nor can it, prescribe the definitive retention formula for personal information. If the law defined retention as one year or fifteen years as blanket approaches, groans could be heard from one side of the Bailiwick to the other as, for example, the small beautician salon is burdened with retaining client data for years beyond their usefulness or point of accuracy. Similarly, the large family hotel required to jettison all the personal information they collect and use on an annual basis would be excused for openly weeping as their customer information is deleted at the beginning or end of a season. So how does an organisation figure out the magic retention formula? Is there a formula or secret ingredient? Let us consider this for a moment, reflecting on the intense scene in Kung Fu Panda where Po is faced with a shocking truth:
Mr Ping: The secret ingredient is... nothing!
Mr Ping: You heard me. Nothing! There is no secret ingredient.
Po: Wait, wait... it's just plain old noodle soup? You don't add some kind of special sauce or something?
Mr Ping: Don't have to. To make something special you just have to believe it's special.
[Po looks at the scroll again, and sees his reflection in it]
Po: There is no secret ingredient...
Po realises his perceived magic ingredient is his own understanding and reality. Organisational retention schedules, just like the legendary dragon scroll which contains the secret to ‘limitless power’, are bespoke and specific to each organisation and the personal information they process. That said, there is a special ingredient when it comes to retention, and it is vital. Every data controller must have a clear understanding of the personal information they process – what they collect and how they collect it, how it is used, who it may be shared with, how its accuracy is maintained, where it is stored and, of course, why they have it: the basis for processing.
The Data Protection (Jersey) Law 2018 specifies that personal information must ‘be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed’. Retention can feel overwhelming and in desperate need of that secret. Instead, look back to your personal information ‘audit’ or, at the simplest, list out the personal information you have. You should know what personal information you collect and use in the course of your business or charity, not forgetting customer, staff, supplier or stakeholder information. Track through what you do with it and why you have it. Your secret ingredient is beginning to come to life.
Organisations, businesses and charities will also be subject to other legislative and regulatory requirements which will shape their retention schedules, for example taxation provisions, contract law, and health and safety. If you keep personal information to comply with requirements like these, you will not usually be considered to have kept the information for longer than necessary, but you should be able to justify why you have kept information for a particular length of time.
Looking back to the fundamental data protection principle of being fair, transparent and lawful, retention provisions should reflect a proportionate approach, balancing your needs with the impact of retention on individuals’ privacy. Don’t forget that your retention of the data must also always be fair and lawful. It is also good practice to review your retention of personal data at regular intervals before the end of the standard retention period, especially if that period is lengthy or there is potential for a significant impact on individuals.
Remember that Po, in his quest to become the all-elusive dragon warrior, afforded his quest time, acquired a good mentor and got the job done.
- We know what personal data we hold and why we need it;
- We carefully consider and can justify how long we keep personal data;
- We have a policy with standard retention periods where possible, in line with documentation obligations;
- We regularly review our information and erase or anonymise personal data when we no longer need it;
- We have appropriate processes in place to comply with individuals’ requests for erasure under ‘the right to be forgotten’;
- We clearly identify any personal data that we need to keep for public interest archiving, scientific or historical research, or statistical purposes.
*JOIC welcomes suggestions for future blog topics. Have you got a suggestion? Please email firstname.lastname@example.org