Protecting personal information extends to the methods of its storage and destruction. Whether you like it or not, it’s part of the legal framework. The question is how to do this in a way that works for you, not whether you follow the guidance.
So, let’s get the geeky bit out of the way early and refer to the parts of the legal framework that cover these aspects.
- The principle of Storage Limitation.
- The principle of Integrity & Confidentiality.
- The rights to:
  - be informed.
  - have access.
  - Data Portability.
So, as an organisation, you will have to balance these aspects against your risk appetite, or against the guidance from your professional body, if they issue any.
Let’s look at each topic briefly.
How long can I store personal information before it’s destroyed?
You’re going to hate this, but… it depends. The length of time you store information depends on the purpose you collected it for in the first place and what is attached to that process. Here are two examples:
I know I mentioned this only last week, but for the purpose of Track & Trace the storage period is just 21 days. That’s really short.
I have supported people that supply products with a 25-year guarantee. So, they would need to store any personal details a lot longer to support any potential claim under that guarantee.
Lastly, no matter how long you store it for, it must stay in a state where it can be accessed, and read, until its destruction date.
How secure does the storage need to be?
There’s more actual guidance available here, but there’s still an element of choice. In my mind’s eye, the options range from putting a padlock around something to using a bank vault. Excessive? Not really.
Always remember that the essence of the regulation is that you take appropriate steps to protect an individual from having their rights and freedoms impacted.
Nevertheless, the one thing you must appreciate is that certain types of data require more secure methods of storage. The two types of data mentioned in the regulation for this type of treatment are Special Category Data and data relating to children.
Again, how you do it is up to you. However, the larger or more sophisticated your organisation is, the more sophisticated the ICO will expect your processes to be.
What is the difference between deleting, erasing and destroying personal information?
The basic driver for this question is terminology used in certain sectors of business.
For example, the word “delete” can translate to “archive” in some areas. This is why the regulations use “erase” and “destroy” to reinforce the intention of a permanent removal of information.
Rather than dealing with these like the principles, it may be easier to do it this way.
- Right at the start, individuals should be sure about why you are collating and storing their data.
- Individuals must be able to access their data, either in its original form or as a photocopy, scan etc.
- Upon seeing it, there must be a way to rectify any discrepancy. As the organisation, you can ask to see evidence before proceeding with certain changes to your records. This could be a household bill, a passport, etc.
- An individual can ask for any of their personal information to be destroyed. You do not have to agree if you believe there is a legal reason to keep it, like accountancy regulations.
- In some cases, the data has to be stored so that it can be transferred electronically. The best example of the right to data portability is its use by banks when they transfer direct debits and standing orders when you move accounts.
In case you didn’t know, based on my previous blogs, this one is quite light on detail. Feel free to look through the other blogs and see if the information you want is provided. Some of what I provide is very detailed. You can see them all at https://eyebray.com/category/gdpr/
There’s always the ICO to visit https://ico.org.uk/ for more information direct from them.