Data Protection Rule 7
Retention of personal data
- section 2(1)(c)(iv) of the Act
Nowadays information can be kept cheaply and effectively on computer. This requirement places a responsibility on data controllers to be clear about the length of time for which data will be kept and the reason why the information is being retained. If there is no good reason for retaining personal information, then that information should be routinely deleted. Information should never be kept "just in case" a use can be found for it in the future.
You should pay particular attention to old information about former customers or clients, which might have been necessary to hold in the past for a particular purpose, but which you do not need to hold any longer. If you would like to retain information about customers to help you provide a better service to them in the future, you must obtain the customers' consent in advance. The same applies to paper records. Good housekeeping would also dictate that your regularly review the need to retain records.
Retention of personal data: Test Yourself
You should be able to answer YES to the following questions:-
- Is there a defined policy on retention periods for all items of personal data kept?
- Are there clerical and computer procedures in place to implement such a policy?
- Is information about old customers routinely purged from our systems?
Practical steps
Assign specific responsibility to someone for ensuring that files are regularly purged and that personal information is not retained any longer than necessary.
Some Case Studies relevant to this topic:
The following Case Studies, which have appeared in Annual Reports of the Data Protection Commissioner over recent years, may be of some interest. Click on the Case Study details to see the full text.
| MENU | Select Page No. | <- Previous Next -> |
