Dear colleagues,
I am helping to implement procedures for the creation and management of Privacy Impact Assessments (a.k.a. Data Protection Impact Assessments) in response to GDPR and the forthcoming revision of the Data Protection Act 1998. We are planning to keep PIAs produced by all sections of the authority in the same area of our system, subject to the same retention conditions. Does anyone know of a suitable retention period, with an appropriate justification? My starting assumption is that retention would be governed by the duration of the council's liability: so if we were to fail to make a proper assessment as obliged by the regulations, after how many years would we be immune from ICO enforcement action or other proceedings? I am very much of a newcomer to records management, and have not found anything in the General Data Protection Regulations themselves that imposes a limitation on action by the supervisory authority. Can anyone help?
Yours,
Mark
Mark Smith | Corporate Records Manager | Commissioning, Communities and Policy | Derbyshire County Council | Derbyshire Record Office, New Street, Matlock, DE4 3FE | Direct Dial: 01629 539203
Visit us at www.derbyshire.gov.uk | Follow us on Twitter | Find us on Facebook
To view the list archives go to: https://www.jiscmail.ac.uk/cgi-bin/webadmin?A0=RECORDS-MANAGEMENT-UK