
What's the practice in retaining customers personal particulars?

sunhux asked:
Question from our legal department:
If our customers send us their personal particulars (e.g. NRIC, Social Security number) via email, what's the best practice out there in terms of
a) how long we retain the email?
b) after how long that we don't need it ought we to purge/delete it?
c) do we need to show evidence that it's been purged?
d) any other treatment of such customers' information?

Currently we are on O365
Commented:
Is this an EU-based question? If so, please regard https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
If not EU-based, you can still use it, as you'll be at the front of the pack regarding privacy issues.
btan, Exec Consultant
Distinguished Expert 2018
Commented:
If you are referring to the Singapore NRIC then it is best you refer to the PDPC's Advisory Guidelines on NRIC numbers.

By default your organisation should not be asking for the NRIC. It should only be in their possession or under their control when required under any law, or when necessary to accurately establish or verify the identity of the individual to a high degree of fidelity.

Organisations should not keep the personal data after it is no longer necessary for the purposes for which the personal data was collected, or for any legal or business purposes.

Organisations are reminded to cease the retention of all personal data through proper disposal or anonymisation when the purpose for collection is no longer served by the retention of the information and there is no business or legal need for it.

If I were to prepare for an audit, there would need to be evidence demonstrating the above: the protection put in place to secure the NRIC information, and the due diligence performed to remove or anonymise it once no longer needed.

This is not legal advice, but you should refer your counterpart to the relevant country's regulation.

http://www.ifaq.gov.sg/PDPC/mobile/index.aspx#DetailDoc/2110273

The retention period should be set under the policy and, as advised, once no longer required the data should be removed. O365 has retention policies and you need to explore the exact period required. The default is not to even request it; users are educated too, and remove such content when no longer required.

https://docs.microsoft.com/en-us/microsoft-365/compliance/retention-policies
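As an added example (not code from the thread or from Microsoft's documentation), the Security & Compliance PowerShell cmdlets that implement the point above: an Exchange Online retention policy that deletes mail after a fixed age, plus the queries you would keep as audit evidence for question c). The 365-day period, the policy names and the admin UPN are placeholders, since the thread settles on no specific period.

```powershell
# Added example: an Exchange Online retention policy that deletes mail after a fixed age.
# Assumptions: the ExchangeOnlineManagement module is installed and the signed-in account
# holds the Compliance Administrator role. The 365-day period and the names are
# placeholders; take the real period from your own retention policy.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder UPN

$policyName = 'Customer-ID-mail-retention'   # placeholder name
$ruleName   = "$policyName-rule"
$retainDays = 365                             # placeholder period

# Policy object: scopes the rule to every Exchange mailbox in the tenant.
New-RetentionCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -Comment 'Purge mail containing customer identifiers once no longer required' `
    -Enabled $true

# Rule: delete items $retainDays days after they were last modified, with no "keep" hold.
New-RetentionComplianceRule -Name $ruleName `
    -Policy $policyName `
    -RetentionDuration $retainDays `
    -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction Delete

# Evidence for an audit: the policy definition and where it has actually been distributed.
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus, ExchangeLocation

Get-RetentionComplianceRule -Policy $policyName |
    Select-Object Name, RetentionDuration, RetentionComplianceAction, ExpirationDateOption
```

A Delete-only rule purges items regardless of content; where the legal department identifies a business or legal need to hold the mail for the full period first, use -RetentionComplianceAction KeepAndDelete so items cannot be removed early.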

Author commented:
From the PDPC doc dated Jan 2019:
"4.28 The PDPA does not provide a right for individuals to request that an organisation ceases to retain their personal data per se. Thus, an organisation which receives a notice of withdrawal of consent for publication of a photograph or video recording is not necessarily required to delete that photograph or video recording from all its records and documents, and may retain personal data in accordance with the Retention Limitation Obligation (e.g. where retention is necessary for legal or business purposes). However, where the organisation's activities involving the personal data are in breach of the Data Protection Provisions, the organisation may be directed by the Commission to (among other things) cease retaining such personal data."

I reckon where there are conflicts between what's indicated in O365 above and the PDPC, the clauses from the PDPC supersede?
It's hard to indicate a specific policy on retention other than to say "retain on a need-to basis".
btan, Exec Consultant
Distinguished Expert 2018
Commented:
The regulation takes precedence, and the focus is on the NRIC and not personal data in general. So if there is a specific clause saying retention of the NRIC is alright even if not needed by the organisation, then that will be a good reference to extract for evidence.

Author commented:
So does clause 4.28 above cover the NRIC?
btan, Exec Consultant
Distinguished Expert 2018
Commented:
Likely the case, as the NRIC can be considered personal data, but it would be best that you consult legal if required.

"3.15 Organisations should note that when they collect a copy of the NRIC, they are considered to have collected all the personal data on the NRIC, and will be subject to the Data Protection Provisions of the PDPA for that collection. Organisations should assess whether they are collecting excessive personal data contained in the copy of the NRIC for the intended purpose, and if they could adopt alternatives to the individual's NRIC number or copy of NRIC."
Adam DiStefano, M.S., CEH, CISSP, Trusted Security Advisor

Commented:
This really would be dependent on your organization's compliance requirements. GDPR, for example, outlines these requirements. If this is more a general question without regard to compliance with a particular regulation, then the organization can set its own defined data retention policies. There are plenty of standards available to help guide and align with best practices as far as retention is concerned. Additionally, seek to align with the legal department as well when it comes to retention, as there may be legal requirements to hold this data for potential litigation.