This article has been written by Rishabh Mishra, pursuing the Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho. The article has been edited by Prashant Baviskar (Associate, LawSikho) and Smriti Katiyar (Associate, LawSikho).
The word “data” needs no introduction: data is, basically, the information that an organisation gathers for its needs and wants. Whether the organisation is a business, a government entity or any other entity, it gathers data for a specific reason, and for that purpose the data has to be retained. This raises the biggest question, the use of retained data, and this is where organisations need to prove their credibility by stating how the data is used and what rights the person whose data has been gathered holds. Organisations build this trust through their data retention policy, which must carry all the right qualities while keeping their needs and wants in mind. Another aspect that needs to be looked into is that organisations must make sure their data retention policy does not infringe any privacy law. These are the two broad aspects that need to be looked into while framing a good data retention policy; both are discussed further in this article, after first understanding the meaning of data retention and the need for data retention by entities.
What is a data retention policy?
The term “data retention” is made up of two words: “data”, which means information, and “retention”, which means the continued possession, use or control of something. Together, data retention means “the continued possession, use or control of information”. A third word is associated with “data retention” here: “policy”. All three words together mean an entity’s established protocol for keeping records for a set period of time. A data retention policy is also known as a records retention policy or a backup retention policy.
Broadly, a data retention policy is required by companies and other entities for data security and to fulfil business needs and legal and regulatory compliance. Some of the important needs for which entities require a data retention policy are as follows:
- Regular Backups and Archiving—backups and archiving of data are required for unexpected events such as loss of data through hacking or system failure. A data retention policy helps to identify the data which needs to be archived for the needs of the organisation. Identifying that data is important in order to avoid backing up too much data, which may create confusion.
- Streamlined Data Management—data retained by an entity must be classified according to its type, need, storage period, relevance and any other head as per the requirements of the entity. Here the policy plays the role of a segregator, separating duplicate and outdated data from useful and relevant data.
- Legal and Regulatory Compliance—entities cannot collect data according to their whims and fancies; they have to work within a particular legal framework, and a data retention policy is basically a statement of their compliance with that legal and regulatory framework. The whole policy must be framed to meet the requirements of the legal and regulatory framework; otherwise the entity will attract unnecessary attention, as we have seen in the case of “Twitter” in India in the recent past.
- Meet Business Needs—from the perspective of an entity, the collection and retention of data is useful and relevant when it meets the needs and wants of the business. As discussed earlier, a data retention policy is a statement of compliance with the legal and regulatory framework; similarly, it is also a statement of the entity’s business requirements. Thus, it must mention the credentials of the data, such as the details of the information required, its need, its usage, etc.
Things to be kept in mind while framing data retention policies
Based on the above definition, and the needs and wants behind the collection of data and its usage in furtherance of an entity’s affairs, the following points must be answered in the “Data Retention Policy”:
- What data needs to be retained—here the policy must show the segregation of relevant and useful data from the data which is collected from data subjects.
- The format in which it should be kept—this clarifies to the data owner how their data is kept with the entity and in which format, i.e. physical or digital.
- How long it should be stored for—the retention period must be mentioned in the policy with a proper justification for its length. Different retention periods for different data must also be mentioned.
- Whether it should eventually be archived or deleted—the policy must mention which data shall be archived and the reasons for doing so. Where data is deleted, the policy must answer when and how it shall be deleted. The policy must also mention the procedure to be adopted for deleting data at the request of the data owner and, lastly, the data that is archived even after deletion to meet statutory requirements.
- Who has the authority to dispose of it—the policy must clearly mention the final authority who has the power to dispose of data, as this helps the data owner approach the appropriate authority in the organisation with their requests.
- What procedure to follow in the event of a policy violation—a grievance mechanism plays a vital role in satisfying grievances, as it is a roadmap for an aggrieved person. Thus, in the event of a policy violation by the organisation or any other person, the policy must contain a procedure or grievance redressal mechanism for resolving the issues raised by the aggrieved person.
The above are the basic points that need to be answered while framing a data retention policy. All these points are interconnected: in order to determine the appropriate data which is required to be retained, they need to be read conjointly. A conjoint reading of the above points helps to understand, procedurally, an entity’s framework with respect to data retention, and this procedure must be reflected in the data retention policy. In other words, the procedure’s main steps are as follows:
- Identify the data.
- Define the purpose of data collection.
- Classify the data.
- Fix the period of retention.
- Provide a grievance redressal mechanism.
- Archive or delete the data.
The above procedure must also fulfil the legal and regulatory requirements of the laws concerned. While considering compliance with legal and regulatory requirements, the entity must first identify the jurisdictional issues involved in its business. It must be borne in mind that clarity on jurisdictional issues is a basic requirement for compliance with any law. In order to identify the legal requirements, the following points must be checked:
- Operation of affairs—the entity must identify whether its operations are global, local or regional.
- Physical Presence—the physical presence of the business, such as its offices or other physical establishments.
- Applicable laws—after identifying the place of operations and physical presence, the entity must identify the applicable laws.
- Conflict of laws—for instance, where the operations of an entity are global and the GDPR law of the UK conflicts with the cyber law of India, i.e. the Information Technology Act, 2000, the policy must first try to find a middle path to resolve the issue; where that is not possible, it should clearly mention which part of the policy is applicable in India and which is not.
Another important aspect in understanding the legal and regulatory framework is that principles of law are not uniform in nature, and there is a strong possibility that one has to make exceptions in order to be in accordance with the laws. The legal aspect has to be framed in such a way that it complies with all the laws under which the entity is regulated.
Keeping in mind the usage and legal aspects, the person drafting the policy should focus on writing a transparent policy, as data collection is a matter of privacy, and the more transparency there is, the fewer the conflicts. Transparency in the collection of data is a must.
The basic minimum requirements for writing a good “Data Retention Policy” are very clear from the above discussion. The suggestions made above may be applied as they are to every entity, whether a government or a business entity. Governments perform various operations beyond their own territory for which they retain the data of individuals or other entities, and accordingly they may also be required to comply with the requirements of the jurisdiction concerned unless they are specifically exempted; thus, in this situation, even government entities may have to comply with the law of the land of that country. It is also clear from the above discussion that the framing of a “Data Retention Policy” depends completely on legal and regulatory requirements: however well the usage aspect of a policy is framed, the legal aspect of the policy needs to be given priority at all costs.
Before framing a policy, one has to identify the usage of the data, then the legal aspects associated with it, and lastly one has to shape the usage to fit within the legal framework. This exercise gives the outline for the framework of the policy. After noting down the framework, a person must conspicuously mention each and every point in the policy, which shall necessarily include the data’s collection, usage and retention period, along with the different procedures with respect to the data’s retention, destruction, archival and exceptions. Moreover, a person must also keep in mind that they should not focus on framing a uniform policy for all needs; they must segregate the collected data and accordingly frame different policies for different data.