How should data retention and disposal be handled under Annex F?

• A. Securely dispose or destroy data when no longer needed, regardless of retention policy.
• B. Retain data per policy/regulation; securely dispose or destroy when no longer needed.
• C. Preserve data forever to ensure ongoing availability.
• D. Delete data immediately after collection.

Answer: (B)

Data retention and disposal under Annex F is about following the organization’s retention policy and applicable laws to determine how long data should be kept and when it should be securely destroyed. The best approach is to retain data in line with policy or regulation, and then securely dispose of it when it’s no longer needed. This keeps data available for legitimate business or compliance purposes during its required life, while minimizing risk once the retention period ends.

Secure disposal means using appropriate methods for the data and media—such as secure erasure for digital data or physical destruction for physical media—and keeping records of the disposal. This reduces the chance of sensitive information being exposed after it’s no longer required.

Choosing to dispose of data regardless of policy, or to preserve data forever, or to delete it immediately after collection, ignores the need to align with legal holds, retention schedules, and privacy protections.