PII Retention, Deletion and Disposal Policy

The PII Retention, Deletion and Disposal Policy establishes the organization’s requirements for defining, reviewing, executing and evidencing the retention, deletion, anonymization, de-identification, return, transfer and disposal of PII. Its central purpose is to ensure that PII is retained only for approved purposes and periods, deleted or otherwise disposed of when it is no longer required, and supported by audit-ready evidence. The policy applies across controller, joint controller, processor and subprocessor contexts, reflecting that retention and final disposition obligations may arise from approved processing purposes, lawful basis records, controller instructions, contractual requirements, PII principal erasure outcomes, service exit, storage media disposal and PIMS monitoring findings. The policy is operationally focused and requires retention governance to be embedded in canonical PIMS evidence records rather than maintained in a separate deletion register. Controller processing activities must have a documented retention rule assigned in REG02 before processing begins. Joint-controller responsibilities are recorded in REG02 and REG08, while processor and subprocessor retention, return, transfer and deletion instructions are maintained in REG08. Approved retention rules must include the retention period, start trigger, owner, justification, final disposition and next review date. The policy also requires Data Protection Officer or Privacy Advisor advice before approval of retention rules involving legal conflict, high-risk processing, special-category PII or retention beyond the original processing purpose. Execution requirements cover the full PII lifecycle. The System Owner / Application Owner must execute or schedule approved deletion, return, transfer, anonymization, de-identification or disposal within the deletion window recorded for the applicable retention rule. The policy distinguishes live systems, archives, backup copies, replicas, logs, staging areas and temporary files, requiring these stores to be identified in REG02 before production go-live and during annual retention review. It also requires backup retention windows and restoration deletion handling to be documented, and expired deletion or restriction actions to be re-applied to restored backup data before the restored environment is released for business use. Temporary files and staging copies containing PII must be deleted or disposed of within the documented REG02 period after the related processing task ends. The policy also addresses secure disposal, anonymization, de-identification, exception control and monitoring. Disposal method classes for storage media that contains or may contain PII must be approved by the Information Security Lead in REG12 before reuse, release, destruction or external disposal. Anonymization or de-identification may be used as a retention risk-reduction measure or final disposition outcome, but must be documented in REG02 and approved by the Privacy Lead / PIMS Manager before identifiable PII is retained beyond its purpose or retention period. Exceptions to approved retention rules must be submitted and approved in REG12 before becoming active, with monthly review until closure. Metrics such as complete retention metadata, overdue reviews, overdue lifecycle actions and overdue final disposition evidence are measured at defined intervals, while nonconformities, audit findings and corrective actions are linked to REG12 to support continual improvement.