As with other aspects of the data lifecycle, the Data Protection Act 2018 sets out clear rules for storing data ethically. In particular, organisations must not keep personal data for longer than they need to and they must be able to justify the length of time they hold the data.
Policies are needed to set standard retention periods for data. Organisations must review the data they have and erase or anonymise it when they no longer need it. Individuals also have the right to ask for their data to be destroyed (check out our guide to ethical data destruction).
It’s worth noting that there are some exceptions to these rules. Organisations are allowed to keep data for longer periods if it's for public interest archiving, scientific or historical research, or statistical purposes.
Before you begin storing data, consider:
1) For how long will you be storing data?
It’s fairly obvious that data needs to be stored and protected with the appropriate level of security, with backup and recovery procedures that protect key information. But beyond this, there are considerations for ethical data storage, too. One of the main ones is how long organisations should store data, also known as data retention. This should encourage organisations to have a clear purpose for collecting data in the first place and to be very precise about its use.
The GDPR states that data should be stored for the shortest time possible. However, in practice, things are not always as clear-cut.
Ask yourself:
- Do you need to keep this data at all? Has it already served its purpose?
- Should the data be anonymised? Even though it’s not the law, would this be safer? Do you really need to store personally identifiable information (PII)?
- Are you storing out-of-date or redundant data? Could this be generating faulty insights leading to biased and poor decision-making?
- How often will you review stored data and decide whether it’s still necessary to keep it? There are no hard and fast rules here, so think about upping your review periods to ensure an ethical approach.
2) Who will have access to the data you’ve stored?
Data protection and security are vital for storing and managing data, especially personal data that must not be disclosed to unauthorised people. Securing data means several things, including preserving its integrity, controlling access to it to reduce breaches and unauthorised access, and protecting the privacy of data contributors through techniques which de-identify or anonymise it. (Data subjects also always have the right to ask you what data you hold on them, and to ask for it to be deleted.)
With this in mind, there’s an obvious tension between keeping data secure and ensuring the people who need to view it have access. Data is valuable because it enables us to generate insights and, in turn, improve services or save time and money. To achieve this, it must be shared. The principles of open data and data democratisation will always need to be balanced against the need to keep data secure.
Ask yourself:
- How can you balance the security, privacy and access elements of the data you are storing?
- Do you have a plan for providing different levels of access to data so that data in your organisation can be used effectively and ethically?
- How quickly can the data be made available to data subjects should they request it? The legal requirements state this must happen as soon as possible and definitely within one month. Can you put a system in place to ensure that you respond as quickly as possible?
Data storage lessons from Ocado
In June 2021, retailer Ocado settled its litigation with two former employees accused of retaining confidential documents when they left the business and using them to support the development of a new, rival operation. While it was found the two men breached their obligations of confidence to Ocado, more robust data storage and access principles could have prevented the employees from taking the files in the first place, producing additional hard copies or retaining them after leaving the company.
Top tips for more ethical data storage
- Store multiple copies of key datasets in different media formats (depending on short- or long-term storage) for redundancy, accessibility, and retention.
- Review databases multiple times a year to understand what data you still need to keep and what can be securely disposed of.
- Make sure you are aware of your legal obligations — many organisations provide free resources such as checklists for effective data retention policies.
For more guidance on data ethics, read our article on ethical data collection and sharing.
