Fifth Principle - time for keeping data

"Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes"

The Data Protection Act does not state any period of time for data retention - this is due to the fact that retention periods will vary between different organisations and for different types of data.

In many cases the retention period is determined by legislation relevant to the nature of the information.

Regard should be had to statute and any specific provisions relating to the retention of data of a particular type, e.g. contracts, accounting, or health and safety records etc.

Information does not therefore have to be deleted once a relationship ends if it necessary to retain that information for further purposes, e.g. an employment record.

Only in exceptional and justifiable circumstances should data be held indefinitely.

There should be a system in place for removal of different categories of data from systems when, for example, only a limited record needs to be retained.

The fifth principle applies to both manual and electronic records and data controllers should adopt a systematic review policy for personal data and delete information if it is no longer required.

Data retention policies and review schedules for different categories of personal data are important to assist with compliance with this principle.

The Information Commissioner frequently receives questions related to data retention. Whilst the Act does not specify any time periods, there are numerous resources based on UK legislative requirements and industry best practice standards available on the internet. Such resources may provide a suitable starting point for developing a data retention and destruction policy, not only for 'personal data' but also for other types of business documentation.

These resources, whilst not endorsed by the Commissioner, include the Isle of Man Financial Supervision Commission, the UK's National Archives and the Chartered Institute of Personnel and Development and the UK Government's BusinessLink. Other resources are also available.

Further guidance on the fifth data protection principle is available below.