Data Protection - Staff Handbook
11. Fifth Principle - Retention and Disposal of Data
11.1 Personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose or those purposes.
11.2 This principle covers the retention of data for the purpose concerned and its subsequent disposal.
11.3 No data must be kept for longer than is necessary to carry out the purpose concerned. The length of time will vary greatly with the type of data being held; in some cases it might be appropriate to retain it for only a very short time, in other cases it might be necessary to retain it indefinitely. Some retention periods are even governed by statute. The important point is that a retention policy should be devised by the data users concerned for each main purpose for which data is held and procedures put in place to ensure that it is carried out. It might also be useful to inform data subjects of the policy at the time of collection of the data; it is certainly something which should be made known to data subjects on request. Advice on appropriate retention periods can be obtained from the Records Manager.
11.4 Once a retention policy is in place, appropriate procedures to dispose of the data must also be put in place. Security is very important in the disposal of personal data and this should be borne in mind. Consideration should be given to the shredding of manual data while computer data must be completely eliminated, minimally by reformatting or over-writing.