Information life cycle

The information lifecycle affects everyone, and lapses at any stage can result in data compromise which – whether they reveal themselves immediately or at a later date – can mean dire consequences for the party involved. Corporations and individuals alike are at risk. Recognising this, it’s paramount to do your best to conserve the quality of the material and do your utmost to protect it throughout the process.

Onboarding or acquisition stage

The first stage in the information life cycle is the onboarding or acquisition of data and information. This information could be computer generated, for example an access control or automatic numberplate recognition system; it can also be created manually. This might include someone filling out a form and sending it to the target organisation, perhaps by email, letter, telephone, data transfer or similar. Once that information reaches the organisation, it’s the responsibility of a designated person (the 'custodian') to collate the information to ensure its security and utilisation (in other words, the custodian needs to keep information secure as soon as they receive it). The custodian is often in an IT role, for example, an Information System Administrator. This would be overseen by the data controller.   

Utilisation or usage stage

The next stage in the information life cycle is the utilisation or usage stage. As you might expect, this is when the data and information are put to use. 

This data could be used in all sorts of ways, depending on its type. Perhaps the information captured is on the age of users of a specific product, and this needs to be analysed in order to educate an organisation on their target market, or to be published for others to understand and learn from.  

Occasionally, information such as this is stored as a physical document, but far more likely it’ll exist electronically on servers or other storage devices and accessed through the Internet or a corporate network. It’s important to consider secure storage for the information even during its analysis, as well as during the processing, sharing and transmission of reports.  

Archiving or disposal stage

Finally, at the end of the information life cycle we have the archiving or disposal stage. All information will have a finite lifespan after which it will have served its intended purpose and must be either deleted or archived in a way that prevents its theft, loss or corruption. This is known as its ‘retention period’.

It’s important to consider how long the data will be held, and how it will be disposed of. Therefore, consider validity dates, sensitivity of the data, legal and contractual obligations, disposal methods and auditing of the process at this stage.

Guiding principles 

If the information you’re dealing with is a record that your organisation might need to retain, it’s important to know the legality behind the process. Although not controlled through GDPR, some corporate documents, like board meeting minutes, financial records, and technical documents, are legally protected and must be retained for inspection over a pre-defined time period. This period varies depending on the relevant legislation. In the US, for example, Sarbanes-Oxley regulations require corporate accounts to be protected from modification and deletion for a minimum of seven years, with penalties of up to $5m and 20 years imprisonment for non-compliance.

ISO 15489 is a legal standard for Records Management Systems (RMS). It was designed to help businesses and other organisations to manage their records to keep them reliable and up to date. The Standard applies to records regardless of structure or form, in all types of business and technological environments. In some cases, legislation also dictates that data must be destroyed after a specified time period. In the event of a criminal investigation or legal dispute, an organisation could be asked to produce records, or show proof of their destruction. Failure to produce the required information could lead to fines and even imprisonment of the data owner.

A note on GDPR and the information life cycle 

GDPR for business

Now you’ve heard of GDPR, but how do businesses need to behave? On the storage of information, GDPR states that:

• You must not keep personal data for longer than you need it.
• You need to think about, and be able to justify, how long you keep personal data. This will depend on your purposes for holding the data.
• You need a policy setting standard retention periods wherever possible, to comply with documentation requirements.
• You should also periodically review the data you hold, and erase or anonymise it when you no longer need it.
• You must carefully consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data.
• You can keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes.

In 2021, WhatsApp had to pay a €225 million GDPR penalty, after it was alleged that the messaging service had failed to properly explain its data processing practices in its privacy notice. You can find out more about that case, and other GDPR fines levied by European regulators, here

GDPR in the UK

The UK-GDPR definitions:

• The data controller has the most responsibility when it comes to protecting the privacy and rights of the data's subject, such as the user of a website. The data controller controls the procedures and purpose of data usage and will be the one to dictate how and why data is going to be used by the organisation.
• A data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors act on behalf of the relevant controller and under their authority.
• The Information Commissioner’s Office is the body in the UK responsible for upholding information rights under UK-GDPR.

Since Brexit, the new UK-GDPR is no longer an EU regulation, however the terms have been adopted into UK domestic law and means the same basic data protection and requirements apply as before under EU law. In June 2021, a four-year adequacy agreement was made by the EU accepting UK standards for data protection, a decision which paves the way for personal data to be transferred freely from the EU to the UK until June 2025, after which the agreement will be reviewed. 

Key principles

UK-GDPR has seven key principles:

1. The first principle states that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
2. The second principle requires that any personal data collected is for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3. The third principle states that when personal data is collected or processed, it’s adequate, relevant and limited to what is necessary in relation to the purposes for which it’s processed.
4. The fourth principle requires personal data to be accurate and, where necessary, kept up to date in relation to the purpose for which it’s processed.
5. The fifth principle requires that personal data is kept for no longer than is necessary for the purposes for which it’s processed. When personal data is no longer needed, it must be destroyed.
6. The sixth principle requires data processors to process personal data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.
7. The final principle is accountability it requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate compliance.

What’s next? 

Having looked at the information life cycle, let’s return to focus on GDPR in more detail.