With increased data protection, various exemptions, legitimate interests, and many other areas of data protection to navigate post-GDPR, it can sometimes be difficult to know which records should be kept and which records need to be destroyed.
This can be difficult for law firms in particular due to variations in regulations for specific legal sectors. Knowing when to retain and destroy documents should be a top priority for law firms, as handling confidential client information comes with the responsibility to protect this information.
So, what documents do we need to keep?
Below are the information retention schedule regulations used by the Information Commissioner’s Office in August 2018. This is a good place to start when drawing up your own retention schedule.
Regulatory |
Retention trigger |
Retain for |
Action |
|---|---|---|---|
Appeals information tribunal |
Case closed |
6 years |
Destroy |
All criminal enforcement cases |
Case closed |
6 years |
Review |
Civil enforcement case where an action was taken |
Case closed |
6 years |
Review |
Civil enforcement case where no action was taken |
Case closed |
2 years |
Destroy |
Gathered intelligence |
Entered onto intelligence log |
6 years |
Review |
Data protection and FOI complaints |
Case closed |
2 years |
Destroy |
Data protection and FOI complaints physical items (items which cannot be scanned or returned) |
Case closed |
6 months |
Destroy |
Cases relating to Section 159 of the Consumer Credit Act 1974 |
Case closed |
6 years |
Destroy |
Audit reports |
Case closed |
6 years |
Review |
Advisory visits and supporting audit documents |
Case closed |
12 months |
Destroy |
IPA supporting audit documents |
Case closed |
Until the next audit or 3 years, whichever is sooner |
Destroy |
High priority case file supporting audit documents |
Case closed |
6 years |
Review |
Data protection fee information |
Case closed |
2 years |
Destroy |
Breach report – no action is taken |
Case closed |
2 years |
Destroy |
Internal regulatory activities |
Retention trigger |
Retain for |
Action |
|---|---|---|---|
Information created in relation to new policies, guidelines, and research. This information has been created internally to guide decision making. This relates to any final drafts and significant supporting information. |
Last action |
6 years |
Review |
Stakeholder engagement |
Retention trigger |
Retain for |
Action |
|---|---|---|---|
First line advice services |
Case closed |
2 years |
Destroy |
Engagement with significant stakeholders (including government departments, large companies, charities, and international work) |
Last action |
6 years |
Review |
Engagement with less significant stakeholders (advice provided to smaller organisations with the advice only affecting small numbers) |
Last action |
3 years |
Review |
Guidance for external use |
Superseded |
6 years |
Review |
Data privacy impact assessments |
Last communication |
6 years |
Review |
Finalised binding corporate rules |
End of contract |
6 years |
Review |
BCR initial assessment supporting documents |
National authorisation |
2 years |
Review |
BCR point of contact and legal representation details |
After each annual update |
12 months |
Review |
Consultations (The ICO gathers information externally through an open consultation in relation to policies they are developing) |
Policy published |
As soon as policy published |
Destroy |
Information requests including MP requests |
Last action |
2 years |
Destroy |
Corporate governance |
Retention trigger |
Retain for |
Action |
|---|---|---|---|
Health and Safety inspections, property management, and asset records |
Last action |
6 years |
Review |
Documents relating to IT system integral to their running and long-term use |
End of system life |
3 years |
Review |
Records and information management |
Last action |
3 years |
Review |
IT infrastructure |
Last action |
3 years |
Review |
Information security |
Last action |
6 years |
Review |
nformation requests (including MP requests not dealt with directly by the commissioner) |
Case closed |
2 years |
Destroy |
Projects and corporate programmes |
Last action |
3 years |
Review |
Building reports, risk assets, helpdesk and security reports |
Last action |
3 years |
Review |
IT backups |
Last action |
3 months |
Destroy |
System audit logs |
Last action |
12 months |
Destroy |
CCTV |
Last action |
1 month |
Destroy |
Reception sign-in book |
End of year |
2 years |
Destroy |
Google Analytics reports |
Last action |
38 months |
Destroy |
Finance |
Retention trigger |
Retain for |
Action |
|---|---|---|---|
Financial information |
End of the financial year |
6 years |
Destroy |
Payroll Capita reports |
End of the financial year |
6 years |
Destroy |
Legal |
Retention trigger |
Retain for |
Action |
|---|---|---|---|
Policy legal and legal advice |
Last action |
6 years |
Review |
Enforcement legal cases |
Case closed |
6 years |
Review |
Contracts |
End of contract |
7 years |
Review |
Unsuccessful tenders |
Last action |
400 days |
Review |
Building contracts and leases |
End of contract |
12 years |
Review |
Organisation-wide |
Retention trigger |
Retain for |
Action |
|---|---|---|---|
Significant draft versions (the draft versions of policies, advice and guidelines for significant areas of work) |
Last action |
3 years |
Review |
Less significant draft versions (general drafts of documents created for less significant work) |
Last action |
12 months |
Review |
Internal audits |
Creation |
3 years |
Destroy |
Internal guidance and lines to take |
Creation |
3 years |
Destroy |
Templates, procedures, team information, and team meetings |
Last action |
3 years |
Review |
Annually renewed documents |
End of the financial year |
3 years |
Review |
Department logs and registers |
Last action |
12 months |
Review |
Team administration |
Creation |
3 years |
Review |
Management information |
End of the financial year |
6 years |
Review |
General content types (SharePoint) |
Last action |
12 months, 3 years, 6 years |
Review |
Mobile device information for visitor wifi use |
Creation |
90 days |
Destroy |
Transfer to the National Archives |
Retention trigger |
Retain for |
Action |
|---|---|---|---|
Information detailing what has been sent to The National Archives (not transferred) |
Last action |
6 years |
Review |
Section 55 DPA and Section 77 FOI |
Case closed |
Prepare for transfer |
|
Publications and material |
Creation |
Prepare for transfer |
|
Management board minutes |
Last action |
Prepare for transfer |
|
Senior leadership team minutes |
Last action |
Prepare for transfer |
|
Upper Tribunal Case and Court of Appeal |
Case closed |
Prepare for transfer |
|
ICO constitution |
Superseded |
Prepare for transfer |
|
Office-wide strategic plans |
Superseded |
Prepare for transfer |
|
Department of culture, media, and sport |
Last action |
Prepare for transfer |
|
Delegated authority |
Last action |
Prepare for transfer |
|
Legal advice to the commissioner (where directly relevant to information rights policy) |
Last action |
Prepare for transfer |
|
High-profile casework |
Case closed |
Prepare for transfer |
|
PECR breach logs |
Superseded |
Prepare for transfer |
|
nteractions with key stakeholders in relation to interpreting Data Protection and Freedom of Information Act, Code of Practice relating to acts, legislative development, and significant internal advice |
Last action |
Prepare for transfer |
|
Civil monetary penalty cases |
Case closed |
Prepare for transfer |
These regulations ensure that data is not kept for longer than necessary, and any data kept for legal reasons is periodically reviewed.
What about data destruction exemptions?
In criminal law, there are many exemptions from data destruction. In England and Wales, the Police and Criminal Evidence Act of 1984 (Part 5) overrules GDPR and makes provision for the retention of DNA profiles and fingerprints, amongst other records. If a conviction has been made for a recordable offence, the individual’s DNA profiles and fingerprints may be kept on file indefinitely.
However, many records held by law firms, such as non-disclosure agreements, opinion letters and factual summaries in convicted cases, may have to be expunged if not required to pass onto The National Archives. This will usually happen once the convicted person has completed their court-mandated sentence, and is a means of protecting the individual as well as witnesses from further ramifications after they have fulfilled their societal obligations. This is why the review and destruction processes are so important.
How can I destroy legal documents safely?
Shredding documents that are no longer needed is the safest and most secure option law firms can take to protect their sensitive records. Another advantage of shredding is that it will reduce the costs of holding onto inactive records kept in long-term storage. Electronic files and digital media storage devices containing sensitive information must also be destroyed if no longer used, even if encrypted or wiped, as this information can still be recovered by an experienced data thief.
We hope this article has shed light on your obligations when retaining legal records, actions to take after retention periods, and implementing their destruction.
Here at Shred Station, we are fully accredited to securely handle the destruction of your confidential data. If you’d like to request a free e-brochure, call back, or a quick quote, you can do so via our Contact Us page.
---
Information correct at time of publication, 4th February 2019. If you would like further clarification with regards to retention and destruction periods for your specific industry, please seek further guidance from the Information Commissioner’s Office. Shred Station can accept no responsibility for any incorrect retention or review guidelines in the above text. These information retention schedule regulations are as detailed by the Information Commissioner's Office in August of 2018. To stay updated with industry guidelines after the date of publication, please contact the Information Commissioner’s Office.