A Data Retention Policy forms an essential part of the personal data lifecycle. Data shall be maintained for as long as there is an operational need. The length of time it will be retained will be set out in the Data Retention Schedule.
This policy addresses the requirements surrounding Data Retention as set out by the General Data Protection Regulation (GDPR) and how Books for languages (‘Books4Languages’) meets its obligations to individuals and the law regarding the retention of personal data.
This document serves to inform all staff members who process personal data on behalf of Books4Languages.
The purpose of this policy is to:
- minimise the retention period of records while ensuring that the information needs of the business are met;
- ensure that records required for legal and evidential purposes are kept for the appropriate period and in an appropriate manner;
- ensure that records are not destroyed prematurely.
We need to do this in order to:
- ensure Books4Languages complies with the law;
- protect staff and other individuals;
- protect the organisation.
This document applies to the retention of personal data, which is processed and subsequently retained by Books4Languages. It should be read in conjunction with the Data Retention Schedule which specifies retention periods for each type of data.
It applies to all staff, contractors and temporary employees who hold or process any Books4Languages records for any purpose.
It applies equally to our own servers, third-party servers, email accounts, backup storage such as photographic, microform and electronic media that are used to store records as well as to more traditional paper or card records.
- Personal data shall not be kept for longer than is necessary for a given purpose. However, the retention period can differ based on the type of data processed.
- The Data Retention Schedule lists the types of personal data maintained by Books4Languages and specifies the Retention period for each data type. If Books4Languages acquires a new type of data, the Data Retention Schedule must be updated accordingly.
- No records involved in any investigation, litigation or audit will be destroyed until legal counsel has confirmed that no further legal reason exists for retention of the record. It is the responsibility of senior management involved to ensure related documents have
been segregated appropriately.
A document should not normally be stored both on paper and electronically, nor stored electronically in several different locations; a single electronic version (stored so as to be accessible to all who need the information it contains) is preferred.
There may be some exceptions to this, for example, exam-related paperwork referring to candidate enrolments, results and/or reports where we may take a scanned copy for ease of access to the information but where we also need to keep the original for purpose of checking signature or other hand-written details.
Specific retention periods are detailed in the Data Retention Schedule.
Where there is a statutory retention period for a record, this will be treated as a minimum period. No information should be kept indefinitely ‘just in case’.
In terms of information obligations, data subjects must be informed of:
• The retention period;
• If no fixed retention period can be provided – the criteria used to determine that period; and
• The new retention period if the purpose of processing has changed after personal data has been obtained.
After the retention period has expired, the personal data does not necessarily have to be completely erased. In line with Books4Languages Data Destruction Policy it is sufficient to anonymise the data, for example, by erasing single pieces of information that identify the data subject (whether alone or in combination with other pieces of information). In cases where the data cannot be allocated to an identifiable person, no action will be required.
Required to reproduce certificates/respond to enquiries: Profile and Exam information: Indefinite
All other personal and sensitive data: Evidence of ID: 6 years then delete
Exam data: Exam scripts and any information and submitted material: 6 years then delete
Required: Contact information and Copyright release: Indefinite
Document Owner and Approval
The Data Protection Officer is the owner of this document and is responsible for ensuring that this policy document is reviewed in line operational and General Data Protection Regulation (GDPR) requirements.
This policy was approved by Books4Languages Director on 05 Mar 2020 and is issued on a version-controlled basis under their signature.
Version – Details of Amendments – Date – Owner
1 – Policy updated to official launch – 05 Mar 2020 – Compliance Manager