When to keep and delete personal information

A retention and disposition plan is a schedule for how long your initiative intends to hold onto personal information and when it will be destroyed. It should include a rationale as to why the personal information needs to be kept, for how long, and how to properly dispose of it when it’s time to do so.

When you need a retention and disposition plan

Your initiative always needs a retention and disposition plan for personal information it collects, creates, uses or shares.

How long to keep personal information

Depending on how the personal information is used, there may be legal obligations to hold onto it for a certain time period. For example, personal information used to make a decision about someone must be kept for at least two years after the last time it was used. This gives the person time to make a request to access their information.

Your initiative may determine that, to meet its needs, personal information should be kept for longer than two years. Your initiative can delete personal information earlier than two years if it no longer needs it and the individual has agreed to its destruction.

Privacy tip: Your retention and disposition plan will depend on the context and circumstances of your initiative, so long as it can be rationally justified.

When to update and review your retention plan

Your retention and disposition plan should be reviewed and/or updated any time the initiative changes how it collects, creates, uses, or shares personal information. This is to make sure your plan still makes sense and meets all the requirements of the Privacy Act. These modifications to the handling of personal information may also require an update to your initiative's Privacy Impact Assessment and related Personal Information Bank.

