Setting Up a Document Retention Policy for Your Business
If your office filing cabinets, cupboards and desks are overflowing with paper, or if your archive storage bills are mounting as old paperwork gathers cobwebs in a distant warehouse, it may be time to look at how you’re managing document retention.
Although the Data Protection Act (DPA) doesn’t set out specific minimum or maximum periods for retaining personal data, it does set standards that you must meet before you can use (or ‘process’) this information. The DPA is governed by eight principles. Particularly relevant to document retention are principles 3, 4 and 5, which outline your responsibility for ensuring that any personal data you hold is adequate, relevant, accurate, up-to-date and not excessive, and that data is not kept for longer than is necessary for the purpose for which it was collected.
A document retention policy will help ensure that the DPA principles can be clearly understood and followed by everyone in your organisation, and it is key in ensuring a secure and efficient flow of information within any business.
So what does this mean in real terms for your business? And what are the advantages of having a retention policy in place?
In practice, it means you will need to:
- Set out your own guidelines for how long certain key types of documents should be held
- Follow established standard guidelines to the letter when keeping data for specific purposes (for example, tax records, banking information, company records, etc.); contact the ICO and/or your relevant trade organisation for their recommended guidelines
- Consider the purpose you hold the data for when deciding whether (and for how long) you need to retain it
- Put in place secure destruction procedures for deleting/destroying information that is no longer needed
- Delete, update or archive information if it goes out of date
- Keep the retention policy up-to-date to reflect changing business needs and new legislation
The advantages of a retention policy are manifold. There will be less risk of not adhering to data protection legislation requirements (unwittingly or otherwise), and less risk of data loss and information security breaches. If you keep data for too long, it is difficult to ensure its accuracy and relevancy and there is a chance this out-of-date information may be used in error. It is also inefficient for a business to hold more information than is necessary.
A document retention policy also helps foster good business practices, including:
- Regular reviews of the data being held
- Established standard retention periods for the different categories of information held
- Taking professional rules and regulatory requirements into account
- Compliance with the law
- Regular audits of the policy to ensure the organisation keeps to the specified retention periods
- Secure disposal or archiving of data
For more information on this subject, the ICO website is a useful resource. They provide detailed guidance on document retention and deleting personal data, and set out how organisations can ensure compliance with the DPA and its principles when archiving or deleting personal information.
You can also learn more about the basics of document and data retention in our handy guide.