| Author: | Alasdair Taylor |
|---|---|
| Updated: | 28 March 2018 |
| Length: | 20 pages |
| Notes: | 7 pages |
| Format: | MS Word (.DOCX) |

This document helps organisations to systematise their policies and procedures with regard to the deletion and archiving of information, including both electronic and manual records.
The motive behind the creation of many retention policies is the General Data Protection Regulation (GDPR), which regulates the processing of personal data. However, because in practice personal and non-personal data are not easily separable, this template covers both.
The relevant data will have to be categorised in order for the policy to be used effectively. Although this policy includes a set of proposed categories, it is advisable to adjust the categorisation scheme to the relevant organisation.
Under the GDPR, personal data should only be retained by an organisation for so long as necessary for particular and lawful purposes. However, the duration of data retention will be influenced by other legal requirements: many pieces of legislation require that data be retained for minimum periods. When determining retention periods, the possibility that data will be needed to pursue or defend legal matters should also be considered. Limitation periods will be relevant here.
Because the applicable data retention periods will differ substantially from one institution to another, this policy does not suggest particular periods; instead, it provides the structure for defining those periods.
Where an organisation acts as a controller with regard to personal data, it will need to disclose directly to data subjects the retention periods or the way they are calculated, usually by way of a privacy policy or data protection information notice.
This is a management-level policy and is not designed to be part of a staff handbook.