Document retention
Purging files and records
The Fifth Principle goes further than simply requiring unwanted documents to be destroyed. It is a clear instruction to purge unwanted personal data from records and documents.
Most organisations implement the Fifth Principle by adopting a document and file retention policy. Arguably this is insufficient because such policies refer to documents rather than the personal data they contain.
Personal data may be held in files together with other information that is not personal data. In many cases, files of documents will contain personal data with different applicable retention periods. So the Fifth Principle intrinsically requires the purging of files as well as file deletion or destruction, because it relates not to the files themselves but to the personal data they contain.
Destruction of unwanted records
Another problem with document retention policies is that, while they refer to document and file retention, they rarely specify what should be done with documents and data once the specified retention periods have expired. The implication of the Fifth Principle is that documents containing personal data, and information comprising personal data, should be destroyed and deleted respectively once they are no longer required for the purpose for which they are held. In practice many organisations find it difficult to order the destruction of files: there may be a nagging doubt as to whether or not the information may still be required.
Permanent deletion of data held on computer
Another problem arises where data is held on computer systems. The Information Commissioner is aware that computer systems do not always lend themselves to permanent deletion of data or to anonymising personal data.
Legal Guidance (issued December 2001) suggests that the organisation should take such technical and organisational measures as are necessary to ensure that anonymised information cannot be reconstituted to become personal information, and that it should also be prepared to justify any decision it makes in relation to processing such data.
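The two points above (purging personal data from files rather than deleting whole files, and making the deletion on a computer system permanent rather than reversible) can be shown in a small field-level purge routine. This is an added example, not code from the original guidance: the field names, the per-field retention periods and the sample records are constructed for illustration, and the 365-day year is a simplification. Expired personal fields are overwritten with an irreversible marker while non-personal fields in the same record survive, and any field without a retention classification is refused rather than silently kept.

```python
"""Field-level retention purge (added example; constructed policy and data)."""
from datetime import date, timedelta

# Hypothetical per-field retention policy in years from the record's
# retention start date. None marks a field that is not personal data and
# is retained under other rules (e.g. accounts), so this routine leaves it.
RETENTION_YEARS = {
    "customer_name": 6,      # contractual correspondence: six years from termination
    "email": 6,
    "postal_address": 6,
    "marketing_consent": 2,  # constructed period for a marketing prospect field
    "order_total": None,     # financial figure, not personal data on its own
}

PURGED = "[purged]"          # overwrite marker: the original value is not recoverable
TODAY = date(2007, 6, 1)     # constructed reference date for the sample run

# Constructed sample records; 'retained_since' anchors every field's clock
# (for a contract, the termination date).
SAMPLE_RECORDS = [
    {"retained_since": date(2000, 1, 1), "customer_name": "A. Person",
     "email": "a@example.invalid", "postal_address": "1 Example Street",
     "marketing_consent": "yes", "order_total": 120.50},
    {"retained_since": date(2005, 1, 1), "customer_name": "B. Person",
     "email": "b@example.invalid", "postal_address": "2 Example Street",
     "marketing_consent": "no", "order_total": 45.00},
]


def unclassified_fields(record, policy=RETENTION_YEARS):
    """Fields in the record that the policy does not classify at all."""
    return [f for f in record if f != "retained_since" and f not in policy]


def field_expired(field, retained_since, today, policy=RETENTION_YEARS):
    years = policy[field]
    if years is None:
        return False
    return today >= retained_since + timedelta(days=365 * years)


def purge_record(record, today, policy=RETENTION_YEARS):
    """Return (copy of record with expired personal fields overwritten, purged field names).

    Overwriting the value rather than deleting the key leaves evidence that
    the field existed and was purged, without retaining the data itself.
    """
    missing = unclassified_fields(record, policy)
    if missing:
        # Fail closed: an unclassified field must be classified before the
        # record can be processed, otherwise personal data could linger unnoticed.
        raise KeyError(f"fields without retention classification: {missing}")
    out = dict(record)
    purged = []
    for field in list(out):
        if field == "retained_since" or out[field] == PURGED:
            continue
        if field_expired(field, record["retained_since"], today, policy):
            out[field] = PURGED
            purged.append(field)
    return out, purged


def purge_all(records, today, policy=RETENTION_YEARS):
    """Purge every record; returns (new_records, {field: number_of_records_purged})."""
    new_records, counts = [], {}
    for rec in records:
        new_rec, purged = purge_record(rec, today, policy)
        new_records.append(new_rec)
        for f in purged:
            counts[f] = counts.get(f, 0) + 1
    return new_records, counts


def run_sample():
    """Purge the constructed records as at TODAY; used by the demo below."""
    return purge_all(SAMPLE_RECORDS, TODAY)


if __name__ == "__main__":
    records, counts = run_sample()
    for r in records:
        print(r)
    print("purged per field:", counts)
```

Running the routine a second time over its own output purges nothing further, which is the property a scheduled purge job needs; a real system would also have to purge backups and indexes that hold copies of the same fields.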
How long to retain personal data
The guidelines for how long to retain documents arise from legal requirements and business needs.
Legal requirements apply to contractual documents, for example. Correspondence relating to a contract should be retained for six years from termination of the contract. Other legal requirements apply to tax records and accounts, which should be kept for seven years from the relevant tax year. Company law requires other documents to be kept indefinitely, such as minute books and details of shareholders and directors.
Business needs set document retention periods in other areas. Take the example of a marketing database. Personal data relating to marketing prospects may be retained for a number of years without any contact from the data subject so long as the contact details were kept up to date by undertaking data cleansing activities. There is an overlap here with the Fourth Principle which requires that personal information be accurate and kept up to date.
When deciding how long to retain a prospect on the database, the organisation may have regard to the statistical frequency with which its data subjects are likely to move house, and to other circumstances such as the number of returned mailings, those marked ‘gone aways’ and the number of data subjects who exercise their right to object to direct marketing following a direct mailshot. Once the number of returns reaches an unacceptable level, the organisation will have determined the period for which data should be retained without further contact from the data subject.
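The approach just described, deriving a retention period from the point at which returns become unacceptable, can be worked through on a small set of mailing statistics. This is an added example, not part of the original guidance: the cohort figures, the acceptable return rate and the prospect records are all constructed, and the assumption that the return rate rises with the time since last contact is the one the text implies.

```python
"""Retention period for marketing prospects from mailing returns (added example)."""
from datetime import date, timedelta

# Constructed statistics per cohort of prospects, keyed by whole years since
# the last contact: (mailed, returned undelivered, marked 'gone away',
# objected to direct marketing after the mailshot).
MAILING_STATS = {
    1: (10000, 120, 80, 50),
    2: (8000, 260, 190, 60),
    3: (6000, 420, 380, 70),
    4: (5000, 650, 720, 90),
    5: (4000, 900, 1100, 100),
}

ACCEPTABLE_RETURN_RATE = 0.10  # constructed threshold: 10% of a mailing coming back
TODAY = date(2007, 6, 1)       # constructed reference date

# Constructed prospect records: (prospect id, date of last contact)
SAMPLE_PROSPECTS = [
    ("P1", date(2004, 5, 1)),
    ("P2", date(2006, 1, 1)),
    ("P3", date(2007, 3, 15)),
]


def return_rate(mailed, returned, gone_away, objected):
    """Share of a mailing that came back or led to an objection."""
    return (returned + gone_away + objected) / mailed


def retention_years(stats=MAILING_STATS, max_rate=ACCEPTABLE_RETURN_RATE):
    """Longest gap since last contact at which the return rate is still acceptable.

    Cohorts are checked in increasing order and the search stops at the first
    unacceptable one, on the assumption that returns rise with contact age.
    Returns 0 if even the youngest cohort exceeds the threshold.
    """
    years = 0
    for gap in sorted(stats):
        if return_rate(*stats[gap]) > max_rate:
            break
        years = gap
    return years


def stale_prospects(prospects=SAMPLE_PROSPECTS, today=TODAY,
                    stats=MAILING_STATS, max_rate=ACCEPTABLE_RETURN_RATE):
    """Ids of prospects whose last contact is older than the derived retention period."""
    limit = timedelta(days=365 * retention_years(stats, max_rate))  # 365-day years
    return [pid for pid, last_contact in prospects if last_contact + limit <= today]


if __name__ == "__main__":
    for gap in sorted(MAILING_STATS):
        print(f"{gap} year(s) since contact: return rate {return_rate(*MAILING_STATS[gap]):.1%}")
    print("retention period:", retention_years(), "year(s)")
    print("prospects past retention:", stale_prospects())
```

The derived period is only as good as the cohort figures behind it, so the statistics should be refreshed after each mailshot and the threshold recorded with the policy so the decision can be justified later.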
Archive and destruction facilities
These facilities must be secure: the requirement to ensure appropriate security for personal information extends to storage and to destruction or deletion. In practice these facilities are often outsourced and managed by others, which brings in the data protection requirements relating to outsourcing contracts.
Where to seek guidance
Guidance on appropriate data retention periods should be sought from industry and professional bodies as well as legal and data protection advisers.
Summary of issues to check
Review your organisation’s document retention policy and check that the issues identified are covered. Does the policy:
- Apply to data as well as documents?
- Refer to purging files to remove data?
- Specify what to do with data and documents at the expiry of the retention period?
- Cover data held on computer?
Mandy Webster
2007