[Company Letterhead/Logo]

Data Retention Policy

Effective Date: [Insert Date]

Last Revised: [Insert Date]

1.1 Introduction

This Data Retention Policy ("Policy") is established by [Insert Organisation Name] to ensure the lawful, fair, and transparent handling of personal data in compliance with the Digital Personal Data Protection Act, 2023 ("DPDPA"), the Information Technology Act, 2000, and other applicable laws and regulations. This Policy sets out the principles and procedures governing the retention and secure disposal of data processed by the Organisation.

1.2 Objectives

  • Ensure compliance with legal, regulatory, and contractual obligations related to data retention.
  • Protect the privacy and security of personal data throughout its lifecycle.
  • Provide clear guidelines for the retention, archiving, and destruction of data.
  • Minimise risks associated with over-retention, such as legal liabilities and security breaches.

1.3 Scope

This Policy applies to:

  • Data Types: Personal data, sensitive personal data, business records, operational data, and other information processed by the Organisation, regardless of format (electronic or physical).
  • Entities Covered: All employees, contractors, vendors, and third parties processing data on behalf of the Organisation.
  • Systems: Applications, databases, storage media, and systems used by the Organisation.

1.4 Data Retention Principles

  • Purpose Limitation: Retain data only for as long as necessary to fulfill its original purpose, as outlined in privacy notices or agreements.
  • Retention Periods: Based on legal, regulatory, contractual, and operational requirements, detailed in the Data Retention Schedule (Annexure A).
  • Data Minimisation: Retain only data necessary for specific purposes.
  • Access Controls: Limit access to retained data to authorised personnel.
  • Secure Disposal: Ensure secure destruction or anonymisation of data no longer required.

1.5 Responsibilities

  • Data Protection Officer (DPO):
    • Oversee Policy compliance and periodic reviews of the Data Retention Schedule.
    • Address queries related to data retention and disposal.
  • Department Heads:
    • Ensure departmental compliance with the Policy.
    • Identify and classify data within their areas of responsibility.
  • Employees and Contractors:
    • Adhere to data retention guidelines.
    • Report non-compliance or data incidents to the DPO.

1.6 Data Retention Schedule

The Data Retention Schedule (Annexure A) specifies:

  • Categories of data.
  • Retention periods for each category.
  • Legal or regulatory justification for retention.
  • Procedures for data archiving, retrieval, and secure disposal.

1.7 Data Destruction and Disposal

  • Disposal Methods:
    • Physical Records: Shredded, incinerated, or securely destroyed.
    • Electronic Data: Permanently deleted using industry-standard techniques.
  • Destruction Documentation:
    • Maintain records of data destruction, including the date, method, and responsible personnel.

1.8 Audit and Monitoring

  • Conduct regular audits to ensure adherence to the Policy and Data Retention Schedule.
  • Report instances of non-compliance to the DPO and address them promptly.
  • Review the Policy annually or as required by legal or operational changes.

1.9 Exceptions

Any exceptions to retention or disposal requirements must be:

  • Approved by the DPO.
  • Documented with a rationale for the exception.

1.10 Contact Information

For questions or concerns regarding this Policy, contact:

Data Protection Officer: [Insert Name]
Email: [Insert Email Address]
Phone: [Insert Phone Number]
Address: [Insert Organisation Address]

1.11 Acknowledgement and Acceptance

All employees, contractors, and third parties processing data on behalf of the Organisation must acknowledge and accept this Policy as part of their responsibilities.

Approved by: [Insert Approver Name]
Title: [Insert Approver Title]
Date: [Insert Approval Date]

Site maintained by Advocate (Dr.) Prashant Mali for Public in General interest
