Step 11: Delete and destroy
Part of this obligation is to retain only the data you need and for only as long as you need it. At the point this period expires you should securely destroy/delete this data.
How long to keep data
This question is important and should be asked before the data is gathered. There are a number of reasons that can justify retaining personal data, and in some cases these will be easy to define, such as data required for tax purposes. In other cases the collective judgement of the Executive Committee members needs to be used to justify the retention period; this is best done using evidence or past experience. To assist, we have created a template retention policy. This has been created using a combination of the Scouts UK headquarters policy and examples from local Scouting. The template can be used by a local Scout Group, District, County/Area/Region (Scotland), but may need tailoring to suit local processing activities.
Data is useful and necessary for many things; however, it doesn’t always need to contain personally identifiable information (name, address, email, etc.). For example, keeping the number of attendees for an event gives great insight into the success of that event, and in this case you don’t require the names of those who attended.
The best practice way to manage the life cycle of data is as follows:
- Only retain personal data that is necessary
- Anonymise the personal data as soon as possible so it doesn’t contain anything personally identifiable (for example removing names and personal data relating to a Nights Away event, but keeping the number of young people in attendance for statistical purposes at a later date)
- Delete/destroy the data when it is no longer required, even if this is before the retention period expires
There are a number of ways that the personally identifiable elements can be removed from data. The most common is simply to delete the records that contain these elements, but there is also tooling that can reduce the admin burden of manually deleting records. These tools use techniques such as anonymising or pseudonymising. Anonymising is a data-cleansing technique that uses an irreversible program to scramble the data. Pseudonymising replaces the personally identifiable elements with dummy data, usually of the same type; for example, a name gets replaced with a random name. In all three cases the result is a data set that can be retained without requiring a lawful justification and can be used for gaining historical insights or analysis from the data.
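The three steps of the life cycle above, worked through on a constructed Nights Away attendance list as an added example (this is not code from the page or from Scouts UK, and the record layout, the two-year retention period and the use of a keyed HMAC token in place of a random name for pseudonymising are assumptions):

```python
import hmac
import hashlib
from collections import Counter
from datetime import date, timedelta

# Constructed sample attendance records (assumed layout, not real data).
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "section": "Cubs",
     "event": "Nights Away 2019", "event_date": date(2019, 6, 15)},
    {"name": "Bob Example", "email": "bob@example.org", "section": "Cubs",
     "event": "Nights Away 2019", "event_date": date(2019, 6, 15)},
    {"name": "Cara Example", "email": "cara@example.org", "section": "Scouts",
     "event": "Nights Away 2021", "event_date": date(2021, 7, 10)},
    {"name": "Alice Example", "email": "alice@example.org", "section": "Cubs",
     "event": "Nights Away 2021", "event_date": date(2021, 7, 10)},
]

RETENTION = timedelta(days=2 * 365)  # assumed retention period: two years after the event
AS_OF = date(2022, 1, 1)             # assumed "today" for the worked run


def purge_expired(records, today):
    """Delete/destroy: drop every record whose retention period has run out."""
    return [r for r in records if today - r["event_date"] <= RETENTION]


def anonymise(records):
    """Anonymise: keep only the attendance count per event.

    No identifier survives and the original records cannot be rebuilt from
    the counts, so the result can be kept for later statistics."""
    return dict(Counter(r["event"] for r in records))


def pseudonymise(records, key):
    """Pseudonymise: replace identifiers with a keyed token (HMAC-SHA256 of the e-mail).

    The same person gets the same token across events, so attendance patterns can
    still be analysed, but the token cannot be turned back into a name without the
    key. Store the key apart from this data set; deleting the key makes the result
    effectively anonymous."""
    out = []
    for r in records:
        token = hmac.new(key, r["email"].lower().encode(), hashlib.sha256).hexdigest()[:16]
        out.append({"person": f"member-{token}", "section": r["section"],
                    "event": r["event"], "event_date": r["event_date"]})
    return out


if __name__ == "__main__":
    print(anonymise(RECORDS))                  # {'Nights Away 2019': 2, 'Nights Away 2021': 2}
    print(len(purge_expired(RECORDS, AS_OF)))  # 2
```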
Care should be taken when deleting or destroying all personal data. Physical documents should be destroyed using a shredder or secure paper waste bins that only allow access to the authorised disposer. Digital destruction of documents should be completed in line with the retention periods specified in the retention policy. Most delete capabilities that exist today for digital data come with a recycle bin concept. This means that the data is not deleted straight away and the user has some time to restore it before permanent deletion, so care should be taken to ensure the data is fully deleted.
The ICO have published guidance on the secure destruction of data here; this pre-dates the GDPR and DPA 2018, but the advice is still relevant.