Intangibles always seem to generate the biggest concerns and the matter of retention of documents is right up there amongst them.
The Data Protection (Jersey) Law 2018 does not, nor can it, prescribe the definitive retention formula for personal information. If the law defined retention as one year or fifteen years as a blanket approach, groans could be heard from one side of the Bailiwick to the other as, for example, the small beautician salon is burdened with retaining client data for years beyond their usefulness or point of accuracy. Similarly, the large family hotel required to jettison, on an annual basis, all the personal information they collect and use would be excused for openly weeping as their customer information is deleted at the beginning or end of a season.
So how does an organisation figure out the magic retention formula?
Organisational retention schedules are bespoke and specific to each organisation and the personal information they process. In some instances, as in the legal profession, the regulator will specify the minimum period of time that client files must be retained.
Every data controller must have a clear understanding of the personal information they process – what they collect and how they collect it, how it is used, who it may be shared with, how its accuracy is maintained, where it is stored and of course why they have it – the basis for processing. Retention is a vital part of risk management.
The Data Protection (Jersey) Law 2018 specifies that personal information must ‘be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed’. You should know what personal information you collect and use in the course of your business or charity, not forgetting customer, staff, supplier or stakeholder information. Track through what you do with it and why you have it.
Organisations, businesses and charities will also be subject to other legislative and regulatory requirements, which will shape their retention schedules; for example, taxation provisions, contract law, and health and safety. If you keep personal information to comply with requirements like these, you will not usually be considered to have kept the information for longer than necessary, but you should be able to justify why you have kept information for a particular length of time.
Looking back to the fundamental principle that data protection must be fair, transparent and lawful, retention provisions should reflect a proportionate approach, balancing your needs with the impact of retention on individuals’ privacy. Don’t forget that your retention of the data must also always be fair and lawful. It is also good practice to review your retention of personal data at regular intervals before the standard retention period ends, especially if that period is lengthy or there is potential for a significant impact on individuals.
Retention is part of risk management, good records management and data protection compliance.
For more guidance, contact the Jersey Office of the Information Commissioner.