Who is responsible for deciding how long PII can be kept — the records officer, the privacy office, or the business unit that owns the data?
Short answer: no single role decides alone. Setting how long personally identifiable information (PII) can be kept is a shared, governed decision. The records officer owns the retention schedule, the privacy office sets the limits PII must respect, and the business unit supplies the operational facts. The schedule is the binding output that ties them together.
What each role actually contributes
The records officer (or records/IG function) owns the retention schedule and the disposition process. They translate requirements into an approved, documented retention period, ensure it aligns with broader recordkeeping rules, and authorize defensible destruction once a record’s period ends. They do not invent retention out of thin air — they consolidate the requirements others provide.
The privacy office sets the boundaries that PII specifically must honor. A core privacy principle is data minimization and storage limitation: personal data should be kept only as long as needed for the purpose it was collected, then disposed of. The privacy office identifies which data is PII, flags purpose limits, and pushes back when a proposed retention period keeps personal data longer than justified.
The business unit that owns the data is the subject-matter authority. It knows why the data was collected, what legal, regulatory, tax, or operational obligations apply, and when the information stops being useful. It proposes a business-need retention period, which the records officer and privacy office then test and refine.
How the decision gets made
In practice the retention period is the lowest defensible number that satisfies every applicable requirement:
- Statutory or regulatory minimums (the data usually must be kept at least this long).
- The business purpose and operational need.
- Privacy limits, which often pull the period shorter — PII should not linger past its purpose.
When these conflict, legal minimums set the floor and privacy minimization sets the ceiling. The records officer reconciles them into an approved schedule entry, with the privacy office and legal counsel signing off.
The takeaway
Think of it as roles, not a single decider: the business unit proposes, the privacy office constrains, and the records officer documents and authorizes. Disposing of PII on a schedule — rather than keeping it indefinitely — is itself a privacy safeguard, because data you no longer hold cannot be breached or misused.
For related guidance, see the PII and privacy topic hub.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- Records management policy and guidance — National Archives (NARA)
How to cite this page
APA
RM University Editorial. (2026). Who is responsible for deciding how long PII can be kept — the records officer, the privacy office, or the business unit that owns the data?. Records Management University. https://www.recordsmgmt.org/questions/who-decides-how-long-pii-is-kept-records-privacy-or-business-owner/
MLA
RM University Editorial. "Who is responsible for deciding how long PII can be kept — the records officer, the privacy office, or the business unit that owns the data?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/who-decides-how-long-pii-is-kept-records-privacy-or-business-owner/.
Related questions
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?