What is a Data Retention Policy?
A Data Retention Policy establishes guidelines for how long an organisation retains different types of data, and how that data is disposed of once its retention period is over.
A comprehensive Data Retention Policy should include a schedule that sets out how long each category of data is retained. Examples of these categories include employee data, candidate data, resident data, supplier data etc.
Does my Council Need a Data Retention Policy?
A Local Council in the UK would need a Data Retention Policy to comply with UK GDPR. It's worth noting, however, that UK GDPR doesn't specify retention timescales for different types of data. Instead, it says that data can be held for as long as needed, for the reason it was initially collected. Therefore, it's essential for a Council to justify and document its retention periods in a Data Retention Policy.
Key Features of a Data Retention Policy:
- Policy Objective: This explains the purpose of the policy and why it exists - to ensure the Council complies with legal requirements and best practices related to data storage.
- Scope: The types of data the policy covers. It can range from personal data, like names and addresses, to non-personal data like anonymised or general data.
- Roles and Responsibilities: Whose overall responsibility is this document? What are the employees' roles? What are the details of the Data Protection Officer or Data Compliance Manager?
- Special Categories of Data: This refers to data that is more sensitive and requires extra protection, such as health records or information about someone's ethnicity, sexuality, or political views. The retention period for this type of data should be shorter, as it's unlikely you'll need to hold this type of data for as long as you would someone's name, employment history, etc.
- Retention Period: The length of time data is stored by the Council for each category. The retention period can vary depending on the type of data and its relevance to the Council's operations.
- Disposal: This details how data is discarded after the retention period has ended. Methods can include deleting electronic records or shredding physical ones.
- Reporting: Details of who someone can go to with any questions or in the event of a breach.
Remember, the specifics can vary depending on the Council and its data usage. A well-thought-out data retention policy is a cornerstone of an effective data protection strategy. It ensures compliance, enhances efficiency, minimises potential risks, and contributes to the Council's overall data governance framework.