For those of you looking at the Accuracy Principle (Art 5(1)(d)) and the Storage Limitation Principle (Art 5(1)(e)) and wondering where to start updating your retention schedule, stop right there. You’re already way ahead of a lot of organisations. In relation to records management, the GDPR principles are not materially different to the existing principles under the 1995 Directive.
I’m often asked whether I know if the NHS Code of Practice for Records Management 2016 or the IRMS Schools Toolkit V5 is being updated in line with GDPR, and my response is: “What part of it would you like to be updated?”, at which point a tumbleweed passes between us. The only things that may need to change with GDPR are where the 1998 Act is mentioned, which is basically a wording update, and the review of any research data, as you have the ability to retain data for longer if it is for research purposes – that said, all retention periods in a retention schedule are a minimum and are subject to review. So no, published retention schedules are very unlikely to change in the near future, or at least not because of GDPR.
GDPR does not set out any specific minimum or maximum periods for retaining personal data. Instead, the ‘Accuracy Principle’ says:
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
Combined with the Storage Limitation Principle (Art 5(1)(e)), in practice this means that you will need to:
- review the length of time you keep personal data;
- consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
- securely delete information that is no longer needed for this purpose or these purposes; and
- update, archive or securely delete information if it goes out of date.
When creating a retention schedule, the dates you give are a guideline for when you expect to destroy the information, but like any sensible professional you must review records before automatically destroying them, because you may find that they are active again, have a further purpose or have historical importance.
This isn’t to say that you should not look at retention scheduling at all if you do not have a schedule. Get one. Start with the free resources I mentioned above, because even if you aren’t a school or an NHS body, you will certainly have corporate records with the same retention periods, and then you only have to focus on getting the retention periods for your actual service or specialist area. I’m part of the authoring team for the two documents I speak of, so I highly recommend them as a starting point. Once you break the back of producing such a policy, it becomes much easier.
Retention periods are created by first looking for a statutory or legal instrument or regulatory requirement, then considering whether you are keeping the information longer than necessary (in line with data protection), and then considering business best practice and historical importance. Historical importance is why you involve archivists and records managers in the making of a retention schedule: they have the know-how.
Moreover, once you have a completed schedule, please make sure it has an escalation point and is signed off by senior management. The organisation needs to agree that you can start the shredder after a while, because records, after all, are extremely important and worth keeping.
Whilst we’re on the topic, organisations should obviously consider the expanded set of rights data subjects enjoy under the GDPR – I’ve been on the unfortunate end of a very strange HR webinar in which the delegates were told they would need to delete HR data if requested, but the exemptions were not mentioned, causing people to flap – just because there is a right to erasure doesn’t mean it is automatically granted that an organisation has to destroy the information. Otherwise, everyone would be walking up to the police and the tax man asking them to get rid of any data about them. People can ask you, but that doesn’t mean it actually has to happen.
Erasure (Article 17) only applies to processing under the legal basis of consent, and only partially applies to Contract Necessity, Vital Interests, Legitimate Interests and Member State Law. It does not apply to Legal Obligation or Public Interest processing. On top of it not applying to legal obligation and public interest, there are exemptions from erasure such as freedom of expression, archiving in the public interest, scientific, historical or statistical research, and legal claims (also see Article 12). It only partially applies in the situations where the records are no longer necessary, the records are irrelevant, they are out of date, they are being unlawfully processed, or you have a legal obligation to erase.
So no, just because someone requests erasure doesn’t mean it actually has to happen, and people should calm down about looking for updated retention schedules and actually start putting them into action. Focus on getting authorisation to destroy records that are past retention, as I’ve seen many records being kept ‘just because’ or ‘out of sight, out of mind’ in offsite storage somewhere, or because an information asset register hasn’t been completed so nobody knew they had them in the first place.
GDPR should stand for Good Documented Practice (with) Records, so here is your opportunity to sort out the records management in your organisation. You cannot be compliant with GDPR if you don’t know what you have, why you have it and how long you need to keep it.