POLICY: Information Technology - Retention Schedule and Policy

POLICY URL: https://lsi-ac.uk/policy/3a6691b3-3ab1-42df-ae9b-c720272ba09a

POLICY STATEMENT: The School is committed to managing records responsibly through the systematic retention and secure disposal of documents. This policy ensures adherence to legal requirements and best practices, maintaining the integrity and confidentiality of information. It applies to all staff, supporting effective information governance and safeguarding the School’s reputation and operational effectiveness.

POLICY PRINCIPLES:
------------------

- Compliance: Adhering to legal and regulatory requirements governing record retention;
- Transparency: Providing clear guidance on record retention periods and disposal procedures;
- Confidentiality: Ensuring the confidentiality of sensitive records throughout their lifecycle;
- Accessibility: Facilitating appropriate access to records during retention periods;
- Efficiency: Retaining records only for as long as operationally necessary or legally required;
- Security: Safeguarding records against unauthorised access, loss, or damage;
- Review: Periodically reviewing retention schedules to reflect changes in legislation and operational practices;
- Accountability: Assigning clear ownership and responsibility for record management;
- Environmental Considerations: Disposing of records in an environmentally responsible manner;
- Data Minimisation: Limiting the volume of data retained to the minimum necessary;
- Auditability: Enabling effective audits of record-keeping practices and compliance;
- Continuous Improvement: Actively seeking to refine record retention and disposal practices.

REGULATORY CONTEXT:
------------------

This Policy has been developed in line with the applicable laws, regulations, regulatory advice, and sector best practices, including the following:

R1. Office for Students (OfS): Regulatory Notices and Advice - Regulatory notices are additional information about OfS' regulatory requirements and are part of the regulatory framework. Regulatory advice helps providers understand and meet OfS requirements.

R2. UK Government: Data Protection Act 2018 - Legislation aimed at controlling the processing of personal data, laying down principles with respect to the processing of personal data, and the rights of data subjects.

R3. Information Commissioner's Office (ICO): Guide for higher education institutions - Provides guidance for higher education providers on their obligations under data protection law.

R4. JISC (Joint Information Systems Committee): Digital Infrastructure Guidelines - Guidelines for universities and colleges in the UK on how to manage their digital infrastructure.

R5. Quality Assurance Agency (QAA): The Quality Code - This code represents a shared understanding of quality practice across the UK higher education sector, protecting public and student interests and championing the UK's reputation for quality.

R6. Quality Assurance Agency (QAA): Advice - Learning and Teaching -

METRICS AND KPIS:
------------------

The following metrics will be measured and regularly reviewed as key performance indicators for the School to ensure the effectiveness of this policy and associated operations:

M1. Accuracy of Document Disposal: Percentage of documents disposed of securely and in compliance with the policy annually. Ensures that confidential information is properly destroyed, protecting data integrity and confidentiality.

M2. Incident Reporting Frequency: Number of incidents related to improper retention or disposal of documents reported each year. Monitors issues related to policy adherence and helps address weaknesses in the system.

M3. Percentage of Records with Defined Retention Periods: Percentage of records for which retention periods are clearly defined and documented. Ensures that all records have appropriate retention periods assigned, supporting systematic record management.

SECTION 1: Retention Period
------------------

1.1. Timeframe (by Director of Technology): We may retain your personal data for a period of up to 6 years following the conclusion of your association with the School, unless otherwise specified. A core record of your data will be retained indefinitely to facilitate the verification of your academic history and to provide references after graduation;

This policy ensures compliance with applicable data retention regulations under English law, including the General Data Protection Regulation (GDPR) and the Freedom of Information Act 2000. It supports the verification of academic credentials and the provision of references long after your association with the School has ended, in accordance with best practices for record-keeping in higher education institutions.

1.2. Roles and Responsibilities (by Director of Technology): Compliance and the implementation, management, and review of the retention policy shall be the responsibility of the Director of Technology. The Director of Technology will oversee all aspects of data retention and security, ensuring that the policy is adhered to across the institution and that all staff are informed of their responsibilities regarding record management;

This centralised approach clarifies accountability and promotes effective management of the retention policy. By assigning the Director of Technology as the primary responsible party, we ensure that all technological aspects of data retention and compliance with legal requirements, including data protection regulations, are comprehensively addressed. This responsibility fosters a culture of diligence and awareness within the institution, ensuring that staff understand their obligations regarding the retention and management of personal data.

SECTION 2: Review and Disposal Process
------------------

2.1. Regular Review and Secure Disposal (by Director of Technology): Procedures shall be established for the regular review of records to ensure that retention schedules remain current and also in compliance with law. Once the retention period has passed, records will be disposed of securely using methods such as shredding paper documents and secure digital deletion;

This process ensures compliance with data retention regulations and promotes effective data management. By regularly reviewing records and implementing secure disposal methods, we minimise the risk of unauthorised access to outdated information and protect sensitive data from potential breaches.

SECTION 3: Data Security and Access
------------------

3.1. Secure Storage and Controlled Access (by Director of Technology): Records will be securely stored in designated systems, with access restricted to authorised personnel only. Measures will be implemented to protect sensitive data throughout the retention period;

This policy ensures that personal data is safeguarded against unauthorised access and breaches. By clearly defining storage protocols and access controls, we create a secure environment that protects sensitive information and upholds the institution's commitment to data protection.

SECTION 4: Version Control and Review Cycle
------------------

4.1. Policy Review and Version Control (by Director of Technology): The retention policy will be reviewed annually, or more frequently if necessary, to ensure compliance with evolving regulations and institutional requirements. A version control system will be implemented to track updates and revisions;

Regular reviews of the policy ensure that it remains relevant and compliant with current legal standards. By maintaining version control, we promote transparency and accountability in record management practices, ensuring all staff are informed of the most up-to-date procedures.

SECTION 5: Disaster Recovery
------------------

5.1. Data Recovery Provisions (by Director of Technology): Comprehensive provisions for disaster recovery will be established to ensure that records can be restored in the event of system failures or disasters;

This policy ensures that vital records are protected against loss due to unforeseen circumstances. By implementing robust disaster recovery measures, we safeguard the integrity of our data and maintain continuity in operations, thereby ensuring that essential information remains accessible when needed.

SECTION 6: Other Relevant Policies
------------------

6.1. Retention Policy Integration (by All Staff and Students): This Retention Policy must be read in conjunction with other School policies, including the Information Technology (IT) Regulations, Automated Governance System (AGS) Policy, Information Technology (IT) Infrastructure Management Policy, Website Privacy Policy, and Data Protection Policy;

Integrating this policy with the IT and Data policies ensures comprehensive management and understanding of data retention practices, aligning with the School’s broader governance and compliance framework.

SECTION 7: Changes to this Privacy Notice
------------------

7.1. Policy Review: This policy is subject to regular review;

Regular reviews ensure the policy remains current, effective, and aligned with best practices and legal requirements, thereby maintaining its relevance and accuracy over time.

SECTION 8: Other Notices
------------------

8.1. Privacy Notices: We strive to protect your privacy diligently. Please note that additional privacy notices are available on our website, covering various aspects such as enquiries, applications, current students, alumni, and website usage;

These notices ensure transparency and inform you about how your data is managed across different activities, helping you understand our comprehensive approach to privacy protection.