Data Protection Documentation and Retention Policies

To help your management of personal data, you should aim to produce some documentation on the personal data you collect and process. You can do this as you see fit, but below are some recommendations of what to produce.

This collection contains information relating to the following areas:

Data Audit and Mapping

You should aim to produce some kind of map or audit of the personal data you hold and collect so you can easily track what you have. This may be very simple in some cases - if you just have a list of members that you delete every year for example - but if you are using personal data for anything complex or are collecting lots of types of personal data you may want to try and keep track of this. You should aim to keep a record of the following fields:

  • Description of Data    
  • Purpose of Holding data    
  • Legal Basis    
  • Method of Collection    
  • Location of Data    
  • Type of Data Subjects (eg. Students/Alumni/External)    
  • Extent of data (how many records)    
  • Time span of data held currently (from date of first collection)    
  • Sensitive or non-sensitive data?    
  • Fields/data held    
  • Intended Retention Schedule

Retention Schedules

You should specify retention policies for any personal data that you hold. This could be as granular as removing some fields of data but keeping others. For example, you may have collected phone numbers from some of your members to manage an event. Once the event has finished you may need to contact those members directly to arrange feedback or administer claims etc. in the weeks following the event, but beyond that point you will no longer need those phone numbers. You might set a retention period of 1 month after finishing an event to keep phone numbers. In this case it is important to try to keep all of your data in one place so retention can be easily managed.

The above is quite a specific example and you may want to set wider retention schedules to make life easier, such as removing all personal data you hold on previous members at a set point (eg. before Autumn term). The important thing is to make sure you have a schedule set against all the personal data you manage, you have a reason for that schedule and you stick to it. This should be considered in line with the Data Protection Principles - particularly Accuracy, Purpose Limitation and Data Minimisation. If you want any specific help or guidance about retention schedules you can contact the activities team. College has a very detailed retention schedule for much of the data that is processed so you may be able to get an idea from this if you are unsure.

As a general rule, if you are holding data that you don't need for a specific purpose then it should be deleted.

You may want to keep some basic records as a matter of record keeping. The Union maintains a record of student memberships and so is able to provide information on who was a member at a specific time, so you don't need to keep records for this purpose, though there may be other things you want to keep records of that the main Union database won't cover. Think about this carefully and, as always, try to limit this to the minimum amount of data possible and make sure you have a purpose for keeping it.

Privacy Notices

If you are collecting personal data that is not covered by the Union Privacy Notice, you should provide a Privacy Notice to inform users at the time of collection of how their data will be used. You are also required to provide a Privacy Notice in the same format as the collection method eg. a web page or link if being captured through a webform, or on paper if collecting a paper list. The College has a template for Privacy Notices that you can use if you need one. If you need additional help then get in touch.

College has a handy template for newsletter Privacy Notices that you can adapt for your own purposes if you need to make one for a marketing newsletter. 
