3.7 Data storage periods
TABLE OF CONTENTS
- 3.7.1 How should a personal data retention period be determined?
- 3.7.2 How to implement the disposal / archiving of personal data?
Keep in mind
In compliance with the data minimization principle, it is essential to delete or anonymize personal data as soon as you no longer need it, for legal, contractual or operational reasons.
Implementation is not always simple and requires getting organised ahead of data collection with honed procedures / tools to allow for proper implementation when disposal is possible.
One of the GDPR’s guiding principles of personal data protection is that a retention period must be set. This period must be “necessary to achieve the purpose (of the processing) that justified the collection/storing of the data” (Source: the French supervisory authority, the CNIL). In other words, setting a retention period amounts to setting a date for the disposal/erasure or permanent anonymization of personal data.
You will of course be required to comply with your legal obligations towards institutions and your contractual obligations towards donors (for audits, for example), and to reflect your own operational use, but it is essential not to let this data sit on servers or hard drives indefinitely.
The GDPR calls for a “bare minimum” retention period, but no specific time indication is provided. It is the controller’s responsibility to set a retention period, and the processor’s (if any) to make sure that it has been established and to respect it.
The data retention period is different depending on the purpose of each processing operation and will vary: some periods are set by law (which is often the case for HR data for example), others by audit rules, others find their justification with regard to the specificities of each cause and each organisation.
In practice, it is almost impossible for an NGO to meet the demands of each stakeholder in this regard, so they need to develop a more macro approach with coherent institutional policies if they want to be able to implement them responsibly and effectively.
Good practices taken from the CNIL: questions to consider to help determine a data retention period:
- “How long does the organisation really need the data to achieve the purpose set?
- Does the organisation have any legal obligations to keep the data for a certain period of time?
- Does the organisation have to retain certain data in order to protect itself against possible litigation? Which ones?
- Until when can the organisation assert this legal action?
- What information needs to be archived? For how long?
- What are the data deletion rules?
- What are the data archiving rules?”
For example, you can distinguish (as recommended by the French CNIL):
- Common use (active base): this phase corresponds to the daily use of personal data in the implementation of NGO activities – those in charge of processing the data need easy and immediate access to it, for example to deploy project activities.
- Intermediate archiving: the personal data has fulfilled “its initial role” and is no longer useful for the operational deployment of the project: the purpose of the processing has been achieved. On the other hand, “it represents an administrative interest” or meets a legal or contractual obligation, for example for accountability, reporting, auditing or feedback from affected populations. Access is restricted to consultation and to specific authorised recipients, and sorting the data to be retained should be done upstream.
Once the retention period (active database or intermediate archiving) has been determined and reached, the data is deleted. It is possible to anonymize it so as to retain it longer (either during archiving, or for reuse of another kind, such as internal learning or to inform future projects).
The RAD guide by the Engine Room defines:
- Data archiving as “the intentional preservation of data in a format that makes it easy for collaborators to refer back to. The process of data archiving requires careful reflection about why your data might be needed in the future, who might need it and how you can store it”.
- Data disposal as “the process of deleting data in a safe and responsible manner.”
Implementing the disposal, or even the archiving, of operational personal data is not always easy, mainly because of the life of the projects and associated teams. It is very rare for the project leader who initiated the collection and use of a dataset to still be present when the disposal/archiving date of the data in question arrives several years later (in view of audit requirements). It is therefore up to the organisation to have specific processes and tools in place to ensure the quasi-automatic disposal of the data on the due date (depending on organizational choices).
Few organisations have such procedures in place, but NGOs should research and shift towards such practices to ensure that they see a minimalist approach through to completion in terms of data.
Good archiving practices:
- Select the data that represents a particular interest for the data controller, once the purpose of its use has been achieved
- Manage access rights to archived personal data: only approved persons are authorised
- Define an archiving period according to the legal or contractual obligation
- Define “the practical journey” of a piece of data, from common use to intermediate archiving (Sources: The French CNIL and GDPR memento from France générosités)
Another, more global method, derived from the RAD guide by the Engine Room, proposes to set up a “RAD plan” that refers to the three stages of the data life cycle: Retention, Archiving and Disposal. “Having a streamlined process for Retaining, Archiving and Disposing of information shows care, respect and empathy for those an organisation works with, including the organisation’s own team, collaborators, partners, grantees and others”.
This process may seem cumbersome to implement, but it has positive effects on activities, especially on “knowledge and understanding of all the data you use in your work”, in particular by maintaining the confidentiality of personal data and ensuring the organizational security of affected populations and relationships of trust.
In order to define a “RAD” plan, a good practice recommended by the guide is to map the data at each stage of the data lifecycle separately. Here are some questions to help start mapping your data, documenting each response:
- When do you collect data? Think back on your workflow and try to list the moments you usually collect data.
- Where do you store data? Consider the data you currently have and list all the places where it lives.
- When do you share data? Think about data sharing requests or opportunities: when does that usually happen?