Keep data on the right side of the law

Businesses need to store data for a number of different commercial and practical reasons and the impact on a business if it destroys important data can be significant.

For example, certain data may need to be kept by human resources to ensure that if there is a dispute or claim from an existing or ex-employee, the relevant information is available. Similarly, a contractual relationship with a supplier or customer may result in the need for information being retained so the parties have records of equipment or goods sold or supplied, again in the event of a dispute.

Certain documents and items of information may also need to be kept for statutory reasons, for example records under the Companies Act 1985 and 2006 such as those concerned with the keeping of accounting and shareholder records.

Companies may also need to keep records relating to insurance policies and issues, in some cases for a long period or permanently where there is a potential claim under the policy.

An organisation may be forgiven for thinking that it should keep as much information and data received and produced as possible for as long as possible. The widespread availability and ease of use of email and differing document production packages within organisations has encouraged this retention. However, assessing how and under what circumstances an organisation retains data can be extremely beneficial to the development of good records management techniques.

Although the practical implementation of good records management may differ between hard copy and electronic copy information, data retention principles do not. The issues regarding creation, retention, identification, and retrieval of data are the same whether data is held in a physical or electronic form.

Key legislation
Specific legislative measures will impact on what and for how long data is retained. These include the Companies Acts 1985 and 2006, Data Protection Act 1998, Freedom of Information Act 2000, Limitation Act 1980 and Finance Acts. These various legislative provisions differ in whether they set any retention periods for data, and businesses should consider each in turn.

Each of the Companies Acts 1985 and 2006 sets out specific retention periods for certain documents and records. These more commonly relate to accounting and financial records and to both current and historical records regarding shareholders and their respective shares.

The Data Protection Act 1998 (DPA) regulates how organisations should handle personal data ­ – meaning data that relates to a living individual who can be identified.

Organisations processing personal data must do so in accordance with eight core principles. Of particular relevance to data retention are Principle 5 ­ – personal data should not be stored for longer than necessary ­ – and Principle 7 – ­ technical and organisational measures should be taken to prevent unauthorised or unlawful processing, loss or damage to personal data.

The DPA does not set out specific timeframes for how long specific types of personal data should be kept. It is therefore up to the individual organisation to determine how long certain personal data should reasonably be held for, although reference may be made to guidance produced by organisations in respect of specific types of data.

Public authorities will be required to retain information that is accessible under the Freedom of Information Act 2000 (FOIA). However, private companies should also consider if certain information they hold should be retained due to this legislation. Following a recent consultation, it was decided not to extend FOIA to some private-sector organisations, however whether FOIA should apply to certain private-sector organisations performing a public service will be kept under review.

In addition, where a private-sector organisation is contracting with a public authority, it may have a contractual obligation to provide information it holds on behalf of that authority within a certain timeframe to ensure the authority can meet its obligations under FOIA.