Retention of Personal Data
The guidance document, UCD ODPO General Data Retention Guidance for Personal Data, sets out the obligations of University College Dublin regarding the retention of records containing personal data. Whilst the General Data Protection Regulation (GDPR) does not specify standard retention periods, it is still a requirement to only retain personal data when there is a valid legal reason to do so in relation to the data’s use in a specific processing operation.
Data Retention periods are important for UCD’s compliance with the following data protection principles:
- Purpose Limitation
- Storage Limitation
- Data Minimisation
- Integrity and Confidentiality
- Accountability
The retention of personal data, and the retention periods for the processing of personal data listed in retention schedules, relate to the UCD 'key business owner' of that processing activity, which in some cases might not be your School/Unit.
Key Business Owners
If your School/Unit is the key business owner, and responsible for the master copy of the personal data for a particular processing activity, it will need to find out what the retention period is and delete the data as directed. The following need to be factored in:
- Original purpose for having the personal data
- Legal requirements (i.e. how long UCD is entitled to lawfully keep a specific data set)
- Sector standards
- Governance and accountability purposes of the organisation overall
- Quality control purposes
Temporary Hosts
If your School/Unit is not the key business owner, then it is considered a 'temporary host' of the personal data and should not keep it beyond the purpose for which it originally processed it (i.e. the processing activity). When another School/Unit is responsible for the master copy, it is your School/Unit’s responsibility to delete any local or transient copy, including any duplicates, when you no longer need it for the day-to-day operation of the School/Unit. Note: ideally local copies should be avoided from the outset and data should remain in the dedicated/central system.
Further information is also available in our Short Guide to Retention of Personal Data.
FOI Record Retention Schedules vs GDPR Data Retention
Freedom of Information (FOI) applies to a broad range of records that can include information – such as statistics, inventories or records of decisions – that does not contain personal data. The FOI-related records retention schedules specify the length of time that records must be maintained for organisational, legal, fiscal and historical purposes, irrespective of processing activities.
Under GDPR, data minimisation and storage limitation are key principles and require organisations, such as UCD, to determine appropriate retention periods. This means that personal data should not be kept in a form that permits identification of data subjects for longer than necessary for the purposes for which the personal data is processed. If the purpose for which the information was obtained has ceased and the personal information is no longer required, the data must be deleted or disposed of in a secure manner.