Dear Meic,

You might remember I brought up a related issue a while ago – retention of Privacy Impact Assessments. After hearing from colleagues including your good self, I concluded that the best thing was to retain the assessment for 7 years, triggered by the decommissioning of the process or system in question. The logic was that this should allow time for any legal action to be lodged. I am planning to recommend that we should apply the same rule to privacy notices. So if we have, let’s say, a privacy notice describing our processing of personal data of library volunteers, the 7-year clock would start ticking as soon as libraries stop using volunteers. Or if there was a special notice that only covered one particular project, the clock would start when that project came to an end. I am also thinking of proposing a rule that PIAs and privacy notices should be reviewed at intervals of no more than 2 years. That should enable us to keep these living documents reasonably up-to-date – and one day we will get to say “hang on, this notice refers to a function that the council no longer exercises, we had better close it to allow for its deletion in 7 years’ time”. (Such a natural-sounding sentence – I should have been a playwright.)

As to the issue of keeping things forever – I do wonder if a periodically-harvested sample of privacy notices might be of interest to historians one day? In which case it might be prudent to pass these on to our authority’s record office.

Yours,

Mark

Visit us at www.derbyshire.gov.uk | Follow us on Twitter | Find us on Facebook

From: The Information and Records Management Society mailing list [mailto:[log in to unmask]] On Behalf Of Nicholas Cooper
Sent: 12 April 2018 16:52
To: [log in to unmask]
Subject: Re: GDPR Chronicles ~2: retention periods: privacy notices

A global law firm I worked with kept all UK case files for 15 year after the end of the case regardless of the Law Society guideline of 6 years.

That may sit better with your instinct.

Nicholas Cooper
Project & Information Management Strategies

01728 635736

07788446050

Disclaimer: This email message is confidential to the intended recipient. If you have received it in error, please notify the sender and delete it from your system. Any unauthorised use, disclosure, or copying is not permitted. This email has been checked for viruses, but no liability is accepted for any damage caused by any virus transmitted by this email.
Registered Company No (England): 6887020 Registered VAT No: 970970979
Registered Address: 3 Manor Courtyard, Hughenden Avenue, High Wycombe, HP13 5RE

From: The Information and Records Management Society mailing list [mailto:[log in to unmask]] On Behalf Of Meic Pierce Owen
Sent: 12 April 2018 16:29
To: [log in to unmask]
Subject: Re: GDPR Chronicles ~2: retention periods: privacy notices

Thank you. That is useful. My instinct is saying longer though- if we consider privacy notices to be significant in terms of showing data governance at date x.

From: The Information and Records Management Society mailing list [mailto:[log in to unmask]] On Behalf Of Berit Reglar
Sent: 12 April 2018 16:20
To: [log in to unmask]
Subject: Re: GDPR Chronicles ~2: retention periods: privacy notices

The retention period under contract law is 6 years, in negligence it is 3 years but it only starts from the date of knowledge (or the date when the victim ought to have known about a possible claim).

I hope this helps.

Berit

Berit Reglar
Deputy Foundation Secretary

BB:	07850918826
Tel:	+44 (0) 121 371 4324
Internal:	14324
Email:	[log in to unmask]
Web:	http://www.uhb.nhs.uk

Corporate Affairs - University Hospitals Birmingham NHS Foundation Trust
Queen Elizabeth Hospital Birmingham, Mindelsohn Way, Edgbaston
Birmingham, B15 2GW

From: The Information and Records Management Society mailing list [mailto:[log in to unmask]] On Behalf Of Neil Gow
Sent: 12 April 2018 16:14
To: [log in to unmask]
Subject: Re: GDPR Chronicles ~2: retention periods: privacy notices

Usually in situations where someone may bring a legal case against you for something you did or didn’t do in the past, there is period of time after which the chances of any such case proceeding to be heard in the courts becomes very low. I would suggest to consult with lawyers to establish when that is likely to be and set that as the retention period. There may be something in the legislation, I don’t know it in enough detail.

I agree with you that it will be longer than it has been previously.

Neil.

Neil Gow

Head of Records Management

UCB

From: The Information and Records Management Society mailing list [mailto:[log in to unmask]] On Behalf Of Meic Pierce Owen
Sent: 12 April 2018 16:00
To: [log in to unmask]
Subject: GDPR Chronicles ~2: retention periods: privacy notices

Anyone have a current thought on the retention period for privacy notices?

I am minded of the effect on the retention of documents such as these of the growing practice, growing out of the current abuse inquiries, of retaining governance documentation longer than we would have previously so that we can evidence why we did what we did at a particular time. Equally, we cannot, of course, keep everything forever.

The sharing of any thinking on this appreciated.

Meic

Meic Pierce Owen FIRMS FIIM AMIRMS

Fife Council Records Manager

GDPR is replacing the Data Protection Act 25 May 2018 click here for further information

**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed and should not be disclosed to any other party.

If you have received this email in error please notify your system manager and the sender of this message.

This email message has been swept for the presence of computer viruses but no guarantee is given that this e-mail message and any attachments are free from viruses.

Fife Council reserves the right to monitor the content of all incoming and outgoing email.

Fife Council

************************************************

To view the list archives go to: https://www.jiscmail.ac.uk/cgi-bin/webadmin?A0=RECORDS-MANAGEMENT-UK To unsubscribe from this list, send an email to [log in to unmask] with the words UNSUBSCRIBE RECORDS-MANAGEMENT-UK For any technical queries re JISC please email [log in to unmask] For any content based queries, please email [log in to unmask]

UCB Celltech is the UK branch of UCB Pharma S.A., a company registered in Belgium with registered offices at Allée de la Recherche 60, 1070 Brussels, Belgium, KBO/BCE nr. 0403.096.168, RPR/RPM Brussels.
UCB Celltech’s UK branch registration number is BR009137 and its UK representative office is at 208 Bath Road, Slough, Berkshire SL1 3WE.

(Ref: #*CUK0308) [Ref-CUK0308]

Legal Notice: This electronic mail and its attachments are intended solely for the person(s) to whom they are addressed and contain information which is confidential or otherwise protected from disclosure, except for the purpose for which they are intended. Dissemination, distribution, or reproduction by anyone other than the intended recipients is prohibited and may be illegal. If you are not an intended recipient, please immediately inform the sender and return the electronic mail and its attachments and destroy any copies which may be in your possession. UCB screens electronic mails for viruses but does not warrant that this electronic mail is free of any viruses. UCB accepts no liability for any damage caused by any virus transmitted by this electronic mail. (Ref: #*UG1107) [Ref-UG1107]

**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed and should not be disclosed to any other party.

If you have received this email in error please notify your system manager and the sender of this message.

This email message has been swept for the presence of computer viruses but no guarantee is given that this e-mail message and any attachments are free from viruses.

Fife Council reserves the right to monitor the content of all incoming and outgoing email.

Fife Council

************************************************

This email or email thread section has been classified CONTROLLED - This email requires controlled access by Council personnel and / or intended recipient(s) only. This email may contain business or personal information.

Think before you print! Save energy and paper. Do you really need to print this email?

Derbyshire County Council works to improve the lives of local people by delivering high quality services. You can find out more about us by visiting 'www.derbyshire.gov.uk'. If you want to work for us go to our job pages on 'www.derbyshire.gov.uk/jobs'. You can register for e-mail alerts, download job packs and apply on-line.

Please Note
This email is confidential, may be legally privileged and may contain personal views that are not the views of Derbyshire County Council. It is intended solely for the addressee. If this email was sent to you in error please notify us by replying to the email. Once you have done this please delete the email and do not disclose, copy, distribute, or rely on it.
Under the Data Protection Act 1998 and the Freedom of Information Act 2000 the contents of this email may be disclosed.

Derbyshire County Council reserves the right to monitor both sent and received emails.