We’re going for the hat trick here – but GDPR is really close now. Our last few posts have been all about the GDPR countdown, and today is no exception. But today, we’re going to focus more on a question we keep being asked – which is how long do businesses need to keep confidential data once they’re done with it. Attaining consent is very important but retaining confidential data and knowing how long you are legally obliged to store it before disposing of it is just as vital. With that in mind, we’ve pulled together some information relating specifically to public sector businesses.
Records And Information Management
When it comes to managing information and records, it’s important to understand the difference between normal documentation, and documents that need to be kept for a specific amount of time. There are numerous rules for public sector businesses around what information must be maintained for records and audit purposes for set periods of time, and your data controller needs to ensure that the storage and destruction procedures are appropriate to the sensitivity and form of the material.
Why Is Confidential Document Disposal So Important?
Put simply, because it could cause damage. If the wrong people got hold of the confidential data your business processes, they could use it to cause harm to the individuals it concerns, either financially or otherwise. Not managing the documentation and data in your business properly will not only leave your business open to financial penalties, but also damage to your reputation and damage to your business.
What To Keep
Public sector organisations and departments have very specific criteria for the retention, storage and destruction of certain records – more so than the average business. A document can be identified if its content:
- Contributes to the policy or decision-making process, any actions taken or changes to policies or procedures
- Has financial or legal implications
- Is needed to support and help the running of the organisation
- Has been approved by or reported to another individual or internal/external body
- Sets a precedent or contains something unique of historical interest
- Had to be created as a result of specific legislation
If none of the above apply, then the document is not considered relevant and can be destroyed when it is no longer required.
Checklist For Confidential Document Disposal
To ensure that the correct procedures for GDPR are being met, all employees and senior management need to be on board. If anyone is unsure about whether a document should be disposed of, ask yourself the following questions:
- Where is the information currently being held?
- What value does this information have?
- How long should it be kept?
- Are the relevant people in the business aware?
- What are the trigger points for disposal?
- Is disposal built into your digital systems?
- Do you have a deletion policy?
- Is there a regular review process?
Awareness of what records an organisation has, how long they should be stored and at what point they should be destroyed or disposed of will help to reduce the potential risk of a data breach and the reputational harm it could cause.
And that’s that! Of course the public sector is a complicated area, and many of the ways that their document management works will be subtly different to those used by private businesses. But the destruction of the data is still important, and still falls under the same rules of GDPR. At Greenaway, we work with public and private sector businesses alike to help them comply with their document destruction obligations. For more information, please just get in touch with us today.