Can I hold on to personal data?
SA writes: We have a number of business documents that might contain personal information on people employed by the company or with whom the company has had a business relationship. What is the statutory retention period for these documents and is it possible to keep them indefinitely? How long should the company’s other records be held?
The holding of personal data is governed by the Data Protection Act 1998, which applies to most businesses and organisations, writes Jon Sutcliffe, partner at Kingston Smith LLP. The fifth principle of the act states that personal data processed for any purpose shall not be kept for longer than is necessary for that purpose. In practice, it means that you will need to:
- Review the length of time you keep personal data;
- Consider the purpose for holding the information in deciding whether (and for how long) to retain it;
- Securely delete information that is no longer needed;
- Update, archive or securely delete information if it is out of date.
It is therefore necessary to look at which laws or industry guidelines apply. The Companies Act requires a private company to keep its records for three years from the date they were made. Public companies must keep them for six years. For corporation tax, records may need to be kept for up to six years. This can be longer where a return is filed late or is subject to enquiry or amendment. For VAT, the general rule is that you must keep all relevant records for at least six years. If this causes you problems in terms of storage or costs, then HMRC may allow you to keep some records for a shorter period.