Hi Mark



I agree with what Phil has to say.  DP is not my specialist area per se but retention is something I do work with.



There are, I think, five key considerations in arriving at an effective retention decision.



1. The first and foundation key consideration is that every record has a retention period.  This may be 'permanent' but the key thing here is that each and every record series needs to have had a consideration taken and a retention period put in place.



2. The second key consideration is that retention is primarily about context rather than about record type.  What I mean by this is that it is not whether a record is a letter, report, email or, in this case PIA, that dictates its retention period but rather a combination of what the document is and the context (and importance) of the record series that is all important. Thus, the email about lunch on Friday with a friend is a very different thing from the email from the CEO authorising your spend of £1.5m on GDPR implementation.



3. The third key consideration is to see whether there is any legislative requirement retention relating to the business area of which the records series is a part. If there is, then as an integral part of the delivery of that area of business, the PIA will, in the first instance, be tied to that retention.  Of course, and mindful of the audience for this posting, DPA/GDPR is a key piece of legislation here but there are often also specific retention requirements that govern areas of business. Where these exist, business practice sees such periods slot into the (and forgive my non-specialist phrasing here) 'as long as legitimately required for the business purpose for which the data has been gathered' criterion of DP.



4. The fourth key consideration re-enforces the business need criterion identified above. DP allows for this and, where there is no business legislation requirement, business best practice should be followed.  Aa good way of developing this is to set a period based on the Organisation's experience and then hold that up to peer comparison.  



There are numerous ways of doing this- including consulting sector schedules on line (e.g. JISC for Higher Education) or the IRMS LGCRS for Local Authorities in England and Wales (or SCARRS in Scotland) or the IRMS retention wiki- although legislative retention picked up from these should ALWAYS be checked before being used and a screenshot taken of any citation used so as to evidence the entry at date taken). 



Another effective method is asking 'around the houses' to see what sibling organisations are doing. A good place to find out what the profession think on things can be the JISC Records Management list (although in this instance the poster was guided from there to here because of the nature of the PIA).



5. The fifth key consideration is 'write it down'!  Put simply- always record how you have arrived at a retention decision.  This is valuable for two main reasons.  Firstly, corporate (and, speaking personally, personal :)  ) memory- i.e. if you don’t write it down, in a couple of years' time, the Organisation (and like as not you yourself) won't remember how you arrived at the decision. The second reason is 'defendability'  should either something goes wrong or someone requesting information queries why a particular record no longer exists. 



6. The sixth and final thing to remember is to review decisions periodically. This should ideally be at no longer than every two years- and change automatically if legislation/regulation changes.



Following these steps will give you a retention period that offers compliance and which is both reasonable and defendable.



The key messages are that 



- retention is a combination of document type and the context of its use;

- legislative requirements come first with business coming second; 

- do not re-invent the wheel- look for what others have done; 

- the reasons for the period arrived at should be records; and

- decisions should be reviewed periodically and at time of legislative/regulatory change.



I hope this assists.



Regards



Meic



Meic Pierce Owen FIRMS FIIM AMIRMS

Fife Council Records Manager





-----Original Message-----

From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Phil Bradshaw

Sent: 12 January 2018 17:01

To: [log in to unmask]

Subject: Re: [data-protection] (D)PIAs and GDPR - retention periods



Any retention period should run from either the cessation of the processing to which the PIA relates, or it being superseded by a later PIA e.g. where there is a triggering material change in the processing requiring a fresh / review of the PIA.



The period is really for you to assess having regard to the factors you have described and the nature of your business and risk. I doubt whether you would ever need 12 years. Six is certainly safe. I could probably justify three in some scenarios.



On the other hand for the specific scenario you mention, assuming an end point of "review" as opposed to "auto dispose" I can see a strong argument for transfer to permanent archive.



In practice I have already seen several database implementations linked to an Information Asset Register where there is in fact no disposal mechanism or procedure. An asset may be decommissioned along with associated objects such as PIAs but the records are simply retained.



I see no problem with that.



^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

     All archives of messages are stored permanently and are

      available to the world wide web community at large at

      http://www.jiscmail.ac.uk/lists/data-protection.html

     If you wish to leave this list please send the command

       leave data-protection to [log in to unmask] All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html

 Any queries about sending or receiving messages please send to the list owner

              [log in to unmask]

  Full help Desk - please email [log in to unmask] describing your needs

        To receive these emails in HTML format send the command:

         SET data-protection HTML to [log in to unmask]

   (all commands go to [log in to unmask] not the list please)

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^



**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed and should not be disclosed to any other party. 

If you have received this email in error please notify your system manager and the sender of this message.



This email message has been swept for the presence of computer viruses but no guarantee is given that this e-mail message and any attachments are free from viruses.



Fife Council reserves the right to monitor the content of all incoming and outgoing email.



Fife Council

************************************************





^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

     All archives of messages are stored permanently and are

      available to the world wide web community at large at

      http://www.jiscmail.ac.uk/lists/data-protection.html

     If you wish to leave this list please send the command

       leave data-protection to [log in to unmask]

All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html

 Any queries about sending or receiving messages please send to the list owner

              [log in to unmask]

  Full help Desk - please email [log in to unmask] describing your needs

        To receive these emails in HTML format send the command:

         SET data-protection HTML to [log in to unmask]

   (all commands go to [log in to unmask] not the list please)

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^