In this blog first published in Business Brief, Deputy Data Protection Commissioner Rachel Masterton discusses understanding your data and how to ensure your approach to handling it does not leave your organisation exposed.
“How long should we hold this information for?” is a frequent question posed to data protection officers, administration staff and regulators, and the fact there is rarely a simple, ‘x years’ answer is a source of much confusion and concern.
And I get it! I have been that data protection officer who has had to answer with ‘it depends – but for no longer than is necessary’ and then watch the face of the questioner fall as they realise there is no quick answer.
Sometimes, there is legislation that outlines exact periods. An example is the Data Protection (General Provisions) (Bailiwick of Guernsey) Regulations, 2018 that states clearly that records relating to a personal data breach must be kept for six years from when the organisation realises the breach has occurred.
Sometimes, a professional body will have produced guidance on retention that contains a reasoned justification for the length of time stated. And sometimes, it simply comes down to considering why you might need that information and how long that need may last.
However, straightening out the gnarly subject of retention periods is not the aim of this article. There is something more fundamental to get to grips with first, and that is separating the purpose for which personal data is used from the form of the data. Let me explain.
The theme for this month’s Business Brief is Tax, Trusts and Telecommunications and these lend themselves helpfully to explain my point. Every organisation with paid staff will collect, create and handle information for the purpose of complying with their obligations under tax legislation.
Organisations in the fiduciary sector will process an amount of personal data for the purpose of setting up and administering trusts. And all organisations will process some personal data to ensure they have IT and telecoms services in place.
Therefore, in each of the above scenarios, consideration will need to be given to, amongst other things, how long that information is kept for. There will likely be a line on the organisation retention schedule for each purpose (tax, trusts or telecoms) that documents that duration and the reasons for it.
Now underlying each of those purposes, and all the myriad of other purposes for using personal data, is how that personal data is processed; hardcopy or electronic, database or flat filing system; audio or visual recordings.
This means that whilst information processed for the purpose of tax may be held for six years from the end of the year in which the tax was paid, the actual data could be spread across several systems and the six-year retention period needs to apply across them all. And it is here that things can get sticky…
We have seen several examples where how long something is kept is based on the manner in which the information is stored, rather than guided by the purpose for which it is used. This is most commonly, it seems, the case for email.
Organisations may decide to delete a former employee’s email account and all its content six months after the person has left; long enough to pick up anything that was ongoing at the point of their departure but not so long that the account is taking up a user licence indefinitely.
And that makes a degree of sense, until such time as it does not, and by then it is too late.
By way of an example, consider the following. An employee emails a member of the HR team about problems they are having with a colleague. This grievance launches the relevant process and results in some form of admonishment for the colleague.
The HR team member subsequently moves on and the related email account is deleted.
A year later, there is a promotion opportunity and both employees involved in that grievance process are in the running for the job. When reviewing the HR file of the admonished employee, it is clear that some sort of grievance process took place, but there is no record of the initiating email.
It was never moved into the HR system and is now gone. As such, the basis for the grievance process is unclear and taking it into account as part of the promotion consideration could be problematic.
All too often we have seen cases where decisions have been made or action has been taken on the basis of an email or an email chain but this has remained within the inboxes of one or two staff and not moved into a more appropriate location.
This means, after a while, it is difficult to explain why things happened and there is no complete and accurate record of what went on. Should this matter then become part of a civil claim, or in data protection terms, someone exercise one of the rights they have under the Law, it becomes difficult to justify why what was done was done, leaving the organisation exposed.
In addition to the above, your own staff may not then have access to all the information that they need to do their job and errors may occur as a result.
If you have negotiated special rates with a client by email but have not made sure that all those involved in the billing process can see that information, how would they know to alter the usual rate?
What about if you receive instruction from a client not to send anything to their home address and this isn’t passed on to the rest of the team? This could leave the client open to risk of identity theft or worse.
To add a little more peril, it is not just email where these problems can arise. We are all using collaboration apps like Teams or Slack these days where whole conversations can happen between people but the outcome isn’t officially recorded.
And don’t get me started on the use of messaging apps like WhatsApp and Signal on individuals’ own devices, where whole work-related conversations can happen, for which the organisation is responsible but has no knowledge of and no access to.
So, it is imperative to think holistically about how your organisation uses personal data and for what purpose, and to implement processes and procedures make sure the right information is in the right place, accessible by the right people and kept for the right length of time.
Think purpose, not system.