The incorporation of privacy requirements into an organization’s information governance program often focuses on personal information and the records that contain it. While this is a crucial consideration for ensuring privacy compliance, there has been growing regulatory focus on privacy compliance records separate and apart from those containing personal information. These requirements oblige organizations to retain records demonstrating the compliance of their privacy programs, records which may need to be presented to regulatory authorities upon request.
Records Demonstrating Privacy Program Compliance
Organizations are required to retain certain records in order to demonstrate their compliance with privacy and data protection laws and regulations:
- Data Breach Records: Breach reporting laws may require organizations to record instances of data breaches involving personal information. Reporting requirements vary by jurisdiction: some require that all breaches be reported to regulators, others only those involving a significant risk of harm, and in some cases breaches must also be reported to affected individuals. Where a threshold must be met before reporting is required, organizations should retain the records of that assessment and the decision made, so that a decision not to report can be substantiated if later questioned. (Personal Information Protection and Electronic Documents Act (Canada); Breach of Security Safeguards Regulations (Canada); Data Protection Act 2018 (UK); Act of 12 March 2019 on Personal Data Processing (Czech Republic))
- Records of Data Processing: Records of processing activities generally cover actions taken regarding personal information, such as those defined in the EU General Data Protection Regulation (GDPR): “collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” These records are meant to demonstrate how and why personal information is handled by an organization. Similar requirements can be found in local legislation throughout Europe and around the globe. (General Data Protection Law (Brazil))
- Privacy Impact Assessments (PIA) / Data Protection Assessments / Data Protection Impact Assessments (DPIA): Many privacy laws require organizations to conduct a risk assessment prior to processing personal information, particularly when the personal information is sensitive or the processing may result in a real risk of harm to individuals. Other records relating to these assessments may need to be retained, such as threshold assessments conducted when determining whether or not it is necessary to proceed with a PIA/DPIA. (Guide to undertaking privacy impact assessments (Australia); Consumer Data Protection Act (Senate Bill No. 1392) (Virginia))
- Privacy Policies, Practices and Notices: To align with the principles of transparency and openness, organizations are required to document their information handling practices and policies, making them available to individuals through means such as privacy notices. These documents should set out the purposes for the collection of personal information, the intended uses, disclosures, retention periods, etc. Organizations should also keep records of their internal policies and procedures relating to their privacy program. (Data Protection Act 2018 (UK); Consumer Privacy Protection Act (Bill C-11) (Canada))
- Records of Consent: Many jurisdictions follow consent-based models to allow for the collection, use, disclosure, etc. of personal information. In the event of a complaint or investigation, the organization would be required to provide evidence of such consent, including whether it relied on express or implied consent, or whether a determination was made that consent was not required under a particular exemption (e.g. publicly available information). Organizations should also keep records of withdrawals of consent. (Competition and Consumer (Consumer Data Right) Rules 2020 (Australia); Law 1581/2012 on Data Protection (Colombia))
- Access to Information and Amendment / Deletion / De-Identification of Information: Many laws provide individuals with a right of access to personal information relating to them that an organization has under its control. Records relating to access requests, including the reasons for denying access, should be retained. Where individuals can request that personal information be amended, organizations may also be required to keep records demonstrating that amendment requests were transmitted to third parties where necessary, and records of determinations made where there is disagreement about an amendment. Organizations should also retain records of deletion requests, together with evidence that the information was deleted or de-identified. (Act of 12 March 2019 on Personal Data Processing (Czech Republic); California Consumer Privacy Act of 2018; Competition and Consumer (Consumer Data Right) Rules 2020 (Australia))
- Records of Decisions about Individuals: Organizations may also be required to keep records of decisions, recommendations, or predictions made about an individual, and of decisions that directly affect an individual if personal information was used in the decision-making process. This includes records relating to the use of automated decision-making and algorithmic transparency. (Personal Information Protection Act (British Columbia); Consumer Privacy Protection Act (Bill C-11) (Canada))
Reflecting Privacy Compliance Records in Information Governance Programs
As part of overall privacy compliance, organizations should consider how to integrate these records into their information governance programs. One approach is to establish a dedicated record category, such as “Privacy Program Compliance”, in the enterprise records retention schedule. Organizations should also reflect privacy compliance recordkeeping and the related procedures in their information governance policy documentation.