How do we handle decommissioning an old system that still holds personal data subject to different retention rules?
Decommissioning a legacy system is rarely just an IT shutdown. When that system still holds personal data, the data itself carries obligations that survive the application housing it. The goal is to retire the platform without orphaning records, deleting something prematurely, or keeping personal data longer than any rule allows.
Inventory and Classify First
Before anything is turned off, map what the system actually holds. Identify each record series, the personal data elements involved, and the retention rule that governs each one. A single system often mixes categories with very different schedules, so treat them separately rather than applying one blanket decision.
Flag any records that are:
- Under a legal hold or active litigation
- Subject to a pending FOIA, Privacy Act, or public-records request
- Permanent or archival in value
These cannot be destroyed even if their normal retention period has lapsed.
Apply Retention Rules Record by Record
Once classified, sort the data into three buckets:
- Eligible for disposition — retention met and no hold attached. Destroy it in a documented, defensible way, and capture proof of destruction.
- Still under retention — migrate to a successor system or an approved repository, preserving metadata, integrity, and access controls.
- Uncertain — retain until the schedule is confirmed. When in doubt, do not destroy.
Honoring different retention periods within one decommissioning project is normal. The system’s end-of-life does not reset or override any record’s individual clock.
Protect Privacy Throughout
Minimization is the privacy principle at work here: personal data should not persist past its lawful purpose, but it also must not be destroyed early to “clean up.” Secure the data during migration, sanitize storage media before disposal, and verify that backups, exports, and test copies are addressed too — those are easy to overlook.
Document Defensibly
A decommissioning is defensible only if you can show your reasoning. Keep records of the inventory, the schedules applied, approvals, holds checked, migration confirmations, and destruction certificates. That documentation is what demonstrates the process was systematic and authorized rather than arbitrary.
For related guidance, see the privacy and PII topic hub.
Sources & further reading
Authoritative government and non-profit references.
- Privacy Act of 1974 — U.S. Department of Justice
- Records management policy and guidance — National Archives (NARA)
How to cite this page
APA
RM University Editorial. (2026). How do we handle decommissioning an old system that still holds personal data subject to different retention rules?. Records Management University. https://www.recordsmgmt.org/questions/how-to-decommission-system-holding-pii-under-different-retention-rules/
MLA
RM University Editorial. "How do we handle decommissioning an old system that still holds personal data subject to different retention rules?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/how-to-decommission-system-holding-pii-under-different-retention-rules/.
Related questions
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?