Yes, as soon as the information is found not to be necessary for the jurisdiction and responsibilities of the recipient, they must destroy it. That is what preserves the privacy interest of the individual whose information is presumably being shared.
However, if the information is found to be necessary, that's when they may retain it and the information is then subject to normal retention periods in individual institutions.