The records and information management world has experienced a gradual yet seismic ideological shift in recent years. Long gone are the days of thinking solely in terms of HOW LONG MUST WE KEEP this information. Today, companies also think strategically, practically, and with privacy legal compliance in mind when it comes to managing their records and information. In this day and age, special considerations such as big data and privacy increasingly drive initiatives. Companies are now asking an equally important question of HOW SOON SHOULD WE DELETE this information, as well as HOW MUST WE DISPOSE OF IT?
Why does privacy data deserve its own deletion policy?
Organizations replete with privacy data increasingly recognize that the traditional records retention schedule alone is not sufficient to address privacy data for several reasons.
- Data typically resides within systems and can easily get lost in the mix; this also makes it difficult to locate and recover this data!
- Data is not considered a “record” per se; but, rather it is the outputs from the data’s system that typically qualify as records subject to the traditional records retention schedule;
- With the exception of privacy data, data is not typically subject to legal retention or mandatory deletion requirements, and are primarily governed by business and operational requirements;
- Pressing “Delete” is not good enough! The deletion or anonymization treatment of privacy data must meet specific criteria to satisfy the legal requirements and guidelines;
- Privacy data may now be subject to deletion requests, requiring companies to track down the location of any piece of data related to an employee, consumer, patient, etc., wherever it may reside whether internally or with third parties.
Important Components and Where to Start
1. Personal Data Information Collection
If you are going to set up privacy data governance, it is important to get a handle on your organization’s privacy data. An important first step is to create an inventory of all personal data maintained by the company. Include descriptions and definitions of the data, its location, method of storage including types of systems and applications, and other information related to the processes surrounding the data and its flow through the organization. This is also an opportune time to glean details surrounding the business and operational value of the information and how long the record owners legitimately need to hold on to the data. This fundamental information collection is important in the proper governance of privacy data: the data cannot be properly managed unless the company knows the what, where, and how of its privacy data.
Asking questions about record outputs and business processes that utilize and rely on the privacy data is vital knowledge. Understanding the records that relate to the privacy data is helpful in building a bridge between the data and the records retention schedule categorization and determining the appropriate retention period for these data and records.
2. Personal Data Categorization
Once you have a good handle on your organization’s privacy data and its output record, this information will facilitate an alignment or mapping of the privacy data to the records retention schedule for purposes of determining the appropriate retention period and ongoing maintenance. Your organization’s retention schedule can be leveraged to manage retention periods for privacy data!
3. Retention Period Determination
Determining the appropriate retention periods for privacy data is an important part of the equation. Privacy laws, and principles in general, limit the amount of time that PII may be kept to the amount of time necessary to satisfy the purpose for which it was collected. Seemingly straightforward, the lines may be blurred where privacy data is collected to serve multiple purposes. For instance, privacy data related to an employee’s social security number will likely need to be retained for the duration of employee’s employment and is a fundamental component of a personnel record to be retained for the Duration of Employment + x Years. But this data may also support the payment of pension benefits which may extend many years beyond the employee’s employment and until that last benefit payment. In this case, the privacy data would need to be considered within both categories. The longest retention period of the two would ultimately support the appropriate retention period for the ongoing processing of that data. Ultimately, the appropriate retention period satisfies the minimum applicable legal requirements as well as supporting business, operational, or other legitimate basis for maintaining such information.
Finally, that good old “Delete” key may suffice for erasure of certain data, but for privacy information, this is simply not good enough. With regards to methods of deletion, the standard age-old approach for end-user deletion includes deleting the file and emptying the recycling bin. Taking this a step further involves deleting and reformatting the computer drive that keeps the data files. Unfortunately, neither approach is necessarily sufficient for privacy data according to privacy laws including the GDPR. Although deleted, these files have not been erased completely and are still recoverable from the hard drive, and potentially vulnerable in the case of a malware or other type of cyber-attack. Further steps must be taken to ensure the information is truly deleted and not recoverable.
In summary, if your organization is concerned about their privacy data, including where it is, how long it is being maintained, etc., a privacy data deletion policy should be considered. The foregoing includes several components to get you well on your way. Please reach out to Zasio’s professionals and we can assist you and your organization with your privacy initiatives.