Principle of Need to Keep
CyberDesk Awareness
Information Responsibility Series – Principle of Need to Keep
Keep the Right Information, in the Right Place, for the Right Duration
Welcome to the final edition of our Information Responsibility Series.
Over the past weeks, we have discussed:
- Need to Know – access information relevant to your role
- Need to Have – use only the tools, access, and resources required for your work
This week, we conclude with the Principle of Need to Keep.
This principle is about retaining information—whether digital or paper-based—in a way that supports business continuity, compliance, accountability, and easy retrieval.
It is not about deleting records based on personal judgment.
Rather, it is about ensuring that information which supports your work, approvals, audits, legal obligations, regulatory compliance, or future reference is kept securely, organised properly, and retained for the required period.
What Should Be Kept?
Records that support any of the following should be retained:
- ongoing work and projects
- approvals and key decisions
- audit and compliance evidence
- NDPR / NDPA obligations
- legal and regulatory requirements
- operational reference
- team handover and business continuity
Where records are no longer in active use, they should be archived in line with approved retention schedules and procedures.
Retention Must Follow Requirements
Retention periods must always align with:
- regulatory obligations
- legal requirements
- industry best practices
- audit standards
- approved internal retention policy
Examples include financial records, HR files, customer data, contracts, and audit evidence.
Records must not be kept indefinitely, and they must not be disposed of before the approved retention period ends.
Digital and Paper Records
This applies to both digital records and physical documents.
Digital records may include:
- emails
- reports
- approvals
- shared folders
- cloud storage files
Paper records may include:
- signed approvals
- contracts
- invoices
- HR files
- audit evidence
Paper records should be properly filed, clearly labeled, and stored in secure fireproof cabinets or archive rooms with controlled access.
Ownership, Version Control, and Disposal
You may create or manage a record, but you are often the custodian, not the final owner.
Retention and disposal decisions should follow:
- process owner guidance
- department management direction
- compliance or legal requirements
- approved retention schedule
Always keep the final and approved version of documents clearly identified to avoid confusion caused by duplicate or outdated copies.
Once the retention period expires, disposal must be done through approved shredding, secure disposal bins, or secure digital deletion processes.
Incident Reporting and Best Practice
Immediately report any record that is:
- missing
- misplaced
- accidentally deleted
- accessed by an unauthorised person
- found outside the approved storage location
To maintain compliance and continuity, avoid:
- duplicate uncontrolled versions
- storing important files only on local desktops
- leaving paper files on open desks
- deleting records without approval
- retaining records beyond the approved period
Final Reminder
The Principle of Need to Keep is about:
- retention
- accessibility
- compliance
- confidentiality
- accountability
- business continuity
Keep the right information, in the right place, for the right duration.
CyberDesk – Supporting a Smarter Workplace