Use, Retention & Disclosure Limitation

ISO 27018 requires strict controls over how PII is used, how long it's retained, and when it can be disclosed to third parties. These limitations protect against unauthorized or excessive processing.

Three Core Limitations

1. Use Limitation

Definition: PII shall be used only for specified purposes.

2. Retention Limitation

Definition: PII shall be retained only as long as necessary.

3. Disclosure Limitation

Definition: PII shall be disclosed only as documented and agreed.

Control CLD.6.7: Use, Retention, and Disclosure Limitation

ISO 27018 Requirement: "The organization shall limit the use, retention and disclosure of PII to the purposes identified in the notice, except with consent of the PII principal or as required by law."

Use Limitation

Principle: Purpose Boundaries

Acceptable Uses:

Processing for documented purposes
Uses covered by consent
Legal requirements and obligations
Legitimate interests (with balancing test)

Prohibited Uses:

Processing beyond stated purposes
Marketing without consent
Sale of customer data
Undisclosed profiling

Technical Enforcement

Purpose-Based Access Control:

interface AccessRequest {
  userId: string;
  requestingSystem: string;
  purpose: Purpose;
  piiFields: string[];
}

enum Purpose {
  SERVICE_DELIVERY = "service_delivery",
  CUSTOMER_SUPPORT = "customer_support",
  BILLING = "billing",
  MARKETING = "marketing",
  ANALYTICS = "analytics"
}

function authorizeAccess(request: AccessRequest): boolean {
  // Check if system is authorized for this purpose
  if (!isSystemAuthorizedForPurpose(request.requestingSystem, request.purpose)) {
    auditLog.record('UNAUTHORIZED_PURPOSE_ACCESS', request);
    return false;
  }

  // Check if purpose is valid for this PII
  if (!isPurposeValidForPII(request.purpose, request.piiFields)) {
    auditLog.record('INVALID_PURPOSE_PII_COMBINATION', request);
    return false;
  }

  // Check consent if required
  if (requiresConsent(request.purpose)) {
    const hasConsent = checkConsent(request.userId, request.purpose);
    if (!hasConsent) {
      auditLog.record('MISSING_CONSENT', request);
      return false;
    }
  }

  return true;
}

Use Limitation Policy Matrix

Use Case	CSP System Access	Third-Party Sharing	Consent Required	Audit Trail
Service delivery	✓ Authorized systems	Sub-processors only	No (contract basis)	Standard
Customer support	✓ Support team only	No	No (legitimate interest)	Required
System analytics	✓ Anonymous only	No	No (if anonymous)	Standard
Marketing	✓ With consent	Only with consent	Yes (explicit)	Required
Product improvement	✓ Pseudonymized	No	Depends on method	Standard
Legal compliance	✓ As required	Authorities only	No (legal obligation)	Required

Retention Limitation

Principle: Keep Only What's Needed

Retention Requirements:

Define retention periods for each PII category
Document business and legal justifications
Implement automated deletion
Handle legal holds appropriately
Maintain audit trail of deletions

Retention Period Framework

Factors Determining Retention:

Business necessity
Legal requirements
Regulatory obligations
Contract terms
Industry standards
Data subject expectations

Common Retention Periods:

PII Category	Typical Retention	Justification
Account data	Active + 30 days	Business need
Transaction records	7 years	Tax/legal requirements
Support tickets	3 years	Customer service quality
Marketing consents	Until withdrawn	Ongoing consent
Usage logs	90 days	Security monitoring
Backup data	30-90 days	Disaster recovery
Audit logs	1-7 years	Compliance requirements

Automated Retention Management

Implementation Architecture:

interface RetentionRule {
  piiCategory: string;
  retentionPeriod: number; // days
  triggerEvent: TriggerEvent;
  deletionMethod: DeletionMethod;
  legalHoldCheck: boolean;
  notificationRequired: boolean;
}

enum TriggerEvent {
  FROM_COLLECTION = "from_collection",
  FROM_LAST_USE = "from_last_use",
  AFTER_ACCOUNT_CLOSURE = "after_closure",
  AFTER_PURPOSE_FULFILLED = "after_purpose_fulfilled"
}

enum DeletionMethod {
  SOFT_DELETE = "soft",        // Mark as deleted
  HARD_DELETE = "hard",        // Permanent removal
  ANONYMIZE = "anonymize",     // Remove identifiers
  ARCHIVE = "archive"          // Move to secure archive
}

class RetentionEnforcement {
  private rules: RetentionRule[];

  async enforceRetention(): Promise<void> {
    for (const rule of this.rules) {
      // Find data exceeding retention
      const expiredData = await this.findExpiredData(rule);

      for (const record of expiredData) {
        // Check for legal holds
        if (rule.legalHoldCheck && await this.hasLegalHold(record)) {
          await this.flagForLegalHold(record);
          continue;
        }

        // Notify if required
        if (rule.notificationRequired) {
          await this.notifyBeforeDeletion(record);
        }

        // Execute deletion
        await this.executeDeletion(record, rule.deletionMethod);

        // Audit trail
        await this.auditLog.record('RETENTION_DELETION', {
          rule: rule.piiCategory,
          recordId: record.id,
          method: rule.deletionMethod,
          timestamp: new Date()
        });
      }
    }
  }

  private async findExpiredData(rule: RetentionRule) {
    const cutoffDate = this.calculateCutoff(
      rule.retentionPeriod,
      rule.triggerEvent
    );

    return await this.database.query(
      `SELECT * FROM ${rule.piiCategory}
       WHERE trigger_date < $1
       AND deleted_at IS NULL`,
      [cutoffDate]
    );
  }
}

Legal Holds and Exceptions

When Retention Must Be Extended:

Ongoing litigation
Regulatory investigation
Law enforcement request
Contractual disputes

Legal Hold Process:

interface LegalHold {
  holdId: string;
  reason: string;
  requestedBy: string;
  affectedRecords: string[];
  startDate: Date;
  reviewDate: Date;
  status: 'active' | 'released';
}

async function applyLegalHold(hold: LegalHold): Promise<void> {
  // Mark records to prevent deletion
  for (const recordId of hold.affectedRecords) {
    await database.update('pii_records', recordId, {
      legal_hold_id: hold.holdId,
      legal_hold_applied: hold.startDate
    });
  }

  // Schedule review
  await scheduler.schedule(hold.reviewDate, 'review_legal_hold', hold.holdId);

  // Audit
  await auditLog.record('LEGAL_HOLD_APPLIED', hold);
}

Disclosure Limitation

Principle: Control Third-Party Access

Disclosure Definition: Sharing PII with any party outside the organization, including:

Sub-processors and vendors
Business partners
Government authorities
Other cloud service providers

Disclosure Control Requirements

1. Documented Disclosures All PII disclosures must be:

Documented in advance
Covered by agreement
Disclosed to customers
Subject to same protections

2. Sub-processor Management

interface SubProcessor {
  name: string;
  services: string[];
  piiAccess: string[];
  dataLocation: string[];
  certifications: string[];
  contractDate: Date;
  auditDate: Date;
  status: 'active' | 'pending' | 'inactive';
}

class SubProcessorRegistry {
  private subProcessors: SubProcessor[];

  async addSubProcessor(sp: SubProcessor): Promise<void> {
    // Validate certifications
    if (!this.validateCertifications(sp.certifications)) {
      throw new Error('Insufficient certifications');
    }

    // Customer notification (30 days advance)
    await this.notifyCustomers(sp, 30);

    // Add to registry
    this.subProcessors.push(sp);

    // Public disclosure
    await this.updatePublicRegistry();
  }

  private async notifyCustomers(
    sp: SubProcessor,
    daysNotice: number
  ): Promise<void> {
    const notification = {
      type: 'NEW_SUBPROCESSOR',
      subProcessor: sp.name,
      services: sp.services,
      piiAccess: sp.piiAccess,
      effectiveDate: addDays(new Date(), daysNotice),
      objectionDeadline: addDays(new Date(), daysNotice - 7)
    };

    await notificationService.sendToAllCustomers(notification);
  }
}

3. Customer Notification Requirements

30 days advance notice for new sub-processors
Immediate notice of security incidents
Annual transparency reports
Material changes to processing

Government Disclosure

Special Considerations:

Legal obligations to disclose
Customer notification (if legally permissible)
Resistance to overbroad requests
Transparency reports

Disclosure Decision Tree:

Government Request Received
    ↓
Is request legally valid?
    No → Challenge request
    Yes ↓
Is PII disclosure necessary?
    No → Provide non-PII alternative
    Yes ↓
Can customer be notified?
    Yes → Notify customer immediately
    No (gag order) → Log for later disclosure
    ↓
Minimize disclosure (only requested PII)
    ↓
Document and audit
    ↓
Include in transparency report

Disclosure Tracking

Audit Requirements:

interface DisclosureLog {
  disclosureId: string;
  timestamp: Date;
  piiCategories: string[];
  recipient: string;
  purpose: string;
  legalBasis: string;
  dataSubjectsCount: number;
  customerNotified: boolean;
  notificationDate?: Date;
  expirationDate?: Date;
}

class DisclosureAuditTrail {
  async logDisclosure(disclosure: DisclosureLog): Promise<void> {
    // Permanent audit record
    await this.auditDatabase.insert('disclosures', disclosure);

    // Alert for unusual patterns
    if (await this.isUnusualDisclosure(disclosure)) {
      await this.alertSecurityTeam(disclosure);
    }

    // Customer notification
    if (disclosure.customerNotified) {
      await this.notifyCustomers(disclosure);
    }
  }

  async generateDisclosureReport(
    startDate: Date,
    endDate: Date
  ): Promise<DisclosureReport> {
    const disclosures = await this.auditDatabase.query(
      `SELECT * FROM disclosures
       WHERE timestamp BETWEEN $1 AND $2`,
      [startDate, endDate]
    );

    return {
      totalDisclosures: disclosures.length,
      byRecipientType: this.groupByRecipient(disclosures),
      byPurpose: this.groupByPurpose(disclosures),
      governmentRequests: disclosures.filter(d =>
        d.recipient.startsWith('gov_')
      ).length
    };
  }
}

Cross-Border Transfers

Special Disclosure Considerations

When Transferring PII Across Borders:

Identify data residency requirements
Use approved transfer mechanisms
Document transfer safeguards
Customer notification and approval

Transfer Mechanisms:

Adequacy Decisions - EU approves destination country
Standard Contractual Clauses (SCCs) - EU-approved contracts
Binding Corporate Rules (BCRs) - Internal transfer framework
Consent - Explicit consent for specific transfer
Derogations - Limited exceptions (contract performance, etc.)

Transfer Documentation:

interface DataTransfer {
  transferId: string;
  sourceCountry: string;
  destinationCountry: string;
  piiCategories: string[];
  transferMechanism: TransferMechanism;
  safeguards: string[];
  customerApproval: boolean;
  riskAssessment: RiskAssessment;
}

enum TransferMechanism {
  ADEQUACY_DECISION = "adequacy",
  STANDARD_CONTRACTUAL_CLAUSES = "scc",
  BINDING_CORPORATE_RULES = "bcr",
  EXPLICIT_CONSENT = "consent",
  DEROGATION = "derogation"
}

Compliance Checklist

Use Limitation

All PII uses documented and justified
Purpose-based access controls implemented
No marketing use without explicit consent
Regular audits of actual vs. stated uses
Training on appropriate PII use

Retention Limitation

Retention periods defined for all PII categories
Business and legal justifications documented
Automated deletion implemented
Legal hold process established
Retention policy published and accessible
Annual retention policy review

Disclosure Limitation

Sub-processor registry maintained
Customer notification process for new sub-processors
Disclosure audit trail comprehensive
Government disclosure procedures documented
Cross-border transfer mechanisms in place
Annual transparency report published

Common Pitfalls

1. Indefinite Retention

❌ Wrong: "Keep everything forever" ✓ Right: Defined retention with automated deletion

2. Hidden Disclosures

❌ Wrong: Sharing PII with vendors without customer knowledge ✓ Right: Transparent sub-processor registry

3. Purpose Drift

❌ Wrong: Using customer data for unrelated purposes ✓ Right: Strict purpose enforcement

4. Manual Deletion

❌ Wrong: Rely on manual processes to delete expired data ✓ Right: Automated retention enforcement

Case Study: Cloud CRM Platform

Challenge: Managing complex use, retention, and disclosure requirements

Solution Implementation:

Use Controls:

Purpose tags on all PII records
API-level purpose enforcement
Role-based access by purpose
Quarterly use audits

Retention:

Account data: Active + 30 days
Support tickets: 3 years
Usage logs: 90 days
Marketing lists: Until consent withdrawn
Automated daily retention jobs

Disclosure:

5 sub-processors documented
30-day customer notification process
Government request protocol
Quarterly transparency reports

Results:

100% compliance with retention policies
Zero unauthorized disclosures
Customer trust increased
Audit findings reduced by 90%

Audit Evidence

Auditors Will Review:

Use limitation policies and enforcement
Retention schedule documentation
Evidence of automated deletion
Sub-processor agreements and registry
Disclosure logs and notifications
Government request handling procedures
Cross-border transfer documentation
Legal hold procedures
Transparency reports

Next Lesson: Privacy policy template and implementation guide.