Reflection on NDPR’s retention of records

Retention of records is one of the key components in data protection frameworks. It helps with the transparency principle of informing data subjects and essentially allows data subjects to know how long their data controller/processor will keep data.

Yet, there are a lot of Nigerian companies struggling with managing retention schemes. The Nigerian Data Protection Regulation Implementation framework mentions how Nigerian firms should treat the retention of records.

The Nigerian Data Protection Regulation implementation observes that time limit varies in data retention schemes. It further states that contracts determine the length of storage, transaction type, and an express request for deletion by the data subject and cost implication of storage of such data by the data controller influence retention. These are an essential requirement in the retention schemes of any company, but there are other factors a company must consider.

In any retention framework, from a global perspective, the company must have a clear retention policy. The retention policy should clearly state the types of retention schemes. Without the right plan in place, the procedures for the retention scheme remain useless. There is no justification for having a retention scheme when there is no written guidance for the retention scheme. That is like buying a complicated machine without the right manual.

The Nigerian Data Protection Implementation framework makes it complicated when it states that data controllers and processors should consider retention schemes in terms of “three years after the last active use of a digital platform” or “six years after the last transaction in a contractual agreement.” These are high-level recommendations for data controllers and data processors that need unpacking. For example, should companies immediately delete the data sets or re-process them? What type of data sets does the Nigerian data protection regulation allude to here? It’s quite confusing when one tries to tease out the features here.

Overall, good companies with data protection framework will maintain retention records that show transparent retention schemes, what categories of data, and who has access to them.

This retention record helps in the following ways. It describes to the staff, the organisational and technical measures necessary in processing data. There is always room for companies to breach the retention scheme when teams or management don’t know how long and when to delete data.

The retention of records as presented by NITDA needs more in terms of clear definition and approach. NITDA’s implementation framework states that organisation will “determine if the data was stored appropriately and for a reasonable length of time”. How does NITDA define a reasonable length of time?

And when the implementation framework says “Personal Data that is no longer in use and after requisite statutorily required storage period shall be destroyed in line with global best practices for such operations”; these terms raise a lot of confusion than clarification.

I think there needs to be more documentation explaining in details the retention of records scheme for data controllers and processors. Apparent retention of records implementation programme should inform companies clearly on how to approach the retention scheme rather than confuse them.

There needs to be further review with regards to NDPR’s retention of records explanation as retention schemes play an important role in data protection framework. Missing the right approach to data protection would permanently set the company up for breaching their existing retention policies or procedures.