Data Storage, Retention and Erasure

Covering

  • Storage and access of data

  • Data Retention & Erasure

  • Internal data

Storage & Access of Data

All our client/member data is stored online and no paper records are held. Each is managed by the third-party sites (currently SquareSpace as Turscow). Financial payment processing is through Stripe. We adopt their storage and access of data policy and actions. We do not sell any client/member data and only share it within the sites that deliver content, resources, membership or payment (see the Privacy Notice for all current/external third-party provisions, reviewed annually). As per our data protection policy, we only store names, emails and phone numbers, which are all available in the public domain (financial data is encrypted through Stripe), and we will not request any sensitive data.

Destruction, Retention and Erasure

As we do not hold any sensitive data or request it for any of our products or services, data is held only for processing, supporting and using our products and services. Once any data has reached its designated retention period date, the designated owner should refer to the retention register for the action to be taken. Not all data or records are expected to be deleted upon expiration; sometimes it is sufficient to anonymise the data in accordance with the GDPR requirements or to archive records for a further period.

All information of a confidential or sensitive nature on paper, card, microfiche or electronic media must be securely destroyed when it is no longer required. This ensures compliance with the Data Protection laws and the duty of confidentiality we owe to our employees, clients and customers.

The Company is committed to the secure and safe disposal of any confidential waste and information assets in accordance with our contractual and legal obligations, and to doing so in an ethical and compliant manner. We confirm that our approach and procedures comply with the laws and provisions made in the General Data Protection Regulation (GDPR) and that staff are trained and advised accordingly on the procedures and controls in place.

Paper Records

Due to the nature of our business, the Company does not retain paper-based personal information and, as such, has no requirement for the disposal of paper. If ever required, we would employ an external disposal business to ensure we comply in a secure, confidential and compliant manner.

Electronic & IT Records and Systems

The Company uses numerous systems, computers and technology equipment in the running of our business. From time to time, such assets must be disposed of and due to the information held on these whilst they are active, this disposal is handled in an ethical and secure manner.

The deletion of electronic records must be organised in conjunction with the current DPO, who will ensure the removal of all data from the medium so that it cannot be reconstructed. When records or data files are identified for disposal, we will review, as part of our annual information audit, that removal is completed.

Only the DPO can authorise the disposal of any IT equipment and they must accept and authorise such assets from the department personally. Where possible, information is wiped from the equipment through use of software and formatting. It is the explicit responsibility of the asset owner and DPO to ensure that all relevant data has been sufficiently removed from the IT device and backed up before requesting disposal and/or prior to the scheduled pickup.

Internal Correspondence and General Memoranda

Unless otherwise stated in this policy or the retention periods register, correspondence and internal memoranda should be retained for the same period as the document to which they pertain or support (i.e. where a memo pertains to a contract or personal file, the relevant retention period and filing should be observed).

Where correspondence or memoranda do not pertain to any documents that have already been assigned a retention period, they should be deleted or shredded once the purpose and usefulness of the content cease or, at a maximum, after 12 months.

Examples of correspondence and routine memoranda include (but are not limited to): –

  • Internal emails

  • Meeting notes and agendas

  • General inquiries and replies

  • Letters, notes or emails of inconsequential subject matter

Erasure (SAR)

In specific circumstances, data subjects have the right to request that their personal data is erased; however, the Company recognise that this is not an absolute ‘right to be forgotten’. Data subjects only have a right to have personal data erased and to prevent processing if one of the below conditions applies: –

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed

  • When the individual withdraws consent

  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing

  • The personal data was unlawfully processed

  • The personal data must be erased in order to comply with a legal obligation

  • The personal data is processed in relation to the offer of information society services to a child

Where one of the above conditions applies and the Company receives a request to erase data, we first ensure that no other legal obligation or legitimate interest applies. If we are confident that the data subject has the right to have their data erased, this is carried out by the Data Protection Officer in conjunction with any department manager and the IT team to ensure that all data relating to that individual has been erased.

These measures enable us to comply with a data subject’s right to erasure, whereby an individual can request the deletion or removal of personal data where there is no compelling reason for its continued processing. Whilst our standard procedures already remove data that is no longer necessary, we still follow a dedicated process for erasure requests to ensure that all rights are complied with and that no data has been retained for longer than is needed.

Where we receive a request to erase and/or remove personal information from a data subject, the below process is followed: –

  1. The request is allocated to the Data Protection Officer and recorded via email authorisation.

  2. The DPO locates all personal information relating to the data subject and reviews it to see if it is still being processed and is still necessary for the legal basis and purpose for which it was originally intended.

  3. The request is reviewed to ensure it complies with one or more of the grounds for erasure: –

    • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed

    • the data subject has withdrawn consent on which the processing is based and where there is no other legal ground for the processing

    • the data subject objects to the processing and there are no overriding legitimate grounds for the processing

    • the personal data has been unlawfully processed

    • the personal data must be erased for compliance with a legal obligation

    • the personal data has been collected in relation to the offer of information society services to a child

  4. If the erasure request complies with one of the above grounds, the data is erased within 30 days of the request being received.

  5. The DPO writes to the data subject and notifies them in writing that the right to erasure has been granted and provides details of the information erased and the date of erasure.

  6. Where the Company has made any of the personal data public and erasure is granted, we will take every reasonable step and measure to remove public references, links and copies of data and to contact related controllers and/or processors and inform them of the data subject’s request to erase such personal data.

If, for any reason, we are unable to act in response to a request for erasure, we always provide a written explanation to the individual and inform them of their right to complain to the Supervisory Authority and to a judicial remedy. Such refusals to erase data include: –

  • Exercising the right of freedom of expression and information

  • Compliance with a legal obligation for the performance of a task carried out in the public interest

  • For reasons of public interest in the area of public health

  • For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing

  • For the establishment, exercise or defence of legal claims

Special Category Data

In accordance with GDPR requirements and Schedule 1 Part 4 of The Data Protection Bill, organisations are required to have and maintain appropriate policy documents and safeguarding measures for the retention and erasure of special categories of personal data and criminal convictions etc.

Our methods and measures for destroying and erasing data are noted in this policy and apply to all forms of records and personal data, as noted on our retention register schedule.

Compliance and Monitoring

The Company are committed to ensuring the continued compliance with this policy and any associated legislation and undertake regular audits and monitoring of our records, their management, archiving and retention. Information asset owners are tasked with ensuring the continued compliance and review of records and data within their remit.

Responsibilities

Where a DPO has been designated, they must be involved in any data retention processes, and records of all archiving and destruction must be retained. Individual employees must ensure that the records for which they are responsible are complete and accurate records of their activities and that they are maintained and disposed of in accordance with the Company’s protocols.

Retention Periods

Section 12 of this policy contains our regulatory, statutory and business retention periods and the subsequent actions upon reaching said dates. Where no defined or legal period exists for a record, the default standard retention period is 12 months, unless otherwise legally required, in which case we would comply with any legislative timescales.

For details please contact info@rlc-global.com