What every organisation should know about the Retention limitation Obligation
As soon as the purpose for which the personal data was obtained is no longer fulfilled and retention is no longer required for legal or business purposes, an organization must cease retention of any documents (both digital and physical) holding personal information.
This is inscribed under Section 25 of the PDPA, which states that an organization must cease retaining its documents containing personal data or remove the means by which the personal data can be associated with specific individuals as soon as it is reasonable to assume that the purpose for which the personal data was collected is no longer being served by retention of the personal data and retention is no longer required for legal or business purposes.
How long can personal data be retained?
The Retention Limitation Obligation prohibits organizations from holding personal data indefinitely if there are no legal or business justifications for doing so. The risk of violating the Data Protection Provisions increases if personal information is kept for an indefinite amount of time. Due to the fact that each organization has its own unique business requirements, the Retention Limitation Obligation does not stipulate a predetermined period of time for which an organization may preserve personal data.
Instead, the length of time for which an organization may lawfully retain personal data is evaluated based on a reasonableness standard, taking into account the purposes for which the personal data was collected and other legal or business purposes for which retention of the personal data may be required.
Notably, although the PDPA does not impose a set retention time for personal data, enterprises must comply with any applicable legal or industry-specific retention obligations. In practice, the PDPA’s retention duration for personal data will rely on the following factors:
a. The reason(s) why the personal information was gathered. That is: (i). personal data may be stored as long as one or more of the purposes for which it was obtained remain valid; and (ii). personal data must not be retained by an organization “just in case” it may be required for other purposes that have not been disclosed to the individual concerned.
b. Other legal or business purposes for which the organization’s preservation of the personal data is required. This may include situations in which: (i). the personal data is required for an ongoing legal action involving the organization; (ii). the retention of the personal data is necessary to comply with the organization’s obligations under other applicable laws, regulations, international/regional/bilateral standards which require the retention of personal data; or (iii). the personal data is required for the organization to carry out its business operations, such as providing customer service.
An organization should regularly assess the personal data it maintains to see if it is still required. An organization that maintains a vast number of distinct forms of personal data may be required to set differing retention periods for each category of personal data.
In many cases, organizations may already have their own document retention rules, which may address the length of time for which records should be retained. These policies will be subject to the Retention Limitation Obligation’s restrictions.
Organizations must design or modify pertinent processes to ensure that personal data is recorded and maintained in a way that supports compliance with the Retention Limitation Obligation. In this context, the Commission acknowledges that organizations may have data retention policies applicable to groups or batches of personal information.
As a matter of best practice, organizations should develop a personal data retention policy that outlines their approach to personal data retention periods. In particular, where personal data is stored for an extended period of time, an organization’s personal data retention policy should explain the rationale for doing so.
Ceasing to retain personal data
When there is no longer a need for an organization to retain personal data, it must act expeditiously to verify that it is not holding such data in any of the two ways specified under the PDPA. In other words, an organization can stop retaining documents containing personal data or eliminate the means by which the data might be associated with specific individuals (that is, to anonymize the data).
An organization stops retaining documents containing personal data when it, its agents, and its data intermediaries can no longer access those documents and the personal data they contain. Examples include:
a) Returning the documents to the individual concerned;
b) Transferring the document to another person per the individual’s instructions;
c) Destroying the documents – for instance, by shredding them or disposing of them in an appropriate manner; and
d) Anonymizing the personal data.
Factors relevant to whether an organization has ceased to retain personal data
In determining whether an organization has ceased to retain personal data, the Commission will consider the following factors in relation to the personal data in question:
a) Whether the organization has any intention to use or access the personal data;
b) How much effort and resources the organization would need to expend in order to use or access the personal data again;
c) Whether any third parties have been granted access to that personal data; and
d) Whether the personal data have been deleted.
Breach of Retention Limitation Obligation by Interauct!
The recent decision that was released by the PDPC involving Interauct! underscores the importance of exercising the Retention Limitation Obligation by the PDPA. After breaching such an Obligation, luckily, the organization was only warned by the PDPC.
Interauct! Pte Ltd conducted an online auction for mobile phone numbers on behalf of a telecoms company. This arrangement began in 2000 and concluded in 2018. The Commission was notified in November 2019 that the Telco’s cybersecurity team had discovered an internet sub-domain containing files containing the personal information of individuals who had participated in the Auction. The Files comprised the Name, ID (such as a passport number or NRIC), Mobile number, Address, Date of birth, and Email address of individuals.
The Commission’s investigation discovered that the organization had contracted a third party to provide web hosting services for the Auction. The vendor conducted server migration exercises in 2012 and 2016. Prior to both server relocation efforts, the organization made Files backups and uploaded them to the vendor’s servers. The company did not delete the Files upon the completion of the server migration.
The Organization erased the Files within three hours of receiving notification from the Telco that the Internet sub-domain had been discovered. Additionally, the Organization ensured that the vendor corrected the misconfiguration of the servers within six hours of discovering the Internet sub-domain.
The organization acknowledged that there was no purpose to maintain the Files following the completion of the migration exercises. If the Files had been properly removed, the personal information contained in the Files would never have been compromised.
How a DPO can help organizations
When organizations fail to observe the Retention Limitation obligation, a financial penalty can be imposed by the PDPC. To ensure that this will never happen to your organization, a DPO can help.
A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organizations comply with the Personal Data Protection Act (PDPA). Furthermore, every Organization’s DPO should be able to curb any instances of cyber threats and instances of data breaches as it is the officer responsible for maintaining the positive posture of an organization’s cybersecurity.
For instance, at Privacy Ninja, we make sure that obligations in keeping personal data are met, and that includes its disposal when it no longer serves its purpose. This is to prevent any instance of accidental usage of personal data that must not be used or must be deleted already.
DPOs complement the efforts of Organizations in making sure that the personal data collected and used is accurate. This is because when there is an instance that the obligation has been breached, DPOs ensure that a protocol for dealing with it has been established and can be employed.
As a consumer who provides my very own sensitive information to each organization I encounter or have a transaction with, I would feel safe if an organization would take the extra mile to ensure that my data is correct and concise as it affects me whenever a decision is made.