The Fifth Data Protection Principle
"Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes"
The Data Protection Act does not state any period of time for data retention - this is due to the fact that retention periods will vary between different organisations and for different types of data.
In many cases the retention period is determined by legislation relevant to the nature of the information. Regard should be had to statute and any specific provisions relating to the retention of data of a particular type, e.g. contracts, accounting, or health and safety, records etc.
Information does not therefore necessarily have to be deleted once a relationship ends if it necessary to retain that information for further purposes, e.g. an employment record.
Only in exceptional and justifiable circumstances should data be held indefinitely. There should be a system in place for removal of different categories of data from systems when, for example, only a limited record needs to be retained.
To comply with the fifth principle, data controllers should adopt a systematic review policy for personal data and delete information if it is no longer required. You should therefore set up data retention policies and review schedules for different categories of personal data to help you comply with this principle.
The ODPS frequently receives questions related to data retention. Whilst the Act does not specify any time periods, there are numerous resources based on UK legislative requirements and industry best practice standards available on the internet. Such resources may provide a suitable starting point for developing a data retention and destruction policy, not only for 'personal data' but also for other types of business documentation.
These resources, whilst not endorsed by the Supervisor, include the UK's National Archives and Financial Services Authority and the Chartered Institute of Personnel and Development and the UK Government's BusinessLink. Other resources are also available.
Click here for further guidance on the fifth principle.
Material on the Data Protection Supervisor's site is independent of that hosted by the Isle of Man Government and is protected by copyright. The copyright owner is the Isle of Man Data Protection Supervisor. You may not make alterations or additions to the material on this site, or sell it or misappropriate it. Material may be downloaded or copied for personal use. However, appropriate acknowledgement of the copyright owner is required if material is re-published in any format.