
Doesn't the data subject get a say in how long is reasonable?

Jo Archer

----- Original Message -----
From: Ian Welton <[log in to unmask]>
To: <[log in to unmask]>
Sent: Friday, July 30, 2004 1:30 PM
Subject: Re: [data-protection] Scientific Principle 5 measurement mechanisms


Roland Perry on 30 July 2004 at 11:13 said:-

> A lot of work has been done in this area with respect to CSP data, for
> which there is a mixture of forces at play.

What is CSP?

> Some of the data is required for installation of the service, and others
> for billing. Accountants and taxmen can say how long you need to keep
> the latter (7 years, or is it Oftel's old recommendation of "3 Billing
> periods"; in any event, how long after a customer has paid the bill will
> he expect you to be able to answer questions about it?) And the engineers
> will say you have to keep the former until at least 1 quarantine period
> after the customer has left (eg BT quarantines an outgoing householder's
> phone numbers for 6 months where possible). Operationally, to catch
> fraudsters, abusive callers (incl spammers) and so on, how long after
> the event is the trail likely to have gone cold? (eg. many say about 2
> weeks for spammers).

Very clearly there is a close link to the purpose data is held, and the
differing purposes may well have different retention periods.

I am aware a simplistic answer frequently adopted is to keep all the data
for the period necessary for the purpose requiring the longest retention.

The enquiry was of a generic nature though, and focused on purpose specific
data which would provide the information necessary to determine even those
general simplistic retention period decisions.

> The police, who use much of the same data for investigating crimes,
> would like everything kept for ever (there is, after all, still someone
> on the Suzy Lamplugh case), but have agreed various more practical
> periods with industry. .....

With my background as a police force DPO the 'retain everything forever' is
familiar, but that debate becomes facile when carefully considered. e.g. An
ongoing investigation clearly requires to retain relevant data it has
collected for that particular case. Identifying the specific purpose of use
for specific data is an important issue, and that purpose may change in
certain circumstances; such change in the purpose of particular items of
data does not, in my opinion, justify retention of all data 'just in case'.

> ..... There is anecdotal evidence
> regarding how often the police come looking for data and find it's too
> late (although they also argue that this figure is artificially low
> because their expectations, after a year or two have passed, are also
> low).
>
> The Criminal Cases Review Commission would like evidence preserved for
> as long as they are allowed remit to investigate, which is 7 years I
> think.
>
> On the other hand, collecting CCTV tapes from the possible scene of a
> crime, before they are recycled, seems to be down to a pragmatic deployment
> of quick-witted police rather than interminable requests for a bigger
> supply of blank tapes. Is CSP data retention always asked to be longer,
> just because [people think] the industry "can" ??

Retention of widely based, comprehensive and detailed data for excessive
periods can be convincingly argued as an indication of a lack of careful
thought or focus on the particular matter in question, leading to slower and
less effective outcomes, so the necessity for the type of methodology I seek
should be well perceived in those areas where effectiveness is important.

> (The UK is currently trying to shift a
> bastardised version of that through the EU).

There should have been much consultation and debate at both the national and
EU level then.  I will have to check out the EU website to obtain the link
and details to see if anything there is of help.

Ian W

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
        http://www.jiscmail.ac.uk/help/commandref.htm
  (all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
