As with other aspects of the data lifecycle, the Data Protection Act 2018 sets out clear rules for the storage of personal data. In particular organisations must not keep personal data for longer than they need to — and they need to be able to justify the length of time they hold the data for.
Policies are needed for setting standard retention periods for data. Organisations must review the data they have, and erase or anonymise it when they no longer need it. Individuals also have the right to ask for their data to be erased.
It’s worth noting that there are some exceptions to these rules. Organisations are allowed to keep data for longer periods if they are keeping it for public interest archiving, scientific or historical research, or statistical purposes.
Before you begin storing data, here are three things you should consider
1) Data retention — the length of time you’ll store your data
It’s fairly obvious that data needs to be stored and protected with the appropriate level of security, with backup and recovery procedures that protect key information. But beyond this, there are ethical considerations relating to storage too. One of the main ones is how long organisations should store data for, or data retention. This should encourage organisations to have a clear purpose for collecting data in the first place and be very precise about its use.
The GDPR states that data should be stored for the shortest time possible. However, in practice things are not always as clear cut.
- Do you need to keep this data at all? Has it already served its purpose?
- Should the data be anonymised? Even though it’s not the law, would this be safer — do you really need to store personally identifiable information (PII)?
- Are you storing out of date or redundant data? Could this be generating faulty insights leading to biased and poor decision making?
- How often will you review stored data and decide whether it’s still necessary to keep it? There are no hard and fast rules here, so think about upping your review periods to ensure an ethical approach.
2) Who will have access to the data you’ve stored?
Data protection and security is vital for storing and managing data, especially personal data that must not be disclosed to unauthorised people. Securing data means several things, including preserving its integrity, controlling access to it to reduce breaches and unauthorised access, and protecting the privacy of data contributors through techniques which de-identify or anonymise it. (Data subjects also always have the right to ask you what data you hold on them — and for this to be deleted.)
With this in mind, there’s an obvious tension between keeping data secure and ensuring the people who need to view it have access. Data is valuable because it enables us to generate insights and in turn improve services or save time and money. To achieve this, it must be shared. The principles of open data and data democratisation will always need to be finely balanced against the need to keep data secure.
- How can you balance the security, privacy and access elements of the data you are storing?
- Do you have a plan for providing different levels of access to data so that data in your organisation can be used effectively and ethically?
- How quickly can the data be made available to data subjects should they request it? The legal requirements state this must happen as soon as possible and definitely within one month. Can you put a system in place to ensure that you respond as quickly as possible?
Learning lessons from Ocado
In June 2021, retailer Ocado settled its litigation with two former employees accused of retaining confidential documents when they left the business and using them to support the development of a new, rival operation. While it was found the two men breached their obligations of confidence to Ocado, more robust data storage and access principles could have prevented the employees from taking the files in the first place, producing additional hard copies or retaining them after leaving the company.
Top tips for more ethical data storage
- Store multiple copies of key datasets on different media formats (depending on short or long term storage), for redundancy, accessibility and retention.
- Review databases multiple times a year to understand what data you still need to keep and what can be securely disposed of.
- Make sure you are aware of your legal obligations — many organisations provide free resources such as checklists for effective data retention policies.
Our next article will cover the ethics of data usage — being clear about its role in decision making processes, assessing whether or not it is fair, and mitigating bias. Or you can download the full report containing the full series below.
Our recent insights
What the aviation industry's recent mishap can teach us about the importance of good data governance
In this final part of our data ethics series, we look at what data destruction is and how you can comply with GDPR required actions.
In the final part of the Discussions on Data Ethics series, Professor Paul Clough, TPXImpact and Lucy Knight, ODI, discuss data literacy, effective community involvement and the value of bad news.