Data Retention Policy
Eight&four Limited has a responsibility to look after the information which we collect about individuals, whether our employees, clients, business partners, or even people browsing our websites. Our Data Protection Policy sets out our 10 Data Protection Principles. Principle 6 (Retention) of the Data Protection Policy states that we will only keep personal data for as long as we need it. If we don’t need the personal data anymore, we must delete it or anonymise it.
This Policy and the Retention principle referred to above only apply in respect of personal data for which we are the “data controller”, and not a “data processor”. Our Data Protection Policy provides details regarding the distinction between a “data controller” and a “data processor”. However, in summary, we will generally be a data controller whenever we process the personal data of our staff and the staff of our business partners and clients as well as consumer personal data if we process it for our own purposes (such as when we build our own proprietary databases). We will generally be a data processor when we process personal data solely on a client’s behalf (such as when we run a direct marketing or paid advertising campaign for a particular client).
Where we are a data processor, even though the Retention principle does not directly apply to us, there is a requirement to include in our contracts with the client details of the duration for which any personal data will be processed under the contract. There is also an obligation on us, subject to certain exceptions, to delete or return all the personal data after the end of the provision of services.
This Data Retention Policy sets out a process for the retention and disposal of personal data in respect of which we are the data controller to help us comply with Principle 6. In practice this means ensuring we only keep such personal data for as long as it is needed for the purpose it was collected (or for a further permitted purpose) and also:
- retain potential evidence that may be required in the course of litigation;
- securely destroy outdated records;
- optimise the use of space; and
- minimise the cost of record retention.
Any employee who fails to comply with this Policy may be subject to disciplinary action, up to and including dismissal. You should immediately contact Kate Ross if you become aware of a breach or potential breach of this Policy.
Exceptions to this policy
We may be legally required to retain personal data for longer periods where the personal data relates to anticipated or current litigation or other legal proceedings. Often referred to as a ‘Litigation Hold’, this is a legal obligation which overrides any retention period which would otherwise apply to the personal data.
If you are aware of any anticipated or current litigation relating to the personal data, or in the event of a ‘Litigation Hold’, you should immediately suspend deletion of the personal data. Failure to comply with a Litigation Hold could expose us to serious legal consequences. Files and documents relating to current or pending litigation should be kept until any dispute is fully resolved and is not open to an appeal.
Statistical Analysis of Personal Data
Personal Data may be stored for longer periods where it will only be processed for statistical or research purposes and where appropriate technical and organisational safeguards are in place, for example, where the personal data is pseudonymised, and where the processing is not used to reach a decision affecting a particular individual. Where statistical analysis is applied to the personal data, and appropriate safeguards such as pseudonymisation are in place, then the retention periods stated below will not apply to that personal data and it may be kept for a longer period where there is an ongoing need to do so. Retention would still, however, be subject to important considerations such as retaining up-to-date records, optimising the use of space and minimising the cost of data retention.
Personal data which is anonymised is not subject to our Data Protection Policy and therefore the retention periods in this Data Retention Policy will not apply to it.
Retention of personal data
Under data protection law, we are prohibited from retaining personal data for longer than is necessary for the purpose or purposes for which is was obtained. As mentioned above, this legal requirement is reflected in Principle 6 (Retention) of the Data Protection Policy.
Retention periods for categories of personal data
The retention of personal data should be determined primarily by the application of the general Principle of Retention under our Data Protection Policy. This means that we should only keep the relevant personal data for as long as it is needed for the purposes for which it was collected or for a further permitted purpose. If you are unsure how to apply this principle and are unsure what the appropriate data retention period is for a certain category of personal data please contact Kate Ross.
Last updated: 12th December 2017