What is the purpose of this policy?
To clearly explain to customers/members, suppliers, partners how The Key and GovernorHub complies with Principle (e): Storage limitation of UK GDPR as stated by the UK Information Commissioner's Office.
Scope
All personally identifiable and special categories of data relating to a data subject, that is stored and processed within any system of The Key (The Key Support Services LTD) and GovernorHub (Ortoo Technologies LTD). This includes data inherited from predecessor organizations and data obtained from 3rd party partners.
1. Data Retention & Removal
1.1. Personal data (for example names, email address) in products or services provided by The Key and GovernorHub is retained for the duration of any attached subscription and for a minimum of six months and a maximum of two years from the end of a subscription period, or from the last time the user used our services - whichever is later. This is to allow for delayed renewal by subscribers.
1.2. Special category data (for example ethnicity, religious beliefs etc) in products or services provided by The Key and GovernorHub is retained for the duration of any attached subscription and for a minimum of six months and a maximum of twelve months after the end of the subscription period, or from the last time the user used our services - whichever is later. This is to allow for delayed renewal by subscribers.
1.3. Personal data in billing systems (for example names, email address, address on invoices) is retained for seven years in accordance with HMRC financial record keeping.
2. Requests to remove
2.1. Individual users can request that their data is erased from the product(s) database of The Key and or GovernorHub along with any personal data from the Helpdesk and Customer relationship management tools + other internal tools. A record of their request is retained separately within the company filing system. To exercise this request we may need to confirm the identity of the requester and seek the permission of the data controller (School, Trust or Local Authority).
2.2. Individual users can remove their own personal data from their product profiles at any time.
2.3. Data Controllers (Schools, Trust, or Local Authorities) can remove individual member data and documents stored within The Key or GovernorHub at any time.
2.4. Individuals and or data controllers can raise requests to us by emailing the following inboxes:
2.4.1. The Key dataprotection@thekeysupport.com
2.4.2. GovernorHub dataprotection@governorhub.com
3. Limitations
3.1. On rare occasions it may not be possible to remove some personal data (for example due to a technical limitation). In these cases we will explain what the data is and of the steps we have taken to prevent further processing.
3.2. The Key and GovernorHub continuously backup data as part of our backup and disaster recovery strategies. Backups will automatically be omitted from requests to remove data (for data security and integrity reasons). However backups are retained for several months in accordance with our backup strategy.
4. References
4.1. Storage limitations, UK Information Commissioner's Office: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/storage-limitation/
This article has been prepared using the following ISO:27001-2013 standard controls as reference:
ISO Control | Description |
A.18.1 | Compliance with legal and contractual requirements |
A.18.1.1 | Identification of applicable legislation and contractual requirements . |
A.18.1.4 | Privacy and protection of personally identifiable information |