
Data retention in the UK: How long should you keep data?

We look at data retention periods, what the key laws and regulations say, how long they recommend keeping different kinds of data, and the software tools that can help

It is an oft-asked question: “How long should we keep this data?” But the answer – in the UK at least – is not as clear cut as you might imagine.

The core principle that governs retention compliance is justification: you must have decided, on the basis of a reasonable assessment of the purpose of processing, how long the data needs to be kept, and written that decision down as policy.

That said, there are recommendations for retention periods for many types of data, based on law and regulation in particular industry sectors.

So which UK laws and regulations set retention periods, and what do they recommend? Here, we look at the key elements of a data retention policy, how software tools can help, and who supplies them.

What laws and regulations affect UK organisations?

UK organisations’ data compliance is governed by numerous laws and regulations.

Core to these are the UK GDPR, which sits alongside and is supplemented by the Data Protection Act 2018, and guidance from the Information Commissioner's Office (ICO).

Beyond that, there is company law, employment law, health and safety law and so on, all of which come with requirements about data retention.

What data retention periods do UK laws and regulations specify?

It is hard to overstate the importance of the Data Protection Act and the UK GDPR to data protection and retention practice in the UK, but, importantly, neither specifies precise retention periods. Instead, the storage limitation principle requires that personal data be kept no longer than is necessary for the purposes for which it is processed.

The core requirement, therefore, is that organisations establish reasonable, documented policies and schedules for each category of data they process.

So, for each category they must show:

  • For what purpose they process the data;
  • How long the data must be kept for that purpose;
  • What legal or regulatory requirements stipulate a retention period;
  • That they have in place a periodic review mechanism to check whether data must still be retained.

And while reasonable, documented practices around processing and retention are key, numerous recommendations for how long to keep data do exist.

Common recommendations include:

  • Six years from the end of the financial year for accounting and tax records under the Companies Act 2006, HM Revenue & Customs (HMRC) tax rules and the VAT Act 1994, and for payroll and wages records under HMRC guidance; and six years from the date employment ceases for personnel files, under Employment Rights Act guidance.
  • Three years for health & safety accident records.
  • Up to 40 years for hazardous exposure cases under COSHH guidance.
  • 10 years after cases close or court orders cease for client records in legal firms.
  • 12 years or more for contracts and deeds under the Limitation Act and contract law.
  • Six or seven years for employee records that might be subject to claims.

NHS guidance specifies eight years after conclusion of treatment or the patient’s death for adult hospital records, 10 years for GP records, and 25 years after the birth of the last child for maternity records.

In financial services, the Financial Conduct Authority says records must be kept for five years from their creation, while anti-money laundering law specifies five or 10 years of business transaction data be kept.

For personal data, and especially special category (sensitive) data, the guidance, even where data is archived for research or historical purposes, comes back to what can be reasonably justified: that policies and review procedures exist, and that appropriate caution is applied.

What are the key elements of a data retention policy?

The key action organisations need to undertake is to create a data retention policy that lists:

  • The categories of data held;
  • The purpose for holding each category of data;
  • How long each category should be held, with reference to any legal or regulatory obligation that sets a retention period;
  • Where no statutory minimum applies, documented justification for the chosen period;
  • What to do with the data when its retention period expires, such as deletion, or anonymisation so that it is no longer personal data and the UK GDPR no longer applies to it;
  • Checks at the point of expiry that no litigation, complaint or other proceeding requires the data to be kept for longer (a legal hold); and
  • Regular reviews of the policy itself.

What are the key features of software tools that can help with data retention?

Numerous software tools exist that can build on an organisation’s data policy to help track and manage data, and alert staff and leadership about decisions that need to be made.

Key functionality in tools that can help with data retention includes:

  • Being able to define categories and types of data and assign retention periods, based on policy.
  • Automating retention period events, such as providing alerts when a retention period is over, plus deletion workflows and archival transitions.
  • Logging full traceability of data through its lifecycle, including when it passed through key stages and the personnel responsible for those changes.

These functions overlap with data management more broadly, so you will probably want them to integrate with systems such as document management, email archives and file servers, and possibly even a physical records inventory.

Metadata support is a useful area of functionality that can help you know what data you hold, where it is, how long it’s been kept, its risk classification, and so on.
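To make the policy elements above and the tool functionality concrete, here is a small retention-schedule evaluator. It is an added example written for this article, not code from any of the vendors named below. The categories, the periods attached to them and the 31 March financial year end are assumptions loosely based on figures quoted earlier; a real schedule must come from legal review. It shows the parts a practitioner would expect: rules that count from either the record's own date or the end of the financial year, a legal hold that overrides expiry, a review window that raises an alert before the period ends, a disposal method (delete or anonymise) attached to each rule, a refusal to dispose of data that has no rule, and an audit entry for every decision.

```python
"""Retention schedule evaluator: an added illustration, not any vendor's code.

Categories, periods and the 31 March financial year end are assumptions; a real
schedule must be sourced from legal review.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

FY_END_MONTH, FY_END_DAY = 3, 31  # assumed financial year end of 31 March


@dataclass(frozen=True)
class RetentionRule:
    category: str
    years: int
    trigger: str   # "event": count from the record's own date; "fy_end": from end of that financial year
    disposal: str  # what happens at expiry: "delete" or "anonymise"


# Constructed rules for hypothetical categories.
RULES = {
    "accounting_record": RetentionRule("accounting_record", 6, "fy_end", "delete"),
    "accident_record": RetentionRule("accident_record", 3, "event", "delete"),
    "hospital_record_adult": RetentionRule("hospital_record_adult", 8, "event", "anonymise"),
}


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date        # creation date, end of treatment, date of accident, etc.
    legal_hold: bool = False  # litigation, complaint or other proceeding in progress


@dataclass
class Disposition:
    record_id: str
    action: str               # "retain", "review", "dispose" or "hold"
    disposal_method: Optional[str]
    expiry: Optional[date]
    reason: str


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def financial_year_end(d: date) -> date:
    """First financial year end on or after d."""
    fy_end = date(d.year, FY_END_MONTH, FY_END_DAY)
    return fy_end if d <= fy_end else date(d.year + 1, FY_END_MONTH, FY_END_DAY)


def expiry_date(rule: RetentionRule, rec: Record) -> date:
    start = financial_year_end(rec.trigger_date) if rule.trigger == "fy_end" else rec.trigger_date
    return add_years(start, rule.years)


def evaluate(rec: Record, today: date, review_window_days: int = 30) -> Disposition:
    """Decide what the schedule says about one record as of `today`."""
    rule = RULES.get(rec.category)
    if rule is None:
        # Never delete (or silently keep) data that has no rule: flag it for a person.
        return Disposition(rec.record_id, "review", None, None, "no retention rule for category")
    expiry = expiry_date(rule, rec)
    if rec.legal_hold:
        # A hold overrides the schedule even after the period has expired.
        return Disposition(rec.record_id, "hold", None, expiry, "legal hold in place")
    if today >= expiry:
        return Disposition(rec.record_id, "dispose", rule.disposal, expiry,
                           f"{rule.years} years from {rule.trigger} elapsed")
    if (expiry - today).days <= review_window_days:
        return Disposition(rec.record_id, "review", None, expiry, "expiry within review window")
    return Disposition(rec.record_id, "retain", None, expiry, "within retention period")


def run_schedule(records, today: date, actor: str = "retention-job"):
    """Evaluate every record; return (dispositions, audit entries) so decisions are traceable."""
    dispositions, audit = [], []
    for rec in records:
        disp = evaluate(rec, today)
        dispositions.append(disp)
        audit.append({"when": today.isoformat(), "who": actor, "record": rec.record_id,
                      "category": rec.category, "action": disp.action,
                      "method": disp.disposal_method, "reason": disp.reason})
    return dispositions, audit


# Constructed sample records and run date.
TODAY = date(2025, 1, 15)
SAMPLE_RECORDS = [
    Record("INV-001", "accounting_record", date(2017, 6, 15)),   # FY ends 31 Mar 2018 -> expires 31 Mar 2024
    Record("ACC-002", "accident_record", date(2022, 12, 1)),     # expires 1 Dec 2025
    Record("ACC-003", "accident_record", date(2022, 2, 1)),      # expires 1 Feb 2025, inside review window
    Record("HOSP-004", "hospital_record_adult", date(2015, 5, 20), legal_hold=True),
    Record("MISC-005", "marketing_list", date(2019, 1, 1)),      # no rule defined for this category
]

if __name__ == "__main__":
    for d in run_schedule(SAMPLE_RECORDS, TODAY)[0]:
        print(f"{d.record_id:9} {d.action:8} {d.disposal_method or '-':9} expiry={d.expiry} ({d.reason})")
```

Two design points matter more than the date arithmetic. First, the legal-hold check comes before the expiry check, so a record on hold is never queued for deletion however far past its period it is; that is the "check at expiry" step in the policy list. Second, a record whose category has no rule is flagged for review rather than retained or deleted by default, because both silent outcomes are exactly what a retention policy exists to prevent. The audit entries are what a tool's lifecycle traceability would persist, and they record who or what took the decision and why.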

Who provides software that can help with data retention?

Cleardox AMS by ClearData Group manages archived records with automated destruction notifications when retention dates expire.

iGMapware is a software-as-a-service application aimed at records, data retention and metadata management that can help create retention schedules, map information assets and govern when data should be disposed of.

Iron Mountain’s Retention Policy Management Platform helps organisations manage retention and privacy obligations, implement schedules and ensure data is disposed of when no longer needed.

Zebsoft compliance management software is a UK-based platform that helps organisations map personal data, define retention periods, and manage policy, consents and subject access requests, with workflows and audit trails around retention and deletion.
