Data Retention Requirements in the United Kingdom

Data retention is a part of a broader practice of records management, which entails the supervision and administrative management of hard-copy and electronic records. Proper records management is considered a best practice for any organization, while it’s mandatory in highly regulated industries.

When it comes to electronic records, here are some general data retention requirements:

• The data should be kept in a secure, reliable and non-editable format.
• The methods of record-keeping need to allow quick access, search and retrieval of digital documents for compliance and legal purposes.
• The storage space should be reduced through automatic deletions of all the records that no longer need to be preserved.

In the US, several major industries are strictly regulated, and various government and industry-unique laws and regulatory bodies (FINRA, SEC, GLBA, SOX, FOIA, FERPA and others) provide guidelines for the retention and disposal of email and other electronic communication records.

In the UK, there are 2 major data retention laws – the Data Protection Act (DPA)/GDPR and the Freedom of Information Act. By taking a closer look at these laws, we’ll try to answer the most common questions about data retention requirements in the UK and whether data archiving is mandatory.

Data retention laws and requirements in the United Kingdom

The Data Protection Act / UK GDPR (2018)

The 2018 Data Protection Act is the UK’s implementation of the EU’s GDPR (General Data Protection Regulation) and it controls how an individual’s personal data is used by the government, businesses and organizations.

Any business or government entity that has access to or uses personal data needs to abide by the following data protection principles:

• They need to ensure fair, lawful and transparent usage of personal data.
• The data can be used for previously specified purposes only.
• The data should be kept accurate and up to date.
• The data should be limited to only what is necessary and retained no longer than necessary.
• The entity needs to ensure that there are appropriate measures in place when it comes to security, including “unlawful or unauthorised processing, access, loss, destruction or damage”.

Protected data and sensitive information about an individual include a variety of biometric and personally identifiable information. The UK GDPR defines personal data as “an identifier such as a name, an identification number, location data” and other online identifiers like an email address). There are different categories of of personal data, with stronger protection for more sensitive information like sex and sexual orientation, race, ethnicity, health information, religious beliefs, political stance etc.

Under the DPA, individuals have the right to know how and what information the government and businesses are handling, processing and storing. You also have the right to have your data deleted or object if your data is being used for profiling – for instance, to predict your interests, purchasing decisions or behavior.

You can get more information about the UK GDPR here.

Freedom of Information Act (2000)

The UK Freedom of Information Act (2000) provides members of public access to the information held by the public authorities – government departments, the NHS, state schools, local authorities and the police. Types of records covered by the UK FOIA include paper documents and photos, but also digital records like emails, images, telephone and video recordings.

The foundational principle of the FOIA is that the public has the right to know about the activities of public authorities. Anyone can make a FOIA request – individuals, journalists, NGOs, companies or whistleblowers/employees of the public authority which is receiving the request. Public authorities need to publish relevant information proactively. They also normally have 20 working days to respond to a request for information.

You can learn more about the UK Freedom of Information Act here.

There two laws mean that the government, public authorities and businesses need to be able to accomplish what we’ve outlined in the introduction:

• Store data in an organized manner and in a format that allows easy search and production.
• Have data retention and data disposal policies in place in order to retain data in line with the relevant laws while adhering to the principles of data minimization (keep only the personal information that is relevant and necessary for a particular purpose and retain it only for as long as necessary, not longer)
• Minimize potential for breaches, theft and unauthorized access to personal, protected and business-critical information.

Other laws, regulations and data retention best practices

There are other UK data retention regulations that control specific sectors or types of data.

BS ISO 15489-1:2016 is the international standard that provides a framework for record-keeping for companies. It defines metadata for records, specifies details of monitoring, as well as the creation, retention, management and disposal of records.

The Limitations Act is another piece of legislation which controls retention periods for contracts and agreements and stipulates that the retention period should be “the length of the employee’s contact plus 6 years after they leave.”

The (EU) Data Retention Directive and the Investigatory Powers Act are two controversial pieces of legislation that deal with the retention of communications data in the EU and the United Kingdom.

Under the proposed EU Data Retention Directive, it would be obligatory for EU member states to store citizens’ communications data (telephone records, SMS, email and web data) for 6-24 months, depending on the type of record. However, the Directive was annulled in 2014 by the European Court of Justice as violating fundamental human rights. Similarly, the UK’s Investigatory Powers Act would give public authorities “power to access vast databases of personal phone and computer data”.

All in all, we’re seeing a lot of conflicting interests in terms of respecting an individual’s privacy and the need to retain some communications data, which only highlight the need to carefully examine all the relevant regulations that apply to a particular organization or business and involve a legal expert when designing data retention policies.

Still, both the Data Protection Act 2018 and Freedom of Information Act 2000 have highlighted that it is timely to adopt more formal policies for data archiving. The laws impose significant fines and reputational penalties for failing to lawfully process and safeguard personal data.

One thing is certain – organizations in regulated industries in the UK (Transportation, Oil and Gas, Construction, Health, Education, Financial etc.) need to a define data retention and data disposal policy to reflect the retention laws and meet data protection obligations mandated by the government.

What is a data retention policy?

A data retention policy is an established protocol that organizations use to specify the types of data that will be archived, how long it needs to be retained for regulatory, legal and organizational purposes and define data disposal schedules based on relevant government and industry regulations.

Here are some basic rules and steps when creating a data retention plan:

• Explore all relevant regulations and define data retention schedules to reflect the retention periods specified by laws (e.g. In the financial sector, the Financial Conduct Authority (FCA) demands that email records be available for 6 years).
• Get your IT, legal and compliance departments together in the same room. You’ll need technology experts to evaluate software, legal counsel to decipher the regulations and compliance officers for input on audits, inspections and your unique ecosystem and needs. The main aim of the data retention policy is to protect your business while providing efficiency for all your departments.
• Do not limit your data retention policy to email only. Make a list of all electronic channels used for work communication and include them in your records retention plan. Consider chat apps like WhatsApp, SMS or official social media channels used to communicate with the public like Facebook or Twitter.
• Remember that under the Civil Procedures Rules, it’s possible to make a claim for breach of contract within 6 years, so make sure that your records management policy addresses this as well.
• Digital continuity is key. Consider the formats that will be used to store and export records. Remember that all records need to be stored together with metadata that will be used to prove record authenticity and integrity.
• Consider the storage systems used for the retention of records. Long retention periods go hand in hand with the risk of record and storage medium deterioration.
• Check for automatic data deletion at the end of its lifecycle. Targeted and automatic data purging after the defined retention periods expire will limit your liability, create fresh storage and minimize human error (known to be the number one reason for data breaches and loss).
• Be ready for edisclosure. Companies need to be ready to quickly segregate, freeze and produce electronic records (including email and chat app) for an ediscovery request. Which brings us to the next point.
• Get an ediscovery/data archiving solution. It’s perhaps wiser to opt for a cloud data archiving software in order to prevent record degradation issues and accommodate massive data growth.
• When choosing a data archiving system, pay attention to the following software features:

1. 1. Search speed, together with a wide variety of search criteria, settings and ease of use and retrieval.
   2. Export formats (direct export to PDF is a bonus for smaller, day-to-day exports)
   3. Redaction (you might need to redact personally identifiable and sensitive information prior to disclosure)
   4. Configurable retention policies, since it’s not always wise to have a single, organization-wide data retention policy. Flexibility will allow you to define a larger number of policies based on record types and departments.
   5. Access controls, to limit user access to the archived data and unauthorized access and misuse of sensitive, business-critical, personal or protected information.
   6. Technical support, if anything goes awry.

Conclusion

To sum it all up, it’s becoming a priority to be able to locate all types of structured and unstructured data reliably and swiftly, while carefully balancing between data retention and data privacy laws.

Unless the processes, systems and data retention policies are effectively designed, organizations risk facing penalties. 60% of companies in a recent Bluesource research highlighted “better speed of searching, filtering and retrieval” as the key areas of improvement when it comes to their compliance and ediscovery efforts, as well as GDPR requests.

About the Author

Bojana Krstic

Bojana Krstic is the Head of Content and SEO at Jatheon and an experienced writer on topics like data archiving, ediscovery, and compliance. When AFK, you’ll find her hiking, discovering new music, or road-tripping.