Palmer on Security

Information Security & Privacy

how long should information be kept?

Matt Palmer

In the last week we've discussed the astronomically high cost of keeping unnecessary data and the need for a clear records retention policy if the information mountain every organisation now produces is to be manageable. Ultimately, a suitable retention period needs to be established for every information asset. However, that's easier said than done. In addition to costs and benefits of retaining the data, there are plenty of legal and regulatory requirements that often impact this decision.

Here's isrisk.net's quick reference guide to the ten key factors to consider when determining data retention periods:

Current or future operational requirements

Do you need the information? If so, do you need all of it? Will you still need it in 5 years' time, or only for the next few weeks?

The cost of maintenance and risk of obsolescence

Information is not free. Ensuring the continuing integrity of data means procedures to keep it up to date, verify its accuracy, and remove it if required to do so. Some information never changes, but its subjects do: National Insurance / Social Security numbers, for example. Other data changes all the time - preferences, financials, addresses, emails, even names. If your information is wrong, you may now be required by law to correct it.

The cost of storing, archiving, and retrieving the information

Storage comes at a cost, but often a low one. More important perhaps are all those back-ups, test restores, archiving and retrieval processes you need, and the associated hardware, processing capacity and bandwidth.

Forensic requirements

Known as 'discovery', the process of obtaining and disclosing information to support a commercial dispute has become an industry in itself. How do you find out whether person X ever wrote or said anything about company Y? By spending a lot of money, so much that defending an action can become so prohibitively costly that there's an added incentive to settle when you'd rather not. The only way to ensure information is not subject to discovery is to know for certain you don't have it in the first place.

Customer expectations

Your contract may say you may send marketing literature to former customers, but do you really want to? How would you react to being harassed by a company you parted ways with ten years ago? And did you really expect them to keep a record of your trade union membership and sexual orientation?

Contractual rights and obligations

You have contracts with customers and with suppliers of data. If that marketing list is licensed for 12 months, that's how long you can keep it. Keeping it longer is just a waste of resources because you can't use the information, anyway. The same applies to your customer list from 1927. In the bin with it!

Maximum or minimum retention periods identified by legislation or regulation

It helps not to be in a regulated industry, but often that's not up to you. If you operate in the public sector, financial services, or some other highly regulated sector you may have requirements that are specific, detailed, and possibly even contradictory. Compliance is the name of the game here - sometimes that means keeping information longer than you'd like, other times deleting it when you'd rather keep it.

Regulatory guidance and expectations

I know the law says you can have it, but do they really expect you to? Guidance may not be mandatory, but if you're not going to follow it be sure to know why, and be ready to justify it.

Internal policies and standards

The truth is out there, but it's not just yours. Your organisation will have many expectations already established in board reports, policies, standards and procedures.

The risks involved in retention or deletion

Holding data carries a risk, but so too do the processes involved in deleting it. How do you make sure you delete the right records at the right time? What controls do you have in place to make sure you don't get it wrong - and what will you do when it does go wrong?