June 04, 2024 by Bojana Krstic

Data Retention Requirements in the United Kingdom

When discussing the concept of data retention policy in the UK, we should first outline that data retention is part of a broader practice of records management, which entails the supervision and administrative management of hard-copy and electronic records.

Proper records management is considered a best practice for any organization, while it’s mandatory in highly regulated industries.

To help you understand this topic and stay compliant with all the local regulations, this guide will cover:

  • General data retention requirements
  • Legal requirements for document retention in the UK
  • Specific data retention policy in the UK
  • Best practices for complying

General Data Retention Requirements

When it comes to electronic records, here are some general data retention requirements:

  • The data should be kept in a secure, reliable, and non-editable format.
  • The methods of record-keeping need to allow quick access, search, and retrieval of digital documents for compliance and legal purposes.
  • The storage space should be reduced through automatic deletions of all the records that no longer need to be preserved.

In the U.S., several major industries are strictly regulated, and various government and industry-specific laws and regulatory bodies (FINRA, SEC, GLBA, SOX, FOIA, or FERPA) provide guidelines for the retention and disposal of email and other electronic communication records.

Data Retention Laws and Requirements in the United Kingdom

There are two major data retention laws in the UK:

  • Data Protection Act (DPA)/GDPR
  • Freedom of Information Act (FOIA)

By taking a closer look at these laws, we’ll try to answer the most common questions about data retention policy in the UK, such as what the data retention periods in the UK are and whether data archiving is mandatory.

The Data Protection Act / UK GDPR (2018)

The 2018 Data Protection Act (DPA) is the UK’s implementation of the EU’s GDPR (General Data Protection Regulation), and it controls how an individual’s personal data is used by the government, businesses, and organizations.

Any business or government entity that has access to or uses personal data needs to abide by the following data protection principles:

  • Ensure fair, lawful, and transparent usage of personal data.
  • Use data for previously specified purposes only.
  • Keep data accurate and up to date.
  • Retain data no longer than necessary.
  • Ensure that there are appropriate measures in place when it comes to security, including “unlawful or unauthorized processing, access, loss, destruction or damage.”

Protected data and sensitive information about an individual include a variety of biometric and personally identifiable information.

The UK GDPR defines personal data as “an identifier such as a name, an identification number, location data,” and other online identifiers like an email address. There are different categories of personal data, with stronger protection for more sensitive information like sex and sexual orientation, race, ethnicity, health information, religious beliefs, political stance, etc.

Under the DPA, individuals have the right to know how and what information the government and businesses are handling, processing, and storing.

You also have the right to have your data deleted or object if your data is being used for profiling — for instance, to predict your interests, purchasing decisions, or behavior.

You can get more information about the UK GDPR data retention legislation here.

The Freedom of Information Act (2000)

The UK Freedom of Information Act (2000), or FOIA, provides members of the public with access to the information held by public authorities — government departments, the NHS, state schools, local authorities, and the police.

The types of records covered by the UK FOIA include paper documents and photos, as well as digital records like emails, images, telephone recordings, and video recordings.

The foundational principle of the FOIA is that the public has the right to know about the activities of public authorities.

Anyone can make a FOIA request — individuals, journalists, NGOs, companies, or whistleblowers and employees of the public authority receiving the request. Public authorities need to publish relevant information proactively and normally have 20 working days to respond to a request for information.

You can learn more about the UK Freedom of Information Act here.

These two laws mandate that the government, public authorities, and businesses need to be able to accomplish what we’ve outlined in the introduction:

  • Capture and store data in an organized manner and in a format that allows easy search and production.
  • Have data retention and data disposal policies in place to retain data in line with the relevant laws while adhering to the principle of data minimization, i.e., keep only the personal information that is relevant and necessary for a particular purpose and retain it no longer than necessary.
  • Minimize the potential for breaches, theft, and unauthorized access to personal, protected, and business-critical information.

Other Data Retention Laws and Regulations in the UK

Some of the most notable UK data retention regulations that control specific sectors or types of data include:

BS ISO 15489-1:2016

This is an international standard that provides a framework for creating, capturing, and managing records. It outlines the principles and requirements necessary to ensure that records are reliable, authentic, and easily accessible.

The standard emphasizes the importance of effective records management practices to support organizational activities, ensure legal compliance, and preserve historical records.

Additionally, it defines metadata as structured information that describes, explains, locates, or otherwise makes it easier to retrieve, use, or manage an information resource.

The Limitation Act 1980

When crafting a data retention policy in the UK, it’s crucial to consider the implications of the Limitation Act 1980. This law sets statutory time limits for initiating various legal actions, directly influencing how long certain types of data should be retained.

For instance, under this legislation:

  • Contractual data must be kept for at least six years after the termination or expiration of the contract.
  • Tort and negligence claims require a similar six-year retention period to ensure that records related to potential tort claims are available if needed.
  • Personal injury data should be retained for a minimum of three years from the date of injury or knowledge of the injury.
  • Property records and land claims follow a longer limitation of at least 12 years.

The (EU) Data Retention Directive and the Investigatory Powers Act

There are two controversial pieces of legislation that deal with the retention of communications data in the EU and the United Kingdom.

Under the proposed EU Data Retention Directive, it would be obligatory for EU member states to store citizens’ communications data (telephone records, SMS, email, and web data) for 6–24 months, depending on the type of record.

However, the Directive was annulled in 2014 by the European Court of Justice as violating fundamental human rights.

Similarly, the UK’s Investigatory Powers Act (IPA), dubbed the “Snooper’s Charter,” gives public authorities “power to access vast databases of personal phone and computer data.” Additionally, telecommunications operators are required to retain Internet Connection Records (ICRs) and other metadata for up to 12 months. These records include details of websites visited, email headers, and IP addresses, but not the content of communications.

It’s clear there are a lot of conflicting interests in terms of respecting an individual’s privacy and the need to retain some communications data. This only highlights the need to carefully examine all the relevant regulations that apply to a particular organization or business and involve a legal expert when designing data retention policies.

Still, the Data Protection Act 2018 and Freedom of Information Act 2000 have highlighted the need to adopt more formal policies for data archiving. The laws impose significant fines and reputational penalties for failing to lawfully process and safeguard personal data.

One thing is certain — organizations in regulated industries in the UK (Transportation, Oil and Gas, Construction, Health, Education, Financial, etc.) need to define a data retention and data disposal policy to reflect the retention laws and meet the government’s data protection requirements.

Post-Brexit GDPR data retention legislation

Since Brexit, there have been some changes to the UK’s data protection framework, which resulted in the adoption of the UK GDPR, a version largely based on its EU counterpart but with some modifications. The UK GDPR is complemented by the Data Protection Act 2018, which continues to govern how personal data should be handled in the UK.

One significant post-Brexit development was the introduction of the Data Protection and Digital Information Bill (DPDI Bill), which aimed to provide businesses with more flexibility in using personal data while reducing compliance burdens. For example, it proposed statutory definitions for processing data for scientific, historical, or statistical research, potentially easing some requirements for these activities. Additionally, it sought to replace the role of the Data Protection Officer with a Senior Responsible Individual, who would be required to be part of the organization’s senior management. However, the Bill did not complete its passage through Parliament before the 2024 general election and was subsequently withdrawn.

Another notable change is the ability of the UK government to establish so-called “data bridges” with other countries to facilitate international data transfers by recognizing third countries that offer adequate data protection standards. This makes it easier for UK organizations to transfer data internationally without additional compliance hurdles.

What is a data retention policy?

A data retention policy is an established protocol that organizations use to:

  • Specify the types of data that will be archived,
  • Specify how long each type needs to be retained for regulatory, legal, and organizational purposes,
  • Define data disposal schedules based on relevant government and industry regulations.

How to create an effective data retention policy?

  • Explore all relevant regulations and define data retention schedules to reflect the retention periods specified by regulations (e.g., in the financial sector, the Financial Conduct Authority (FCA) demands that email records be available for 6 years.)
  • Get your IT, legal, and compliance departments together in the same room. You’ll need technology experts to evaluate software, legal counsel to decipher the regulations, and compliance officers for input on audits, inspections, and your unique ecosystem and needs. The main aim of the data retention policy is to protect your business while providing efficiency for all your departments.
  • Do not limit your data retention policy to email only. Make a list of all electronic channels used for work communication and include them in your records retention plan. Consider chat apps like WhatsApp, SMS, or official social media channels used to communicate with the public, like Facebook or Twitter.
  • Remember that under the Civil Procedure Rules, it’s possible to make a claim for breach of contract within 6 years, so make sure that your records management policy addresses this as well.
  • Digital continuity is key. Consider the formats that will be used to store and export records. Remember that all records need to be stored together with metadata that will be used to prove record authenticity and integrity.
  • Consider the storage systems used for the retention of records. Long retention periods go hand in hand with the risk of record and storage medium deterioration.
  • Check for automatic data deletion at the end of its lifecycle. Targeted and automatic data purging after the defined retention periods expire will limit your liability, create fresh storage, and minimize human error (known to be the number one reason for data breaches and loss).
  • Be ready for edisclosure. Companies need to be able to quickly segregate, freeze, and produce electronic records (including email and chat app records) in response to an ediscovery request. Which brings us to the next point.
  • Get an ediscovery/data archiving solution. It’s perhaps wiser to opt for cloud data archiving software to prevent record degradation issues and accommodate massive data growth.
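To show how the steps above fit together in practice, here is a small retention-schedule evaluator. It is an added illustration, not code from Jatheon or from any product mentioned in this article. The retention periods are the ones quoted in the article (six years for contract and tort records and for FCA email, three years for personal injury, twelve years for property); the record types, IDs, dates, and the "as of" date are constructed for the example. It demonstrates three things a policy engine has to get right: a legal hold (the "freeze" for edisclosure) always overrides automatic purging, a record whose type has no defined schedule is never auto-purged, and a leap-day trigger date does not shorten the period.

```python
"""Retention-schedule evaluator (added example; not Jatheon's code)."""
from dataclasses import dataclass
from datetime import date

# Retention periods in years, as quoted in the article. The record-type
# names are assumptions made for this example.
RETENTION_YEARS = {
    "contract": 6,         # Limitation Act 1980: contract claims
    "tort": 6,             # Limitation Act 1980: tort / negligence claims
    "personal_injury": 3,  # Limitation Act 1980: personal injury
    "property": 12,        # Limitation Act 1980: property / land claims
    "fca_email": 6,        # FCA: email records available for 6 years
}


@dataclass
class Record:
    record_id: str
    record_type: str
    trigger_date: date      # contract end, date of injury, message date, ...
    legal_hold: bool = False  # frozen for edisclosure / litigation


def disposal_date(record: Record) -> date:
    """Earliest date on which the record may be disposed of."""
    years = RETENTION_YEARS[record.record_type]
    trigger = record.trigger_date
    try:
        return trigger.replace(year=trigger.year + years)
    except ValueError:
        # Trigger was 29 February and the target year is not a leap year:
        # round forward to 1 March so the period is never shortened.
        return date(trigger.year + years, 3, 1)


def evaluate(record: Record, today: date) -> str:
    """Return 'hold', 'retain', or 'dispose' for one record."""
    if record.legal_hold:
        return "hold"  # a freeze always wins over the schedule
    if record.record_type not in RETENTION_YEARS:
        return "retain"  # fail safe: no schedule means no automatic purge
    return "dispose" if today >= disposal_date(record) else "retain"


def purge_plan(records, today: date) -> dict:
    """Group record IDs by the action the policy allows on `today`."""
    plan = {"dispose": [], "retain": [], "hold": []}
    for record in records:
        plan[evaluate(record, today)].append(record.record_id)
    return plan


# Constructed sample inventory; the as-of date is the article's publication date.
AS_OF = date(2024, 6, 4)
SAMPLE_RECORDS = [
    Record("CTR-001", "contract", date(2017, 5, 1)),          # period ended 2023-05-01
    Record("INJ-002", "personal_injury", date(2022, 1, 10)),  # runs until 2025-01-10
    Record("PRP-003", "property", date(2010, 3, 15), legal_hold=True),  # expired but frozen
    Record("EML-004", "fca_email", date(2016, 2, 29)),        # leap-day trigger -> 2022-03-01
    Record("HR-005", "hr_file", date(2001, 1, 1)),            # no schedule defined
]

if __name__ == "__main__":
    for action, ids in purge_plan(SAMPLE_RECORDS, AS_OF).items():
        print(f"{action:8s} {', '.join(ids) or '-'}")
```

Running the block lists CTR-001 and EML-004 as disposable, INJ-002 and HR-005 as retained, and PRP-003 as held. In a real deployment the "dispose" list would feed the archive's purge job, and the "hold" and "retain" reasons would be logged so an auditor can see why a record survived past its scheduled date.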

What to look for in a data archiving solution

When you’re shopping for data archiving software, pay attention to the following:

  • Search speed and flexibility. Choose a solution with efficient search algorithms that allow users to quickly identify specific records, even within vast datasets.
  • Multiple export formats. Ensure the software supports various export options, including direct export to PDF (essential for smaller, day-to-day exports) for easy sharing and other formats like CSV, XML, and PST to meet diverse reporting and analysis needs.
  • Redaction capabilities. Look for a tool that offers automated and customizable redaction features. This will save you a lot of time you’d otherwise spend manually removing personally identifiable and sensitive information before data disclosure.
  • Configurable retention policies. Since it’s not always wise to have a single, organization-wide data retention policy, it’s important to be able to define a larger number of policies based on record types and departments.
  • Role-based access controls. Opt for a solution with robust role-based access control to restrict who can reach the archived data and to prevent unauthorized access to, and misuse of, sensitive, business-critical, personal, or protected information.
  • Reliable technical support. Choose a provider that offers 24/7 technical support, lots of resources, and training to ensure smooth operation and quick resolution of any issues.

Summary of the Main Points

Here’s a TL;DR version to quickly recap what we’ve learned:

  • Data retention is an essential aspect of records management, involving the supervision and administration of both hard-copy and electronic records. It’s considered best practice for any organization and mandatory in regulated industries.
  • General data retention requirements include secure and reliable storage, quick access and retrieval, and automatic deletion.
  • The main data retention laws in the UK are the Data Protection Act (DPA), which is the UK’s implementation of the GDPR, and the Freedom of Information Act (FOIA).
  • Other relevant pieces of legislation include BS ISO 15489-1:2016, the Limitation Act 1980, and the Investigatory Powers Act.
  • Post-Brexit changes to the data retention regulations are the introduction of the UK GDPR and data bridges. The proposed DPDI Bill wasn’t adopted.
  • Having an effective data retention policy in place is essential for staying compliant with all these laws and avoiding penalties.
  • Implementing a data archiving solution can help you navigate all the complexities of the UK GDPR retention requirements.

Jatheon is a global leader in on-premise and cloud data archiving solutions with proven experience in working with organizations in regulated environments and countries like the United States, Canada, the United Kingdom, and the EU. If you are a UK organization looking to retain your business email, social media, WhatsApp, chat apps, or phone records for GDPR, DPA, FCA, and other compliance and legal requirements, check out our cloud data archiving software or reach out to us directly for more information, a custom quote, or a free, no-commitment demo.

FAQ

What is the maximum length of time you can hold data for?

According to the UK GDPR, there’s no specific time limit for how long you can keep personal data. However, you must be able to justify the length of time you retain data and ensure it’s not kept longer than necessary for the purposes for which you collected and processed it.

What are the penalties for violating legal requirements for document retention in the UK?

These include fines of up to £8.7 million or 2% of annual global turnover for less severe breaches and up to £17.5 million or 4% of annual global turnover for serious infringements. Additionally, organizations suffer reputational damage, such as losing customer trust and potential business opportunities.

Does GDPR still apply in the UK?

The EU GDPR is an EU Regulation that no longer applies to the UK.

What is the UK equivalent to GDPR?

If you operate inside the UK, you need to comply with the Data Protection Act 2018 (DPA 2018), also known as the UK GDPR.

Is there a difference between GDPR and UK GDPR?

While the UK GDPR largely mirrors the EU GDPR, there are minor variations in areas like data breach notification requirements and exemptions for certain public authorities.

What are the UK GDPR principles?

These are UK GDPR principles to follow: fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, and accountability.

About the Author
Bojana Krstic
Bojana Krstic is the Head of Content and SEO at Jatheon and an experienced writer on topics like data archiving, ediscovery, and compliance. When AFK, you’ll find her hiking, discovering new music, or road-tripping.