1.1 This policy sets out the policies and procedures of Physitrack Limited (the "company") with respect to the retention, archiving and deletion of data, whether in hard copy or digital form, and including personal data.
1.2 The company is subject to a range of statutory obligations in relation to the retention of data. On the one hand, the company is obliged to retain some classes of data for a minimum period. On the other hand, it is a fundamental principle of data protection law that personal data should be only retained for so long as required. Moreover, the retention of some classes of data may represent an unnecessary security risk. For these reasons, the company recognises the importance of formulating clear and specific policies in relation to data retention.
2.1 In this policy:
(a) "appointed person" means the individual primarily responsible for handling data retention, archiving and deletion by the company, being the data protection officer of the company;
(b) "data controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
(c) "data processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
(d) "data subject" means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(e) "deletion" means the permanent and irreversible deletion of data from all relevant databases and storage media in the possession or control of the company including, where necessary to ensure the deletion of the data, the destruction of the relevant storage media; and
(f) "personal data" means any information relating to a data subject.
3. Data retention, archiving and deletion
3.1 The company must archive and delete data in its possession and/or control in accordance with schedule 1 (Data retention periods), save as set out in this section 3.
3.2 Notwithstanding the archiving rules set out in this policy, the company may retain non-archived copies of data to the extent that the data is reasonably required in non-archived form for:
(a) the fulfillment of any legal or contractual obligations of the company; and/or
(b) the establishment, exercise or defence of any legal claims.
3.3 The company must not delete data to the extent that:
(a) the company has a legal obligation to retain the data;
(b) the company has a contractual obligation to retain the data (providing that such contractual obligation is not overridden by any legal obligation to delete the data); and/or
(c) the retention of the data is reasonably required for the establishment, exercise or defence of any legal claims (providing that such requirement is not overridden by any legal obligation to delete the data).
4. Default archiving and deletion methods
4.1 Data must be archived by the company specify methods, save to the extent that specific archiving methods are provided for in schedule 1 (Data retention periods).
4.2 Data must be deleted by the company specify methods, save to the extent that specific deletion methods are provided for in schedule 1 (Data retention periods).
5. Reviewing and updating this policy
5.1 The appointed person shall be responsible for reviewing and updating this policy.
5.2 This policy must be reviewed and, if appropriate, updated annually on or around 1 July.
5.3 This policy must also be reviewed and updated on an ad hoc basis if reasonably necessary to ensure:
(a) the compliance of the company with applicable law, codes of conduct or industry best practice;
(b) the security of data stored and processed by the company; or
(c) the protection of the reputation of the company.
5.4 The following matters must be considered as part of each review of this policy:
(a) changes to the legal and regulatory environment;
(b) changes to any codes of conduct to which the company subscribes;
(c) developments in industry best practice;
(d) any new data collected by the company;
(e) any new data processing activities undertaken by the company; and
(f) any security incidents affecting the company.
SCHEDULE 1 (DATA RETENTION PERIODS)
1.1 This schedule 1 sets out the methods to be used by the company when archiving and deleting data and the periods during which data must be archived and deleted by the company.
1.2 If a data record falls under more than one section of this schedule 1, then the earlier section shall take precedence over the later section, unless the record constitutes a duplicate copy of data that is separately governed by the earlier section.
2. Customer data: retention, archiving and deletion
2.1 In this policy, "customer data" means all customer relationship management records relating to the customers of the company, including customer identity details, customer identity evidence and customer contact details.
2.2 Customer data is stored by the company in the following databases: for each geographical data centre where Physitrack application data is stored, customer data will be stored in SQL-based database management systems, configured in a high-availability pattern.
2.3 Customer data must be archived daily.
2.4 Customer data must be deleted:
(a) not less than 8 years following the archiving of the data; and
(b) not more than 9 years following that event, subject to subsection 3.3 of the main body of this policy.
2.5 Customer data must be deleted by deleting the backups from the storage medium.