While many businesses and public organisations in the UK are familiar with GDPR - the European Union's General Data Protection Regulation - some still struggle to fully understand the concept of document retention periods and how they might apply to a particular industry or type of data.
Do you know, for example, how long a bank should retain an individual’s accounting details after they cease to be a customer? Furthermore, is that duration legally mandatory or simply a recommended guideline that is at the discretion of the bank’s compliance officer? And finally, does a bank’s retention period differ from a hospital’s or a school’s, or do all institutions - public or private, handling sensitive or non-sensitive data - have to follow the same rules as everyone else?
If you find yourself in a position of uncertainty - in response to any or all of the above questions - you are not alone. In fact, just 34% of EU citizens can claim to have a clear understanding of what the data protection legislation entails.
In this blog post, we will explore what is meant by the term ‘retention periods’ and outline why it is considered to be a cornerstone of GDPR compliance. We will also discuss how retention periods are determined, the factors that influence them, and why they often differ from one industry to another.
As a starting point, let’s define what we mean by retention periods.
A retention period is the length of time that an organisation is expected to store data relating to an identifiable individual as dictated by legal standards, industry best practice, and the needs of the business. The retention period typically starts at the moment the data is collected (such as when a website visitor gives their permission to allow cookies or submits a form) and continues until it is no longer needed for the original purpose for which it was collected or when your legal obligation to store it expires.
Throughout the retention period you - as the custodian - are expected to maintain the integrity, confidentiality and accessibility of the data, preventing unauthorised access whilst also encouraging the ‘data subject’ to exercise their rights over their personal data.
Generally speaking, there is no single rule for how long you are legally obligated to store data according to GDPR. Instead, the EU legislation simply requires the data controller (you) to store it for as long as is strictly necessary to complete the task for which the data was gathered in the first place. Once the data has fulfilled its purpose and is no longer needed, most forms can be responsibly disposed of, completing the lifecycle of data management.
Putting the concept of legally storing data for only as long as it is strictly necessary into practice, if you collect an individual’s contact information for a competition that you are running, it would be inappropriate to hold onto it for several years after the competition comes to an end. It might, in fact, be considered a breach of GDPR rules, leaving you liable to potential fines and even legal action.
Beyond that general legal responsibility to store an individual’s data for only as long as it serves an authorised purpose, specific industries often establish retention periods of their own.
Retaining medical files - such as appointment notes, test results, scans, and dental records - for a longer period of time gives doctors and other professionals access to a patient’s previous medical history, often making diagnosis far easier than it would be if no such records were kept beyond the duration of an illness or injury. Furthermore, this kind of data contributes towards potential research that could help others in the future.
It is for these two reasons that the NHS advises facilities and personnel within the Trust to retain medical files for - typically - eight years after a patient’s last treatment. GP records, on the other hand, are retained for far longer (until 10 years after the patient’s death). The British Medical Association also requires maternity records to be kept for 25 years after the birth of the last child, and children’s records to be stored until the patient’s 25th birthday (or 26th birthday if the young person was 17 at the conclusion of treatment), or for 8 years after death.
According to The Strategic Partner - who say that a ‘robust records management strategy is crucial for law firms due to the volume of sensitive documents they handle’ - the retention period for legal documents is agreed to be at least six years. That duration is determined by the Limitation Act 1980 which outlines the time limits within which certain legal actions can be brought.
A six-year minimum storage period might seem like the end of the matter, but it is in fact quite a bit more complicated. Client Due Diligence documents should be retained for at least five years; insurers often ask that legal documents be retained for seven years; the six-year retention period for minors starts only when they reach 18 years of age; and files related to claims of negligence should be kept for 15 years.
The minimum retention period that you, as a law firm, need to adhere to is six years, but it is important to get tailored guidance depending on the specific data that you are handling.
Documents relating to education are second only to medical files in terms of sensitivity. Depending on the institution, the data might relate to minors, so an element of safeguarding exists that must be taken very seriously.
It is, therefore, perhaps no surprise that nurseries, schools, academies, colleges and universities are all subject to strict record retention requirements. But the retention requirements vary depending on the type of data being handled, as well as where the institution is located. For example, in Kent, the county council asks educators to store examination papers for six years after they have been taken, a pupil’s educational record for 25 years after the child’s date of birth, a school admission appeal for two years after the appeal has been resolved, and certain daily registers for six years after the date they were taken. On the other hand, schools in Essex are likely to be given slightly different guidance, and the same goes for those in London’s different boroughs.
If you are a limited company, government guidelines state that you must keep records ‘for at least 6 years from the end of the last company financial year they relate to, or longer if:
For all other organisations that handle personal data, the general agreed-upon retention period is six years for tax returns, financial statements and accounting records, and a minimum of three years for HR documents like an employee’s hours worked, any disciplinary paperwork, and records of absences.
With so many files and rules within different industries and districts, most educators, businesses, medical practitioners and institutions have two options: store files indefinitely, potentially breaching their GDPR obligation to keep data only for as long as it serves its purpose, or approach specialist document management consultants who are familiar with the nuances of retention periods and retention schedules.
For a new organisation navigating the world of data management, the prospect can be a daunting one. It is, therefore, a good idea to speak to experienced professionals who can make the task far more manageable, storing only the data you need whilst confidentially destroying that which is obsolete.
If you would like to know more about your specific data retention obligations, speak to our team today.