Principle 5 states that personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes. In short, under Principle 5 organisations should not keep data on a person for longer than is necessary.

In practice, this means that organisations need to review the length of time for which personal data is held and consider the purpose or purposes for which it was collected when deciding whether, and for how long, it needs to be retained.

Keeping personal data for too long can cause problems in itself, because all of the Data Protection Act's requirements still apply even when the data is no longer required.

Examples of issues with keeping data for too long are:

  • There is an increased risk that the data will go out of date and that this stale information will then be used in error.
  • As time passes it becomes more difficult to prove that the information is still accurate.
  • Even if the data is no longer required, it must still be kept securely, so it remains a liability if lost or breached.

Organisations must securely delete information that is no longer needed, and personal data that goes out of date must be either updated, archived or securely deleted.

There must be provisions to dispose of or destroy data once it is no longer required. Care should be taken when computer equipment is disposed of, as all personal information on it will need to be completely erased so that it cannot fall into third-party hands.

Records should only be archived if they still need to be kept. If a record is to be deleted from a live computer system it should also be deleted from any backup files, otherwise the deletion is incomplete. It is good practice for organisations to make it clear to people, when their information is no longer required, whether it is deleted irretrievably from a computer system or simply deactivated. Archived and deactivated accounts will still have to comply with all of the Data Protection Act's principles.