Retaining Personal Data
The GDPR does not specify periods for the retention of personal data. It is left to data controllers to decide how long personal data should be retained, taking into account the Data Protection Principles, business needs and any professional guidelines. In the context of Swansea University, the following factors need to be taken into consideration:
- The need to balance the requirement of the fifth Data Protection Principle - that personal data should not be kept for longer than necessary - against the need to prevent the premature or accidental destruction of data which would damage the interests of data subjects, contrary to the sixth Data Protection Principle.
- The exemptions provided by the GDPR which allow longer retention periods for data held specifically for historical, scientific and statistical research
- The fact that the GDPR does not override provisions in other legislation (e.g. health and safety legislation) which specify retention periods for personal data.
Staff should note that under the Freedom of Information Act, it is a criminal offence to deliberately alter, deface, block, erase, destroy or conceal data which has been the subject of an access request under the GDPR or the Freedom of Information Act with the intention of preventing the release of the data. However, data may be amended or deleted after receipt of the access request but before disclosure of the data, if the amendment or deletion would have taken place regardless of the request (e.g. under a retention schedule).