Mobile app data privacy - Length of record retention in a software app

#1
Hi everyone,

For how long should customers' data be stored or the length of record retention in a software app, for example, after the license has lapsed. Do customers always have access to their data or is this data destroyed after a certain amount of retention time? Thanks!
 

mihzago

Quite Involved in Discussions
#2
That depends on the type of data and locality. If, for example, you're in the US and the data stored on the app is ePHI, then "HIPAA requires that business associates and covered entities retain the following for at least six years from creation date or last effective date, whichever happens to be later". Some states, for example Massachusetts, have even longer retention periods of 7 years.
In other jurisdictions (e.g. Canada, EU), there is no specified period, so you have to define it on your own considering the requirement that the "Personal Information shall only be retained as long as necessary for the fulfillment of those purposes behind data processing."

Make sure you document the retention time and the justification in your procedures, and explain how you handle access and retention in terms of use or contracts with your customers.
 

Top Bottom