Welcome to another edition of Privacy Notes!
Today our focus will be on the “Retention Policy”, bearing in mind the key terms defined in the last post on the “Right to be Informed” which is accessible here – https://blog.ndpracademy.ng/privacy-notes.
According to the NDPR, the principles of processing personal data which must be observed by a Data Controller before, during and after processing the personal data of a Data Subject include: lawfulness, specificity, legitimacy, consent, non-prejudice, accuracy, storage, adequacy and security.
The Retention Policy falls under the storage principle. The NDPR reiterates that Personal Data must be stored or retained only for as long as necessary and only for the purpose for which it is collected. The duration for which the Data Subject's Personal Data will be retained must be clearly communicated to the Data Subject. The NDPR even states that, prior to obtaining personal data, the Data Controller must inform the Data Subject, among other things, of the period for which the Personal Data will be stored or, if the period cannot be ascertained, the criteria used to determine the period of retention of the Personal Data.
From the above, Data Controllers should consider the legal or regulatory implications of retaining Personal Data and accordingly adopt a Data Retention Policy that conforms with the provisions of the NDPR and any other applicable legislation.
What then is a Data Retention Policy? A ‘Data Retention Policy’ or ‘Records Retention Policy’ is an organisation’s established protocol for retaining information relating to its operations.
It is best practice that an organisation’s data security measures be updated to include an active document retention and destruction policy. Such a policy is critical for any business and must be considered a priority for today’s retail enterprise.
Typically, when conducting investigations on compliance in this regard, regulators would, among other things, assess the Data Controller’s established retention policy as well as its retention and disposal schedule. The data retention period must always be linked to the purposes for which data is collected and processed, and it must also be conveyed to the Data Subject whose data is being collected and processed.
In the course of assessing compliance by a Data Controller with the regulations particularly on retention of data, the regulators would typically carry out their assessment in line with questions such as:
- Is there a legislation containing provisions regarding retention of the Personal Data?
- How long is the data to be retained by a Data Controller? (Minimum retention period should be expressly stated)
- What action does a Data Controller take regarding personal data upon expiration of the retention period? (State the action to be taken – for example, data is anonymised, pseudonymised, etc.)
A records retention policy not only assists the organisation in determining which records are to be retained; it also serves as a guide for determining when certain records are to be destroyed owing to conditions such as physical or electronic space constraints, requests by Data Subjects for such records to be destroyed, or the information on such records being outdated and no longer relevant.
Next week, we will continue with the key elements governing compliance with the principle of retention, and with claims and limitation periods in a data retention policy.
Thank you for reading to this point!
Till Next Privacy Notes Friday,
Uwemedimo Atakpo Jnr.