Identifying the record series in your retention schedule that contain personal information is a strategic step to advance your records and information management program. Not only will you be more mindful of the record series that contain personal information, but you’ll also gain a more detailed understanding of the sources from which you acquire personal information.

So if you’re looking to further your organization’s RIM program, considering the types of personal information in your RRS is a wise step forward. Once you determine the types of personal information within your organization’s records cache, legal requirements, operational needs, and risk considerations will determine the impacts to your RRS.

Types of Personal Information

There are a variety of different flavors within the big bucket of personal information. Specific types under the GDPR include genetic data, biometric data, data concerning health, and special categories of personal data.[1] As shown in the table below, these are not defined as broadly as their umbrella, “personal data.”

GDPR – Personal Data

Type | Definition
Personal data | Any information relating to an identified or identifiable natural person.
Genetic data | Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
Biometric data | Personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person.
Data concerning health | Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Special categories of personal data | Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

With an increased operational footprint comes the added complexity for organizations of understanding how the definitions of specific types of personal information change from one privacy law to another. Organizations subject to both California’s CCPA and the EU’s GDPR must understand how specific types of personal information are defined differently under each law.

Specific types of personal information under the CCPA include sensitive personal information and biometric information.[1] The table below illustrates the complexity of these definitions.

CCPA – Personal Information

Type | Definition
Personal information | Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Sensitive personal information | Personal information that reveals a consumer’s social security, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership; genetic data; or mail, email, and text message contents unless the business is the intended recipient of the communication.
Biometric information | An individual’s physiological, biological, or behavioral characteristics, including information pertaining to an individual’s deoxyribonucleic acid (DNA), that is used or is intended to be used singly or in combination with each other or with other identifying data, to establish individual identity.

Know Your Source

You may also acquire the same type of personal information from different sources. For example, health information may come from employees, patients, and customers. Identifying the source of a specific type of personal information can be useful for identifying the proper retention needs or record series for the information. For example, the basis for retaining health information of employees exposed to toxic substances differs from health information acquired from job applicants.

The types of personal information your organization retains, as well as the sources from which it is acquired, will impact the general structure and retention periods of your RRS. For example, the personal information of employees can include everything from medical or biometric information to access logs. Retention periods for employee biometric information or access logs can give rise to compelled destruction requirements, which can put a wrench in your RRS. Compelled destruction requirements often conflict with the retention period for other records grouped in the same record series. This is why creating specific carveouts in your RRS often makes sense, or even becomes necessary.

Common RRS carveouts include biometric information, access logs, CCTV footage, and sensitive financial information. These carveouts provide your organization with the flexibility to decrease retention periods in line with risk considerations, as well as operational and legal needs. Additionally, carveouts help demonstrate to regulators that your organization is being compliant about not over-retaining personal information.

RRS and RIM Policies Impact

RIM policies and procedures will also be specific to the type of information and special considerations based upon the associated risk. Examples of policy components that may be changed by the type of information your organization maintains can include vendor requirements, methods of information destruction or deletion, training, and cloud storage.

Also, certain policy components may be driven by operational determinations, while others may be caused by legal requirements. For example, HIPAA requires that organizations “have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information”[2] and “train all members of its workforce on the policies and procedures with respect to protected health information.”[3] These specific HIPAA provisions would drive policies and procedures related to employee training as well as IT safeguards and access controls.

Risks and Obligations

Sensitive personal information like genetic, biometric, health, and special category data comes with major risks. Sensitive personal information is a more prized target for cyber criminals, so over-retaining it increases its exposure. Clearly identified record series for records with sensitive personal information can help alleviate the risk of over-retention that comes from including this data in a broader record series.

Operational Needs

The Federal Trade Commission has successfully pursued enforcement actions involving over-retaining sensitive financial information for up to thirty days after the business need expired, in violation of bank security rules.[4] In In re BJ’s Wholesale Club, Inc., the US-based membership-only warehouse chain agreed to a settlement with the FTC in 2005 requiring the company to create and maintain a comprehensive information security program and to carefully inventory and assess the risks associated with its personal information, among other things. The consent order BJ’s Wholesale Club agreed to was enforceable for 20 years, meaning that in 2024 the company is still subject to its terms.[5] The FTC’s action in the BJ’s Wholesale Club matter is but one example of the very long-lasting consequences an organization can face from failing to set and enforce proper retention periods around sensitive personal information.

Legal Requirements

In addition to factoring business-need retention periods into your RRS, organizations must also know legally mandated disposition requirements. For example, Texas requires employers retaining biometric identifiers for commercial and security purposes to delete the biometric identifier no later than one year after the termination of the employment relationship.[6]

Risk Considerations

Organizations must also consider the risk from specific types of personal information. The array of risk considerations that come with specific types of personal information is as vast as the variety of personal information your organization may retain. Such risk may arise from security considerations, storage costs, legal regulations, and data erasure requests.

Conclusion

Ensuring retention periods line up with your business’s operational needs, legal requirements, and risk appetite is critical when taking the next steps to advance your RIM program. By identifying the types of personal information in your records, you can make the proper adjustments to your RRS based on legal requirements, operational needs, and risk considerations. Inventorying and assessing the types of personal information in your records inventory and determining the proper RRS adjustments may seem like an overwhelming task, but doing so is crucial for advancing a successful RIM program and ensuring your business isn’t exposing itself to unnecessary risks.

[1] See Cal Civ Code 1798.140.

[2] 45 CFR 163.530 (c)(1).

[3] 45 CFR 163.530 (b)(1).

[4] See, e.g., Complaint, In re BJ’s Wholesale Club, Inc., FTC File No. 0423160 (Sept. 20, 2005) (alleging the company created unnecessary risks to sensitive financial information by storing it for up to 30 days when it no longer had a business need to keep the information).

[5] In the Matter of BJ’s Wholesale Club, Inc., Federal Trade Commission Docket No. C-4148, Decision and Order (Sept. 20, 2005).

[6] Tex. Bus. & Com. Code 503.001.

[1] See EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.