OFFICIAL Data Retention Policy OFFICIAL Business Area: Data Protection Office Version: 2.1 Document Reference: POL-18-061 <Report Name>


OFFICIAL

Data Retention Policy

OFFICIAL

Business Area: Data Protection Office

Version: 2.1

Document Reference: POL-18-061

<Report Name>


Data Retention Policy POL-18-061

OFFICIAL Page 2 of 14 Student Loans Company Ltd

Document Control

Status: Live

Document Version History

| Date | Version | Author | Comments |
|---|---|---|---|
| 22/01/2018 | 0.1 | | Due to historical live policy versions being allocated draft version numbers and a significant policy re-write the draft version number has been reset to v0.1. |
| 10/05/2018 | 0.2 | | Internal SLC review by Legal team. |
| 18/05/2018 | 1.0 | | Published version |
| 29/01/2019 | 1.1 | | Update to new template. No content change |
| 26/04/2019 | 2.0 | | Published to live after annual review |
| 16/05/2019 | 2.1 | | Internal SLC review by Legal team. |

Review and Approval Register

Note: RACI = R- Responsible, A- Accountable, C-Consulted, I-Informed

| Name | Position | RACI Role |
|---|---|---|
| Gary Womersley | Company Secretary/Head of Assurance Services (Data Protection Officer/Senior Information Risk Officer) | A |
| | Information Governance & Assurance Manager (Accreditor and Deputy DPO) | R |
| | Information Security Governance & Compliance Manager/ Deputy SIRO | C |
| | Senior Manager – Legal & Compliance | C |
| | Information Governance Officer | C |
| | SLC Information Asset Owners | I |

*NB: names of staff other than DPO have been removed under section 40(2) of the Freedom of Information Act 2000


Update Schedule

This document will be reviewed at least annually or whenever business requirements, legislation or regulations change.

Applicability

The requirements in this document apply to:

All permanent, temporary and contract workers employed or engaged by SLC or any 3rd party organisations whilst at work or engaged on SLC business.

Compliance

Any employee found to have violated these requirements could be subject to disciplinary action, up to and including termination of employment.

At its sole discretion, SLC may require the removal from the service provision account of any employee of a 3rd party organisation contractually engaged on SLC business who is found to have violated these Procedure requirements.


Contents

Document Control

1 Introduction

2 Definitions and Policy Principles

2.1 Definitions

2.3 Policy Principles

3 Disposal of Data

4 Data Retention Periods

5 Related Documents

Appendix 1 Data Retention Guidance Table


1 Introduction

1.1.1 SLC has a defined Information Asset Owner (“IAO”) handbook which sets out the principles of the Information Asset Register (the “IAR”). All SLC information or data (hereinafter referred to as “data” for ease of understanding) should be related to an entry within the IAR. As part of an entry within the IAR, an IAO must define a period for which the data should be retained by SLC. This retention period must be in accordance with legal requirements.

1.1.2 This Policy documents the duration for which data, both personal and non-personal, should be retained, irrespective of format (paper, electronic or other).

1.1.3 Please Note: although SLC is subject to data protection and data retention regulations, in certain circumstances (as detailed in this Policy), SLC are required to retain data indefinitely.

1.1.4 IAOs are responsible for following this Policy to ensure that appropriate retention periods and removal arrangements are adhered to for data for which they are responsible.

1.1.5 This Policy will assist SLC in managing the data it holds while complying with legislative requirements, or best practice, as is appropriate and should be read in conjunction with SLC’s Data Protection Policy (“DPP”) and SLC’s Freedom of Information Policy.

2 Definitions and Policy Principles

2.1 Definitions

2.1.1 The following data protection-related terms are relevant for the purposes of this Policy and are defined in SLC’s DPP:

- data
- personal data
- data controller
- data processor
- data subject
- Data Protection Officer (“DPO”)
- processing
- special category data


2.1.2 For the avoidance of doubt, the term "processing" of personal data refers to any data that is collected, processed, stored, archived or deleted. Such data could be contained in any media and therefore includes personal data contained in emails.

2.3 Policy Principles

2.3.1 All data should be retained for no longer than necessary in accordance with the timescales detailed in this Policy.

2.3.2 Each IAO is responsible for regulating the retention period for data under their responsibility and how often they cleanse that data.

2.3.3 Appendix 1: Data Retention Guidance Table contains tables of appropriate maximum or minimum retention periods. Further operational specific data retention periods are included within the Data Register for each Business Unit. IAOs are responsible for deciding on a retention period and advising the Information Security Governance & Compliance Manager to ensure the IAR and this Policy are up to date.

2.3.4 Should you require more specific advice on how long to retain certain data, please contact the relevant IAO in the first instance, or alternatively the Data Protection Office.

3 Disposal of Data

3.1.1 When the retention period for a particular piece of data has expired, an appropriate review should be carried out before a final decision is made to dispose of the document.

3.1.2 Disposal can be achieved by various means, for example:

- physical destruction on site e.g. shredding;
- deletion of electronic files; and/or
- off-site disposal by a third party contractor.

3.1.3 The disposal method should be proportionate to the type of data being disposed of and its sensitivity marking. For example, personal data or confidential information should not be placed in the waste bin. This could result in SLC being in breach of data protection legislation. Such data should be destroyed on site by shredding or placed in specifically marked “Confidential Waste” bins.

3.1.4 A record should be maintained in relation to the data disposed of which records the date and method of disposal and the officer who authorised disposal. In the event of deleting electronic data, managers must ensure that any corresponding records e.g. hard copies in storage and other computer systems and information on DAT tapes etc must also be deleted.

3.1.5 It may be necessary in some scenarios to retain data that would otherwise be scheduled for deletion. This could include (but is not limited to) data related to confirmed or suspected fraud cases or data related to ongoing legal cases. In such instances a record should be held of what data requires to be retained beyond its retention period, the reason for retaining it and a further review duration.

3.1.6 If data is held when a request under the Freedom of Information Act 2000 (“FOIA”) and/or the Environmental Information Regulations (“EIRs”) is received, SLC may lawfully be able to say that it does not hold it if it would normally be destroyed before the deadline for responding. However, SLC should, if possible, and as a matter of good practice, suspend any planned destruction and consider the request as usual.

3.1.7 Destroying requested information outside of SLC’s normal policies is unlawful under the FOIA and may be a criminal offence if done to prevent disclosure.

3.1.8 As a matter of good practice, SLC should keep all information relevant to a request under FOIA for at least six months following disclosure to allow for appeals to the Information Commissioner.

4 Data Retention Periods

4.1.1 Appendix 1: Data Retention Guidance Table contains tables of appropriate maximum or minimum retention periods. Further operational specific data retention periods are included within the Data Register for each Business Unit.

4.1.2 Notwithstanding provision in data protection legislation that personal data should not be kept for longer than is necessary, in certain circumstances SLC is required to keep data for a minimum length of time (e.g. financial information) and/or even indefinitely. For example:

- student support legislation obliges SLC to take into account any previous supported study to accurately determine an individual’s entitlement to student support for any further study; and
- student finance eligibility criteria requires that there are no arrears with any previous student loans.


5 Related Documents

This document forms an essential part of SLC’s overall policy framework and should be read in accordance with relevant related documents, including:

| Document | Description |
|---|---|
| Data Protection Policy | |
| Freedom of Information Policy | |
| Compliance Policy | |


Appendix 1 Data Retention Guidance Table

This list is only for guidance purposes and contains recommended retention periods for different types of data held by SLC. The list is not exhaustive. Should you require further assistance on data retention and factors to consider when deciding on an appropriate retention period for specific data please discuss your needs with the relevant IAO in the first instance, failing which the DPO.

Please note that while some departments are transferring paper records to other media, such as microfiche or onto digital form e.g. scanning, this does not vary SLC’s obligations in relation to ensuring that data is only held for the applicable retention period.

In circumstances where records are transferred from paper records to other media, the requirements of legal admissibility and the evidential weight of information stored on electronic document management systems should be considered. Legal & Compliance can assist further with this on request.


Employee Data

| Information Description | Retention Period |
|---|---|
| Written particulars of employment | Certain employee data is currently retained on an indefinite basis within SLC. SLC has obligations to ensure that employee data is retained in line with a range of regulatory and legal requirements. SLC is progressing an updated retention schedule to ensure that employee data is only retained as long as necessary. This retention policy is an active document and will be updated on an ongoing basis. Please refer back to this policy for the most up-to-date position with regard to employee data retention. |
| Current address details | |
| Personal payroll history, including a record of pay, performance pay, overtime pay, allowances, pay enhancements, other taxable allowances, payment for untaken leave, reduced pay, maternity leave | |
| Bank details – current | |
| Pensions estimates and awards | |
| Appraisals/Assessments | |
| Annual Leave Records | |
| Unpaid leave periods (maternity leave etc) | |
| Statutory maternity pay document | |
| Complete sickness absences record showing dates and causes of sick leave | |
| Health Referrals (incl. medical reports from doctors/consultants) | |
| Papers relating to any injury on duty | |
| Medical/Self Certificates | |
| Death Benefit Nomination and Revocation Forms | |
| Job Applications - Internal | |
| Job Applications - External | |
| Staff security vetting records | |
| Employee training records | |
| Identification documents of foreign nationals (ensuing from obligation to retain copies of documents used to perform immigration checks) | |
| Data concerning a temporary worker | |
| Recruitment Vetting and criminal convictions | |
| Employee Grievance records | |
| Employee Discipline records | |


Customer Data

| Information Description | Retention Period |
|---|---|
| Student Loan original Consumer Credit Agreements | Certain customer data is currently retained on an indefinite basis within SLC. SLC has obligations to ensure that customer data is retained in line with a range of regulatory and business requirements. SLC is progressing an updated retention schedule to ensure that customer data is only retained as long as is necessary. This retention policy is an active document and will be updated on an ongoing basis. Please refer back to this policy for the most up-to-date position with regard to customer data retention. |
| Any Student Finance Direct Agreements (PR1/PN1) that we have in paper form | |
| Deferment Forms | |
| Customer communications | |
| Telephone Calls | 2 years |
| Letters | Indefinitely |

Public Relations/Press

| Information Description | Retention Period |
|---|---|
| Press cutting | 7 years from release |
| Press releases | 7 years from release |
| Correspondence with branches of the media | 7 years from issue |
| Handbooks and guides to media/public relations | Destroy when superseded |


Legislation & Related Schemes

| Information Description | Retention Period |
|---|---|
| Procedures for handling FOI requests and other documents regarding implementation of FOI; FOI Policy; case file records which lead to the development or precedent and best practice | Retain for 5 years after the procedures have been superseded as may have archival or reference value. Consider for permanent preservation. |
| Case file records detailing FOI requests and responses, consideration of exemptions, and subject internal reviews and appeals. Each case record is likely to contain personal data as defined in UK data protection legislation. Specifically, each record is likely to contain: the name, address, and other contact information of the applicant; personal details provided by the applicant when making his/her request; where a fee has been paid, bank account and other payment details. All personal data will be handled with care and in accordance with UK data protection legislation. Access to personal data will be strictly controlled. | 3 years (subject to above for case file records which lead to the development or precedent and best practice). Any case file records which are considered for permanent preservation will have applicant's personal data removed/redacted. |
| Statistical data about number of FOI requests, the timeliness of responses, outcomes, internal reviews and appeals | 10 years |
| Details of what access decisions have been taken about SLC records and redacted versions of documents that were released | 10 years |
| Information subject to a FOI request but scheduled for destruction | 6 months from date of last correspondence |