Things You Need to Know About Document Retention and Destruction in the Legal Sector

Here in the EU, our General Data Protection Regulations (GDPR) set a trailblazing example of data protection rights and privacy. As a result, we have some of the best-protected data for individuals in the world.

However, with increased data protection, various exemptions, legitimate interests, and many other grey areas emerging as the UK gets through its GDPR teething problems, it can sometimes be difficult to know which records should be kept, and which records need to be destroyed.

This can be difficult for law firms in particular due to variations in regulations for specific legal sectors. Knowing when to retain and destroy documents should be a top priority for law firms, as with handling confidential client information comes the responsibility to protect this information.

Cartoon image of judge with a gavel, standing in front of the scales of justice.

So, what documents do we need to keep?

Below are the information retention schedule regulations as laid out by the Information Commissioner’s Office in August 2018.

Regulatory Retention Trigger Retain For Action
Appeals information tribunal Case closed 6 years Destroy
All criminal enforcement cases Case closed 6 years Review
Civil enforcement case where an action was taken Case closed 6 years Review
Civil enforcement case where no action was taken Case closed 2 years Destroy
Gathered intelligence Entered onto intelligence log 6 years Review
Data protection and FOI complaints Case closed 2 years Destroy
Data protection and FOI complaints physical items (items which cannot be scanned or returned) Case closed 6 months Destroy
Cases relating to Section 159 of the Consumer Credit Act 1974 Case closed 6 years Destroy
Audit reports Case closed 6 years Review
Advisory visits and supporting audit documents Case closed 12 months Destroy
IPA supporting audit documents Case closed Until the next audit or 3 years, whichever is sooner Destroy
High priority case file supporting audit documents Case closed 6 years Review
Data protection fee information Case closed 2 years Destroy
Breach report – no action is taken Case closed 2 years Destroy
Internal Regulatory Activities Retention Trigger Retain For Action
Information created in relation to new policies, guidelines, and research. This information has been created internally to guide decision making. This relates to any final drafts and significant supporting information. Last action 6 years Review
Stakeholder Engagement Retention Trigger Retain For Action
First line advice services Case closed 2 years Destroy
Engagement with significant stakeholders (including government departments, large companies, charities, and international work) Last action 6 years Review
Engagement with less significant stakeholders (advice provided to smaller organisations with the advice only affecting small numbers) Last action 3 years Review
Guidance for external use Superseded 6 years Review
Data privacy impact assessments Last communication 6 years Review
Finalised binding corporate rules End of contract 6 years Review
BCR initial assessment supporting documents National authorisation 2 years Review
BCR point of contact and legal representation details After each annual update 12 months Review
Consultations (The ICO gathers information externally through an open consultation in relation to policies they are developing) Policy published As soon as policy published Destroy
Information requests including MP requests Last action 2 years Destroy
Corporate Governance Retention Trigger Retain For Action
Health and Safety inspections, property management, and asset records Last action 6 years Review
Documents relating to IT system integral to their running and long-term use End of system life 3 years Review
Records and information management Last action 3 years Review
IT infrastructure Last action 3 years Review
Information security Last action 6 years Review
Information requests (including MP requests not dealt with directly by the commissioner) Case closed 2 years Destroy
Projects and corporate programmes Last action 3 years Review
Building reports, risk assets, helpdesk and security reports Last action 3 years Review
IT backups Last action 3 months Destroy
System audit logs Last action 12 months Destroy
CCTV Last action 1 month Destroy
Reception sign-in book End of year 2 years Destroy
Google Analytics reports Last action 38 months Destroy
Finance Retention Trigger Retain For Action
Financial information End of financial year 6 years Destroy
Payroll Capita reports End of financial year 6 years Destroy
Legal Retention Trigger Retain For Action
Policy legal and legal advice Last action 6 years Review
Enforcement legal cases Case closed 6 years Review
Contracts End of contract 7 years Review
Unsuccessful tenders Last action 400 days Review
Building contracts and leases End of contract 12 years Review
Organisation-wide Retention Trigger Retain For Action
Significant draft versions (the draft versions of policies, advice and guidelines for significant areas of work) Last action 3 years Review
Less significant draft versions (general drafts of documents created for less significant work) Last action 12 months Review
Internal audits Creation 3 years Destroy
Internal guidance and lines to take Creation 3 years Destroy
Templates, procedures, team information, and team meetings Last action 3 years Review
Annually renewed documents End of financial year 3 years Review
Department logs and registers Last action 12 months Review
Team administration Creation 3 years Review
Management information End of financial year 6 years Review
General content types (SharePoint) Last action 12 months, 3 years, 6 years Review
Mobile device information for visitor wifi use Creation 90 days Destroy
Transfer to The National Archives Retention Trigger Retain For Action
Information detailing what has been sent to The National Archives (not transferred) Last action 6 years Review
Section 55 DPA and Section 77 FOI Case closed Prepare for transfer
Publications and material Creation Prepare for transfer
Management board minutes Last action Prepare for transfer
Senior leadership team minutes Last action Prepare for transfer
Upper Tribunal Case and Court of Appeal Case closed Prepare for transfer
ICO constitution Superseded Prepare for transfer
Office-wide strategic plans Superseded Prepare for transfer
Department of culture, media, and sport Last action Prepare for transfer
Delegated authority Last action Prepare for transfer
Legal advice to the commissioner (where directly relevant to information rights policy) Last action Prepare for transfer
High-profile casework Case closed Prepare for transfer
PECR breach logs Superseded Prepare for transfer
Interactions with key stakeholders in relation to interpreting Data Protection and Freedom of Information Act, Code of Practice relating to acts, legislative development, and significant internal advice Last action Prepare for transfer
Civil monetary penalty cases Case closed Prepare for transfer

For the full list including which HR and communications records to destroy, visit the ICO’s article here.

These regulations ensure that data is not kept for longer than necessary, and any data kept for legal reasons is periodically reviewed.

What about data destruction exemptions?

In criminal law, there are many exemptions from data destruction. In England and Wales, the Police and Criminal Evidence Act of 1984 (Part 5) overrules GDPR and makes provision for the retention of DNA profiles and fingerprints amongst other records. If a conviction has been made for a recordable offence, the individuals DNA profiles and fingerprints may be indefinitely on file.

However, many records held by law firms such as non-disclosure agreements, opinion letters and factual summaries in convicted cases may have to be expunged if not required to pass onto The National Archives. This will usually happen once the convicted person has completed their court-mandated sentence, and is a means of protecting the individual as well as witnesses from further ramifications after they have fulfilled their societal obligations. This is why the review and destruction processes are so important.

How can I destroy legal documents safely?

Shredding documents which are no longer needed is the safest and most secure option law firms can take to protect their sensitive records. Another advantage of shredding is that it will reduce the costs of holding onto inactive records kept in long-term storage. Electronic files and digital media storage devices containing sensitive information must also be destroyed if no longer used, even if encrypted or wiped, as this information can still be recovered by an experienced data thief.

We hope this article has shed light into your obligations when retaining legal records, actions to take after retention periods, and implementing their destruction.

Here at Shred Station, we are fully accredited to securely handle the destruction of your confidential data. If you’d like to request a free e-brochure, call back, or a quick quote, you can do so via the Shred Station homepage.


Sign up to our newsletter here to be alerted about brand new blog articles, data protection advice, and news about Shred Station.


Information correct at time of publication, 4th February 2019. If you would like further clarification with regards to retention and destruction periods for your specific industry, please seek further guidance from the Information Commissioner’s Office. Shred Station can accept no responsibility for any incorrect retention or review guidelines in the above text. These information retention schedule regulations are as detailed by the Information Commissioners Office in August of 2018. To stay updated with industry guidelines after the date of publication, please contact the Information Commissioner’s Office.