Data Spring Cleaning: Minimize Your Liability

Bennett Jones LLP

When we are retained by clients to guide them through a cyber-attack in which information has been stolen by a threat actor, we almost always find that the client has unnecessarily stored sensitive information far beyond the period for which it required that data. There are two key problems with this approach (or lack thereof) to data retention: (1) in the face of a cyber-attack where criminals steal your information, the organization is incurring unnecessary costs and potential exposure to claims by retaining information it does not need, and (2) when it comes to personal information, retention beyond the required period can itself give rise to regulatory investigation and penalties, and to litigation claims.

The practice of over-retention can be particularly costly if the organization is storing, for example, social insurance numbers of all past employees going back decades, or copies of drivers’ licenses that it no longer needs. By storing this information beyond the required period, the organization exposes itself to increased costs in the face of a data breach. In particular, it may incur increased expert costs to review and determine the scope of compromised information, costs of notifying more individuals than it otherwise would have had to, and possible credit monitoring costs. Moreover, the relationship to the data subject can impact how they receive a data breach notification. A notification is likely to be received very differently by a current employee who has a sense of loyalty to the employer as compared to a former employee who did not know that the former employer continued to retain their information.

In addition to the increased headache and cost of dealing with a breach of information the organization did not need to retain, the organization may have regulatory exposure for retaining information beyond the period for which it reasonably required it. Under privacy legislation, organizations are obliged to limit retention of data to the period of time required to meet the appropriate purpose for which the data was collected or generated, which purpose was identified at the initial time of collection. That is, an organization can only retain information for the specified purpose disclosed to the data subject at the time of collection. When the information is no longer required to fulfill that purpose, or the organization is not otherwise required by law or contract to retain the information, the organization is obliged to permanently destroy the information.

Where an organization notifies a privacy commissioner of a data breach, the commissioner often asks questions that reveal whether the organization is offside its obligations to minimize data retention. That is, a failure to minimize data retention will often quickly surface during an inquiry by a privacy commissioner's office. The failure to minimize data retention can give rise to regulatory fines or orders, and litigation claims. In a class action arising from a data breach, the class may be larger than it would have been had the organization appropriately limited data retention.

Determining the Appropriate Retention Period

The appropriate retention period for personal information is not dictated as an exact number to be used across every circumstance of collection. The organization that determines the purpose for which information is collected is responsible for determining the appropriate retention period. The purpose for the collection or generation of information typically guides this determination. Subject to regulatory or contractual obligations to retain information, personal information that is no longer required to fulfil the identified purposes should be destroyed, erased or made anonymous. For example:

  • Personal information that has been used to render a decision about the individual may no longer be appropriately retained after the decision has been made and the period within which the individual could challenge the decision has expired; or
  • Information used to administer an individual’s employment may not be appropriately retained after termination of the employment relationship.

Good Governance Take-aways

In developing protocols to put your data minimization into action, here are questions your team should be asked to address:

  • For each category of information we collect or generate about an individual, what purpose have we identified to the data subject for the collection or generation of that information? Based on that answer, what is the trigger for destruction of the information?
  • Are there any legal or contractual provisions which require that we retain the information for a period beyond that which is required to fulfil the designated purpose?
  • Where is the information stored within the organization and to which third parties have we transferred the information?
  • What mechanisms can we put in place so that we identify information that can be destroyed whether in our custody or in the custody of a third party to which we have disclosed it?

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Bennett Jones LLP
