
Keep data on the right side of the law

22 Sep 2009, Rosemary Jay, Computing

http://www.computing.co.uk/ctg/feature/1843972/keep-law


Businesses need to store data for a number of different commercial and practical reasons and the impact on a business if it destroys important data can be significant.

For example, certain data may need to be kept by human resources to ensure that if there is a dispute or claim from an existing or ex-employee, the relevant information is available. Similarly, a contractual relationship with a supplier or customer may result in the need for information being retained so the parties have records of equipment or goods sold or supplied, again in the event of a dispute.

Certain documents and items of information may also need to be kept for statutory reasons, for example records under the Companies Act 1985 and 2006 such as those concerned with the keeping of accounting and shareholder records.

Companies may also need to keep records relating to insurance policies and issues, in some cases for a long period or permanently where there is a potential claim under the policy.

An organisation may be forgiven for thinking that it should keep as much information and data received and produced as possible for as long as possible. The widespread availability and ease of use of email and differing document production packages within organisations has encouraged this retention. However, assessing how and under what circumstances an organisation retains data can be extremely beneficial to the development of good records management techniques.

Although the practical implementation of good records management may differ between hard copy and electronic copy information, data retention principles do not. The issues regarding creation, retention, identification, and retrieval of data are the same whether data is held in a physical or electronic form.

Key legislation
Specific legislative measures will impact on what and for how long data is retained. These include the Companies Acts 1985 and 2006, Data Protection Act 1998, Freedom of Information Act 2000, Limitation Act 1980 and Finance Acts. These various legislative provisions differ in whether they set any retention periods for data, and businesses should consider each in turn.

Each of the Companies Acts 1985 and 2006 sets out specific retention periods for certain documents and records. These more commonly relate to accounting and financial records and to both current and historical records regarding shareholders and their respective shares.

The Data Protection Act 1998 (DPA) regulates how organisations should handle personal data – meaning data that relates to a living individual who can be identified.

Organisations processing personal data must do so in accordance with eight core principles. Of particular relevance to data retention are Principle 5 – personal data should not be stored for longer than necessary – and Principle 7 – technical and organisational measures should be taken to prevent unauthorised or unlawful processing, loss or damage to personal data.

The DPA does not set out specific timeframes for how long specific types of personal data should be kept. It is therefore up to the individual organisation to determine how long certain personal data should reasonably be held for, although reference may be made to guidance produced by organisations in respect of specific types of data.

Public authorities will be required to retain information that is accessible under the Freedom of Information Act 2000 (FOIA). However, private companies should also consider whether certain information they hold should be retained because of this legislation. Following a recent consultation, it was decided not to extend FOIA to some private-sector organisations; however, whether FOIA should apply to certain private-sector organisations performing a public service will be kept under review.

In addition, where a private-sector organisation is contracting with a public authority, it may have a contractual obligation to provide information it holds on behalf of that authority within a certain timeframe to ensure the authority can meet its obligations under FOIA.

The Limitation Act 1980 sets out the time limits for the commencement of a claim and it is sensible to take into account these limits when deciding how long to keep information. General contractual claims can be brought up to six years after a breach or event of default and therefore documents relating to a contract should ideally be kept for six years after the contract is terminated. A 12-year period is advisable for deeds as the limitation period is longer.

Security and disposal of data
Businesses must always consider the security and confidentiality of data they hold. This is relevant both to retention and disposal of data. An organisation should always consider the potential damage caused by a data security breach.

When considering the security and disposal of personal data, an organisation processing personal data will be required to comply with the Principle 7 obligations set out above. Appropriate technical and organisational measures will include implementing tools such as firewalls, anti-virus software, disaster recovery planning and training of staff. Where a third party is appointed to provide these services there should be a contract in place that stipulates these data protection requirements and additionally, a mechanism to ensure compliance with these provisions, such as a right of audit.

Disposal of all data, whether personal or otherwise, should be done securely and should have regard for the sensitivity or confidentiality of the information. For example, contractual or confidential documents should ideally be shredded.

Accessibility of data
It is good business practice to know where data is located and stored in order to run a business cost-effectively on a day-to-day basis. Subject access requests under the DPA also highlight the cost benefits of good document management, as the data subject can only be charged £10 for the retrieval of personal data regardless of the actual cost. Requests must also be satisfied within 40 days of receipt of the query, regardless of the size of the organisation or number of employees.

Next steps
Organisations that create and retain large amounts of data should consider putting in place a defined document retention and deletion protocol. This will aid in ensuring compliance with the provisions set out above and ensure that data is stored securely and is easily accessible in the event of a dispute or subject access request. The Chartered Institute of Personnel and Development produces guidance on document retention that should prove useful in this regard.

Rosemary Jay is partner and head of the information law practice at international law firm Pinsent Masons

© Incisive Media Investments Limited 2012, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093