19.
(1) Pursuant to section 39 of the Act, a data controller or data processor shall retain personal data processed for a lawful purpose, for as long as may be reasonably necessary for the purpose for which the personal data is processed.
(2) A data controller or data processor shall
(a) establish a personal data retention schedule with appropriate time limits for the periodic review of the need for the continued storage of personal data that is no longer necessary or where the retention period is reached; and
(b) erase, delete, anonymise or pseudonymise personal data upon the lapse of the purpose for which the personal data was collected.
(3) A personal data retention schedule established under paragraph (2)(a) shall outline the —
(a) purpose for retention;
(b) the retention period;
(c) provision for periodic audit of the personal data retained; and
(d) actions to be taken after the audit of the personal data.
(4) An audit of the retained data under paragraph (3)(c), shall seek to—
(a) review records with a view of identifying personal data that no longer requires to be retained and permanently delete the personal data;
(b) ensure the retained data is accurate and up-to-date;
(c) specify the purpose for retention of personal data;
(d) ensure that the personal data security measures are adequate; and
(e) identify the best course of action where personal data retention period lapses.
(5) A data controller or data processor shall establish appropriate time limits for the periodic review of the need for the continued storage of personal data for any of the law enforcement purposes.
(6) The personal data storage limitation period and data retention schedule outlined under paragraph (2)(a) may be included as part of the policy envisaged in regulation 23.