Retention of information relating to GDPR compliance

The Data Protection and Freedom of Information Office processes all GDPR Subject Access Requests (SAR) received by the University, all Notifications with the UK Information Commissioner, and handles a variety of other requests and actions related to GDPR compliance. In each case the Office will normally create a case record which is likely to contain personal data and sensitive personal data as defined in the General Data Protection Regulation (GDPR). All such personal data will be handled with care and in accordance with the GDPR. Access to case records will be strictly controlled.

Each case record may contain, as appropriate, the following records:

  • The name, address, other contact information, and personal details of the applicant or correspondent
  • Personal details held by the University about the applicant
  • Records of correspondence between the University and the applicant or correspondent
  • Records of all actions and decisions and, for SAR, a record of all information withheld and what exemptions/exceptions were applied
  • Records of all correspondence between the University and the UK Information Commissioner

Subject Access Requests

The standard case record retention period for each SAR will be two years after the last action related to the SAR. In very rare cases the University may retain particularly lengthy or complex or multiple requests for a longer period of time - particularly where (a) the applicant has made a complaint about the handling of his/her SAR, and/or (b) the case resulted in an investigation by the UK Information Commissioner.

Abandoned Subject Access Requests

The standard case record retention period for a SAR, abandoned on request by the applicant, will be one month after the last action related to the SAR. In very rare cases the University may retain the case record for an abandoned SAR for a longer period of time - particularly where there have been previous SARs from the applicant.

Notification with the UK Information Commissioner

Records documenting the institution's Notification to the UK Information Commissioner, including (a) a record of all correspondence between the University and the UK Information Commissioner, and (b) a record of all actions and decisions taken with regard to any modifications to the Notification, will be retained for five years from the expiry of the Notification.

Enquiries from the Police and other Authorised Agencies

The Police, and other authorised agencies including the Immigration and Nationality Directorate of the Home Office, may request personal data about specific individuals from the University for the purposes of the prevention or detection of crime, the apprehension or prosecution of offenders, and for purposes connected with immigration. For every such request the Office will create a single case record. The standard case record retention period for such requests will be two years after the last action related to the request. 

General GDPR Compliance Enquiries

The Data Protection and Freedom of Information Office receives requests for advice and guidance on GDPR Compliance. These requests will be handled in accordance with standard University procedures and detailed records of the correspondence will not be retained. Only non-routine and complex requests for advice and guidance where, for example, legal advice has been obtained will be retained in a single case record. The standard case record retention period for such requests will be based on the currency and ongoing applicability of the request. 

Investigations by the UK Information Commissioner

A single case record will be created for each complaint to, or investigation by, the UK Information Commissioner. The standard case record retention period for such case records will be two years after the last action related to the request. In very rare cases the University may retain the case record for particularly lengthy or complex or multiple requests for a longer period of time - particularly where there have been previous SARs from the applicant.