One of the questions we get asked regularly is when files should be deleted. The answer, sadly, is that it depends on a whole range of things. Firstly, the General Data Protection Regulation states that information should not be kept for longer than required. Sounds simple, doesn’t it? But how long should you keep files? Accountancy records are usually kept for 7 years, but what about something like a display screen equipment assessment?
Sometimes there is a judgement to be made around the files a business holds because there is no good practice to reference. When that is the case, consider this: would the person whose information you are holding consider the length of time reasonable? I once met an osteopath whilst networking. He told me he had patient records going back 20 years, despite people not necessarily returning to him during that period. I doubt anybody who had visited him 20 years ago would expect that their details were still being held. Under GDPR there is also a requirement to keep the information up to date, which wasn’t happening here either.
You also have an obligation to keep records securely for as long as they contain personal information, so you need processes in place to make sure the security is appropriate.
A client recently asked whether all records should be kept for the same period. The answer is no. Each record will have a period that it should be retained for, and not all business records you hold will be retained for the same period.
Whatever period you decide to keep records for, you should create a retention schedule stating the period your records will be retained for. If there is no best practice retention period available, then put your reasoning into a document so that you know how you arrived at that length of time.
By the way, display screen equipment assessments should be kept for between 40 and 60 years according to the latest guidance.