There should be a timeframe. That said, organizations need, in some cases, to keep the data to address risk. Maybe you're going to get a lawsuit so you need to keep it for a certain period of time. You have to keep that in mind. There's also a patchwork of laws that will apply to different types of data.
As a matter of fact, it can be quite a big job for an organization to put together a detailed retention policy. These can be quite expensive, but I'm all for retention and delays that are reasonable, that take into account the fact that the information is no longer in use. You need to get rid of it. You need to destroy it.