OFFICIAL
Data Retention Policy
Business Area: Data Protection Office
Version: 2.1
Document Reference: POL-18-061
Data Retention Policy POL-18-061
OFFICIAL Page 2 of 14 Student Loans Company Ltd
Document Control
Status: Live
Document Version History
Date | Version | Author | Comments
22/01/2018 | 0.1 | | Due to historical live policy versions being allocated draft version numbers and a significant policy re-write the draft version number has been reset to v0.1.
10/05/2018 | 0.2 | | Internal SLC review by Legal team.
18/05/2018 | 1.0 | | Published version
29/01/2019 | 1.1 | | Update to new template. No content change
26/04/2019 | 2.0 | | Published to live after annual review
16/05/2019 | 2.1 | | Internal SLC review by Legal team.
Review and Approval Register
Note: RACI = R- Responsible, A- Accountable, C-Consulted, I-Informed
Name | Position | RACI Role
Gary Womersley | Company Secretary/Head of Assurance Services (Data Protection Officer/Senior Information Risk Officer) | A
 | Information Governance & Assurance Manager (Accreditor and Deputy DPO) | R
 | Information Security Governance & Compliance Manager/ Deputy SIRO | C
 | Senior Manager – Legal & Compliance | C
 | Information Governance Officer | C
 | SLC Information Asset Owners | I
*NB: names of staff other than DPO have been removed under section 40(2) of the
Freedom of Information Act 2000
Update Schedule
This document will be reviewed at least annually or whenever business requirements,
legislation or regulations change.
Applicability
The requirements in this document apply to:
All permanent, temporary and contract workers employed or engaged by SLC or any 3rd
party organisations whilst at work or engaged on SLC business.
Compliance
Any employee found to have violated these requirements could be subject to disciplinary
action, up to and including termination of employment.
At its sole discretion, SLC may require the removal from the service provision account of any
employee of a 3rd party organisation contractually engaged on SLC business who is found
to have violated these Procedure requirements.
Contents
Document Control
1 Introduction
2 Definitions and Policy Principles
2.1 Definitions
2.3 Policy Principles
3 Disposal of Data
4 Data Retention Periods
5 Related Documents
Appendix 1 Data Retention Guidance Table
1 Introduction
1.1.1 SLC has a defined Information Asset Owner (“IAO”) handbook which sets out the
principles of the Information Asset Register (the “IAR”). All SLC information or data
(hereinafter referred to as “data” for ease of understanding) should be related to an
entry within the IAR. As part of an entry within the IAR, an IAO must define a period
for which the data should be retained by SLC. This retention period must be in
accordance with legal requirements.
1.1.2 This Policy documents the duration for which data, both personal and non-personal,
should be retained, irrespective of format (paper, electronic or other).
1.1.3 Please Note: although SLC is subject to data protection and data retention
regulations, in certain circumstances (as detailed in this Policy), SLC are required to
retain data indefinitely.
1.1.4 IAOs are responsible for following this Policy to ensure that appropriate retention
periods and removal arrangements are adhered to for data for which they are
responsible.
1.1.5 This Policy will assist SLC in managing the data it holds while complying with
legislative requirements, or best practice, as is appropriate and should be read in
conjunction with SLC’s Data Protection Policy (“DPP”) and SLC’s Freedom of
Information Policy.
2 Definitions and Policy Principles
2.1 Definitions
2.1.1 The following data protection-related terms are relevant for the purposes of this
Policy and are defined in SLC’s DPP:
- data
- personal data
- data controller
- data processor
- data subject
- Data Protection Officer (“DPO”)
- processing
- special category data
2.1.2 For the avoidance of doubt, the term "processing" of personal data refers to any
data that is collected, processed, stored, archived or deleted. Such data could be
contained in any media and therefore includes personal data contained in emails.
2.3 Policy Principles
2.3.1 All data should be retained for no longer than necessary in accordance with the
timescales detailed in this Policy.
2.3.2 Each IAO is responsible for regulating the retention period for data under their
responsibility and how often they cleanse that data.
2.3.3 Appendix 1: Data Retention Guidance Table contains tables of appropriate maximum
or minimum retention periods. Further operational specific data retention periods
are included within the Data Register for each Business Unit. IAOs are responsible
for deciding on a retention period and advising the Information Security Governance
& Compliance Manager to ensure the IAR and this Policy are up to date.
2.3.4 Should you require more specific advice on how long to retain certain data, please
contact the relevant IAO in the first instance, or alternatively the Data Protection
Office.
3 Disposal of Data
3.1.1 When the retention period for a particular piece of data has expired, an appropriate
review should be carried out before a final decision is made to dispose of the
document.
3.1.2 Disposal can be achieved by various means, for example:
- physical destruction on site e.g. shredding;
- deletion of electronic files; and/or
- off-site disposal by a third party contractor.
3.1.3 The disposal method should be proportionate to the type of data being disposed of
and its sensitivity marking. For example, personal data or confidential information
should not be placed in the waste bin. This could result in SLC being in breach of
data protection legislation. Such data should be destroyed on site by shredding or
placed in specifically marked “Confidential Waste” bins.
3.1.4 A record should be maintained in relation to the data disposed of which records the
date and method of disposal and the officer who authorised disposal. In the event
of deleting electronic data, managers must ensure that any corresponding records
e.g. hard copies in storage and other computer systems and information on DAT
tapes etc must also be deleted.
3.1.5 It may be necessary in some scenarios to retain data that would otherwise be
scheduled for deletion. This could include (but is not limited to) data related to
confirmed or suspected fraud cases or data related to ongoing legal cases. In such
instances a record should be held of what data requires to be retained beyond its
retention period, the reason for retaining it and a further review duration.
3.1.6 If data is held when a request under the Freedom of Information Act 2000 (“FOIA”)
and/or the Environmental Information Regulations (“EIRs”) is received, SLC may
lawfully be able to say that it does not hold it if it would normally be destroyed
before the deadline for responding. However, SLC should, if possible, and as a
matter of good practice, suspend any planned destruction and consider the request
as usual.
3.1.7 Destroying requested information outside of SLC’s normal policies is unlawful under
the FOIA and may be a criminal offence if done to prevent disclosure.
3.1.8 As a matter of good practice, SLC should keep all information relevant to a request
under FOIA for at least six months following disclosure to allow for appeals to the
Information Commissioner.
4 Data Retention Periods
4.1.1 Appendix 1: Data Retention Guidance Table contains tables of appropriate maximum
or minimum retention periods. Further operational specific data retention periods
are included within the Data Register for each Business Unit.
4.1.2 Notwithstanding provision in data protection legislation that personal data should
not be kept for longer than is necessary, in certain circumstances SLC is required to
keep data for a minimum length of time (e.g. financial information) and/or even
indefinitely. For example:
- student support legislation obliges SLC to take into account any previous supported study to accurately determine an individual’s entitlement to student support for any further study; and
- student finance eligibility criteria requires that there are no arrears with any previous student loans.
5 Related Documents
This document forms an essential part of SLC’s overall policy framework and should be read in
accordance with relevant related documents, including:
Document Description
Data Protection Policy
Freedom of Information Policy
Compliance Policy
Appendix 1 Data Retention Guidance Table
This list is only for guidance purposes and contains recommended retention periods for different types of data held by SLC. The list is not exhaustive. Should
you require further assistance on data retention and factors to consider when deciding on an appropriate retention period for specific data please discuss
your needs with the relevant IAO in the first instance, failing which the DPO.
Please note that while some departments are transferring paper records to other media, such as microfiche or onto digital form e.g. scanning, this does not
vary SLC’s obligations in relation to ensuring that data is only held for the applicable retention period.
In circumstances where records are transferred from paper records to other media, the requirements of legal admissibility and the evidential weight of
information stored on electronic document management systems should be considered. Legal & Compliance can assist further with this on request.
Employee Data
Information Description | Retention Period
Written particulars of employment | Certain employee data is currently retained on an indefinite basis within SLC. SLC has obligations to ensure that employee data is retained in line with a range of regulatory and legal requirements. SLC is progressing an updated retention schedule to ensure that employee data is only retained as long as necessary. This retention policy is an active document and will be updated on an ongoing basis. Please refer back to this policy for the most up-to-date position with regard to employee data retention.
Current address details |
Personal payroll history, including a record of pay, performance pay, overtime pay, allowances, pay enhancements, other taxable allowances, payment for untaken leave, reduced pay, maternity leave |
Bank details – current |
Pensions estimates and awards |
Appraisals/Assessments |
Annual Leave Records |
Unpaid leave periods (maternity leave etc) |
Statutory maternity pay document |
Complete sickness absences record showing dates and causes of sick leave |
Health Referrals (incl. medical reports from doctors/consultants) |
Papers relating to any injury on duty |
Medical/Self Certificates |
Death Benefit Nomination and Revocation Forms |
Job Applications - Internal |
Job Applications - External |
Staff security vetting records |
Employee training records |
Identification documents of foreign nationals (ensuing from obligation to retain copies of documents used to perform immigration checks) |
Data concerning a temporary worker |
Recruitment Vetting and criminal convictions |
Employee Grievance records |
Employee Discipline records |
Customer Data
Information Description | Retention Period
Student Loan original Consumer Credit Agreements | Certain customer data is currently retained on an indefinite basis within SLC. SLC has obligations to ensure that customer data is retained in line with a range of regulatory and business requirements. SLC is progressing an updated retention schedule to ensure that customer data is only retained as long as is necessary. This retention policy is an active document and will be updated on an ongoing basis. Please refer back to this policy for the most up-to-date position with regard to customer data retention.
Any Student Finance Direct Agreements (PR1/PN1) that we have in paper form |
Deferment Forms |
Customer communications |
Telephone Calls | 2 years
Letters | Indefinitely
Public Relations/Press
Information Description | Retention Period
Press cutting | 7 years from release
Press releases | 7 years from release
Correspondence with branches of the media | 7 years from issue
Handbooks and guides to media/public relations | Destroy when superseded
Legislation & Related Schemes
Information Description | Retention Period
Procedures for handling FOI requests and other documents regarding implementation of FOI; FOI Policy; case file records which lead to the development or precedent and best practice | Retain for 5 years after the procedures have been superseded as may have archival or reference value. Consider for permanent preservation.
Case file records detailing FOI requests and responses, consideration of exemptions, and subject internal reviews and appeals. Each case record is likely to contain personal data as defined in UK data protection legislation. Specifically, each record is likely to contain: the name, address, and other contact information of the applicant; personal details provided by the applicant when making his/her request; where a fee has been paid, bank account and other payment details. All personal data will be handled with care and in accordance with UK data protection legislation. Access to personal data will be strictly controlled. | 3 years (subject to above for case file records which lead to the development or precedent and best practice). Any case file records which are considered for permanent preservation will have applicant's personal data removed/redacted.
Statistical data about number of FOI requests, the timeliness of responses, outcomes, internal reviews and appeals | 10 years
Details of what access decisions have been taken about SLC records and redacted versions of documents that were released | 10 years
Information subject to a FOI request but scheduled for destruction | 6 months from date of last correspondence