5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
The definition of ‘necessary’ in terms of length of time is primarily for the business to decide as the Act does not give a specific minimum or maximum.
You should think about why you are using the data, decide how long you will need to keep it for and review the process regularly.
After the purpose is completed, the data must be securely deleted or destroyed.
Sometimes the length of time you keep the information may be determined by an external body or by legislation. For example, bookkeeping records which must be kept for a minimum of 6 years.