How long should we keep personal information for and how do we keep it secure?
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
In detail
- How long should we keep personal information that is used and generated by our profiling tools?
- How do we ensure the security of personal information used in our profiling tools?
How long should we keep personal information that is used and generated by our profiling tools?
You must not keep personal information that your profiling tools use and generate for longer than you need it. Data protection law does not set specific time limits for different types of information. It is up to you to determine, depending on how long you need the data for your purposes.
You must not hold personal information indefinitely, ‘just in case’ it might be useful in the future.
You must establish a retention period for the personal information you process in your profiling tools. You must erase or anonymise personal information when you no longer need it. You should review your retention periods regularly.
You may also have to follow other laws that set out how long you need to keep certain information for.
Further reading
How do we ensure the security of personal information used in our profiling tools?
You must process personal information securely. This means you must put appropriate technical and organisational measures in place to ensure a level of security appropriate to the risk your processing poses.
The precise measures necessary for you to achieve this depend on factors like the context of your processing activities and the potential harms that may arise if personal information was compromised.
When considering what measures to implement, you must consider:
- the state of the art;
- costs of implementation; and
- the nature, scope, context and purpose of your processing.