How long should I keep personal data? How long is a piece of string…
We are often asked by clients how long they should or can keep personal data in their control and largely our answer is that it should not be kept for longer than is necessary for the purposes for which they are holding the data. Such an answer reflects the fifth data protection principle enshrined in the Data Protection Act 1998 (the Act) by which all data controllers must abide but it is often as useful an answer for clients as if we had replied to them, "how long is a piece of string….?"
It is commonly the case with data protection queries that there is no black and white answer to what should or shouldn't be done given the way in which the over-arching EU Directive (95/46/EC) and the Act are constructed. They are drafted in a general way so as to enable a huge range of circumstances to be covered under the general principles and to be technology and fact neutral. That flexibility is very beneficial in many circumstances and helps with the longevity of the legislation but it can also leave lawyers and clients alike without a definitive answer to a particular query in some situations; something not always appreciated by those involved.
Another difficulty in this area is the fact that, unlike most of the other eight data protection principles where the Act provides interpretation of what those principles entail for data controllers, no such interpretation is given for the fifth principle. It was perhaps thought to be fairly self-explanatory but we are accordingly left to look at general guidance given by the ICO on the topic, industry or sector norms, or legal or regulatory requirements in order to answer the question. This may seem like a burdensome and challenging task but, considered properly in the context of a detailed assessment, it will generally provide a robust answer to the question of how long should you keep personal data within your particular organisation. And, perhaps more surprisingly for some readers, it may allow a much longer retention period than you might expect as can be seem from the recent case of R v Northumberland County Council and The Information Commissioner  EWHC (Admin) 2134.
The facts of the case largely did not impact on the decision, but they focused on a judicial review claim against Northumberland County Council that sought the destruction of various child protection papers held by the Council about the claimant's family, an order quashing the Council's child protection records policy and/or a declaration that the policy was unlawful. The individual papers relating to the claimant's family were subsequently destroyed by the Council upon request and so could no longer be used in relation to forming any decisions about his family. However, following on from that particular instance, the Council had requested one of its senior managers to consider and advise on the period for which child protection papers should be retained in general going forwards and it was this policy upon which the judgment focused.
The manager consulted widely with relevant bodies in the sector, considered the statutory framework in which the Council's child protection teams operated, reviewed the purposes for which the data was held but also reviewed wider less obvious purposes for which data may be required long into the future. Having done so, he submitted a policy paper for review and following consideration by the relevant committees within the Council it was approved. This policy was to retain such papers for 35 years after the case to which they related was closed, unless the child is or became looked after e.g. in foster care (in which case they were retained for 75 years from the date of the child's birth) or the child was adopted (in which case they were retained from 100 years from the date of the adoption order).
The claimant brought a claim objecting to such a policy and the ICO was given leave to intervene as an interested party, given their extensive experience and authority in data protection matters. (Somewhat peculiarly, the ICO originally gave its blessing to the policy before changing its mind at the time of the judicial review being brought and this seemed to have been one of the deciding though not determinative factors on the part of the judge). The arguments brought by the parties focussed on the length of time the papers were to be held and the purposes for which they would be held; the latter largely informing the former.
Arguments were brought for the claimant and the ICO that these types of papers should only be kept for such periods of time as relevant to the individual case in hand e.g. for 6 years after the child turned 18 and for the purposes of the Council being able to defend itself against any claims that children involved might bring against it. Only if the facts of any particular case merited longer retention should papers of this nature be kept. However, for the defendant, it was argued (and argued successfully) that the purposes for which child protection papers might be held a party such as the Council were much wider. These included the interests of now grown-up children wanting to come back to find out information about their birth families or siblings (if they had been adopted) or wanting information about their past to help come to terms with abuse they may have suffered (having understandably not be able to or wanting to do so while much younger) or the Council being able to track patterns of abusive behaviour that would not have been evident from isolated instances (were data about possible previous similar occurrences to have been destroyed).
The claimant and the ICO also argued that the Council should undertake periodic reviews of their archives to see whether retained papers should be destroyed but the judge was of the opinion that such a suggestion would involve a disproportionate use of labour and unproductive use of resources which would be better devoted to protecting children. Their suggestion that the Council could also carry out such a review at the end of the suggested 6 year period after the 18th birthday to consider whether papers should be retained was also rejected by the judge on the basis that trying to predict future utility would be cumbersome and burdensome and would necessarily err on the side of caution. He also pointed out that such a policy would overlook one of the wider purposes for which the Council wanted to retain data i.e. to search for any patterns of undesirable behaviour.
Having considered all of the arguments, the judge rejected the claim and concluded that the Council's policy was in accordance with the law, carefully considered, adapted to the purposes for which it was required and was applied proportionately and flexibly.
So, what does this mean for other organisations considering their data retention policies? It doesn't, of course, mean that data can be held for as long as liked and for purposes that were perhaps not apparent or pointed out at the point of collection of the data. However, it does highlight the fact that organisations are free to set their own policies that are tailored to their specific needs and requirements without being subject to prescriptive legislative regimes that may simply not be suitable.
For organisations looking to create or update their retention or destruction policies, an analysis of your particular needs should therefore be carried out looking at:
- the current and future value of the data you hold or want to retain
- the costs, risks and liabilities associated with retaining the data and
- the ease or difficulty of making sure it remains accurate and up to date (if not being held for research, historical or statistical purposes).
- Combining that analysis with a review of
- what the data is used for (including possible future uses)
- the surrounding circumstances
- any legal or regulatory requirements that determine the retention period eg as for medical records, social work records etc and
- agreed industry practices
- this should lead organisations to a sound, justifiable policy that sets out what you will hold, how you will hold it and how long it will be retained.