Developing a good data retention framework
By Yomi Ajibade and Ridwan Oloyede
Many organizations rely on data to support their daily operations, because we live in a data-driven world. As a result of this reliance, they must determine which data to keep and which to delete. This obligation is what necessitates the concept of storage limitation. Storage limitation is one of the principles of data protection provided under the Nigeria Data Protection Regulation (NDPR). The principle provides that personal data should not be kept in an identifiable form for longer than is necessary for the purposes for which the personal data are processed. Continued storage is contingent on the implementation of the appropriate technical and organisational measures provided under the NDPR.
Understanding Data Retention
Personal data must be deleted or anonymised as soon as they are no longer needed for the purposes for which they were collected. Consequently, it becomes the duty of the controller to establish, from the various national legislations, the retention periods applicable to each type of data it processes, in order to formulate a retention schedule and time limits. When the retention period has elapsed, such data should no longer be stored or preserved for business or any other purpose; the data should be destroyed, anonymised or, in some instances, archived. Destruction should be carried out in a manner that leaves the data incapable of being recreated.
Data Retention for Businesses
Data retention is one of the biggest headaches for businesses; settling the basis on which to keep certain data longer or to dispose of them can be a niggling question. There is an extra layer of complexity for businesses operating across multiple jurisdictions, as they have a legal obligation to comply with the different national laws of the countries in which they operate. Balancing business operational needs against the legal requirement not to keep data can be a complex challenge.
A data retention framework helps businesses reduce the burden of records management, enables efficient management of stored records, controls the unrestrained growth of record volumes, reduces storage costs, improves the ability to locate and retrieve records when required, limits exposure to liabilities, improves the utilisation of resources, and ensures compliance with the provisions of the law.
The lack of a viable basis for keeping records for a longer or shorter period exposes an organisation to risks such as litigation and sanctions from the data protection authority. Storing records in excess makes it difficult to locate and identify records when they are required for reference and legal compliance. Poor records management also casts a cloud of bad faith over the organisation. Earlier this year, the Berlin and Danish Data Protection Authorities issued fines to organisations for not complying with the storage limitation principle.
Data Retention Policy & Schedule
“A data retention policy is an organization’s system of rules for holding, storing, and deleting the information it generates and otherwise handles.” “Retention schedules establish guidelines regarding how long important information must remain accessible for future use or reference, as well as when and how the data can be destroyed when it is no longer needed.” “The records retention schedule captures all of the types of records created and used by a company in the course of its business and indicates how long these records are required to be retained.” The schedule outlines the type of data, the business reason or decision for retaining the data, and the retention period. The International Standards Organisation’s International Standard on Records Management (ISO 15489:2016) is a good instrument that can assist organisations.
Factors to Consider when Establishing a Retention Period
Data retention forms part of an organisation’s records management strategy. In practice, retention schedules are determined on the basis of the types and categories of data you process, the geographical location of your businesses, the business and operational value of the data, best practice, and the legal obligations imposed by legislation. Structurally, you must determine who in your organization is responsible for the data retention policy, e.g. the CEO or the Chief Privacy Officer (CPO), because someone has to be accountable for taking this operational risk decision. Additionally, you must define what deletion actually means, so that deleted data cannot be reconstructed.
In Nigeria, NITDA’s Data Protection Implementation Draft Framework provides some factors to consider when determining storage limitation, and they are:
- The contract term agreed by parties;
- Whether the transaction type has statutory implication;
- Whether there is an express request for deletion by the Data Subject, where such Subject is not under an investigation which may require the data; and
- The cost implication of storage of such data by the Data Controller.
Data may also be retained where retention is necessary and proportionate for pursuing legitimate aims; legitimate aims include protecting national security, prosecuting criminal offences, preventing or investigating criminal activities, protecting the data subject, and protecting the rights and freedoms of others. Some data may also be stored for archiving purposes in the public interest, for scientific or statistical purposes, or for historical research.
The controller similarly needs to review the process periodically, and the rights of data subjects need to be given greater weight, particularly the rights of erasure and access. Storage of data beyond the requisite time frame is a breach of the data protection law and of any other extant law establishing a storage time limit.
Statutory Data Retention Schedule under Nigerian Law

| Law | Duration |
| --- | --- |
| Money Laundering Act | 5 years |
| Cybercrimes Act | 2 years |
| Regulation on Consumer Protection (2007) – Nigeria Communications Commission | 12 months |
| Guidelines for the Provision of Internet Service | 12 months |
| Framework for Mobile Payments Regulation – CBN | 5–7 years |
| Regulation for Direct Debit Scheme, 2018 – CBN | 6 years |
| Guideline on International Money Transfer Services in Nigeria (2014) – CBN | 7 years |
| Guideline on Point of Sale (POS) Card – CBN | 10 years |
| Guideline on Documents and Record Retention by the Medical Laboratory Science Council of Nigeria | Comprehensive retention schedule for different health records |
| Labour Act | 3 years |
| Credit Reporting Act – CBN | 6 years |
| Minimum Wage Act | 3 years |
| Dangerous Drugs Regulations | 2 years |
| Deep Offshore and Inland Basin Production Sharing Contracts Act | 5 years |
| Foreign Exchange (Monitoring and Miscellaneous Provisions) Act | 7 years |
| Companies and Allied Matters Act (CAMA) | 6 years |
| The Police Act | Permanently (record of incidents) |
| Lawful Interception of Communications Regulations, 2019 – NCC | 3 years |
Conclusion
Creating an effective data retention schedule and policy is a cardinal aspect of data processing for any organisation. Organisations will need to conduct an audit to gain a clearer picture of the personal data they currently process, and then apply the appropriate retention period to each category in order to avoid sanctions.
Yomi Ajibade, CIPP/E is a legal practitioner and a data protection professional.
Ridwan Oloyede, CIPP/E leads the pr