1. If you store data electronically you should be registered with the ICO for data retention, either as yourself if you are a sole trader, or as an organisation if your association is a legal entity in itself (e.g. a Ltd company).
2. You must appoint a Data Retention Controller who is responsible for the Data Retention.
3. All individuals that you collect data on must be made aware of what data you have collected, what the purpose of this data collection is, and what the retention needs are. This can be done by direct contact with the individual or by making a Data Retention policy available to the public via a link on your website. This information must be concise, transparent, intelligible and easily accessible, and it must use clear and plain language.
4. You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.
5. You must only keep the personal data on an individual that you actually need. Any surplus data, e.g. copies of qualifications, must be deleted or destroyed unless it is kept solely for one of the following reasons:
a. Public interest archiving using digital continuity (e.g. any qualification certificates you actually award may be archived, in a format that can still be accessed in the future, so that a student who has lost them can request a copy later).
b. Scientific or historical research (e.g. results from experiments or trials).
c. Statistical purposes.
Non UK records should be treated as UK records until the “Frozen GDPR” information is updated by the ICO.
6. You will need to develop a separate written Data-Retention policy for your association if you keep any data for the reasons above. Any data kept for these reasons must be anonymised where possible.
11. Any data that you hold that you do not have a reasonable use for must be deleted or destroyed. In the case of paper records it is recommended that you use shredding (cross-cut, particle-cut or pierce-and-tear shredding are adequate; strip-cut shredding is not sufficient) or burning. Placing full documents into domestic recycling is not secure and must not be used.
8. All data retained must be periodically reviewed and destroyed when no longer legitimately needed.
13. You may not use an individual's data for marketing purposes unless you have clear consent from the individual, the use is compatible with your original purpose (e.g. informing the individual about further membership benefits available), or you have a clear obligation or function set out in law.
14. All SARs (Subject Access Requests) must be acknowledged within 3 working days and dealt with within a reasonable amount of time. This amount of time must be stated in the acknowledgement.
15. Any and all software used should be investigated for compliance with the UK ICO standard of Data Retention. This information is usually available on the software vendor's website; if it is not, it should be requested from the vendor via email.
16. Your Data Retention Controller must carefully consider any challenge to your retention of personal data, whether made verbally or in writing, should be the point of contact for individuals who request erasure of their information, and must respond within 1 month. Erasure of information is a right of the individual once the data is no longer kept for legitimate purposes, and the individual should be informed of the outcome of their erasure request.
17. In the event of a dispute where your decision is to retain the data, the individual must be informed:
a. Why you are retaining the data
b. That they have the right to contact the BAF Data Retention Officer for further mediation
c. That they have the right to seek legal advice
d. That they have the right to contact the ICO using the following link to object.