This guidance looks at data retention in relation to the new General Data Protection Regulation (GDPR). You can find out more about GDPR in our GDPR toolkit, including a template Data Protection and Retention Policy.
One of the changes with GDPR is that you will need to be more vigilant with regards to how long you keep data for. It can be very easy to keep old data on a spreadsheet somewhere or locked away in a filing cabinet. However, you should not hold and use data unless you have a good reason for doing so.
Removing old data may seem like an administrative burden. But tidying up data is a good administrative process to go through anyway – and if you don’t need the data, why have it? It takes up space and exists purely to create risk for you – which you can easily remove.
Having a regular review of the data you hold and how you use it is a good idea. But thinking about data retention and making sure your data is clean and useful should be an ongoing process. If you have some processes in place for cleaning data as you go, it will help ensure you are being fair and responsible in how you use data and reduce any risk to your group, not to mention making a regular data review much easier.
Have a regular review of your data
Have a process in place for reviewing your data on a regular basis. The point of this review should be to decide if you still have a good and fair reason to store and/or use the data, and that you have any necessary permissions in place.
It is a good idea to have a retention policy to help you manage the regular review process. We have a template policy available to help with this. A retention policy should cover:
- How often will it take place - we think every 2 years will be fine for a leisure time music group
- What data will be reviewed and where it is stored
- Who will do the review
- What criteria will you apply to make decisions
- How will you delete or destroy data.
Things to consider when reviewing you data:
Permission and consent: you might find as part of a review that you are using data in a way that was not originally intended. For example, you are emailing an accompanist or workshop leader you worked with about your events, without a record of their consent. There is no need to panic and contact them to get consent. If you have always provided an opt-out/unsubscribe option, and they have not acted on it (or requested you stop via another way) then you might take the view that are happy to carry on receiving emails.
Review the data, not the individual: it is important to remember that you are reviewing pieces of data not all the data on an individual. The point here is that you can treat different pieces of data in different ways.
Example: someone you worked with on a freelance basis two years ago. At the point of review you might hold: name, address email, phone, bank details, a contract/agreement and notes on their performance. You might decide to:
- Delete the address and bank details
- Keep the name, email and phone in case you want to work with them again
- Keep a redacted version of the performance notes for reference purposes
- Keep the contract for archive purposes/statuary requirement
Anonymise: if you think some data (e.g. age of former members) is useful but you don’t have a particular need to keep it at the moment, you could turn it into anonymous statistical data, which might be useful for strategic planning targets or funding bids.
Statutory requirement: it is important to remember that there is regulation that says you have to keep some forms of data for a certain amount of time. Some examples include:
- Financial records (e.g. accounting records/documents, bank statements) - six years
- Annual accounts - permanently
- Gift Aid Declarations - six years after last payment made
- Contracts/agreement with suppliers/customers (e.g. freelancers) - six years after expiry
- Tax and employment records for employees (not freelancers) - six years
- Job applications and interview notes - six months
- Trustees meeting minutes - permanently
- Insurance:
- Policies - three years after lapse
- Employers Liability Certificate - 40 years
- Information relating to claims - three years after settlement
Keeping for archive/record purposes: it may be necessary to keep some data for your group records. For example you might want to keep the name and membership dates of former members, or for volunteers/freelancers your might want to keep name, dates of engagement and brief notes on performance for references.
Safe and secure: its fine to decide to keep data if you have a good reason - but as ever it must be stored safely and securely.
Retention procedures outside of a regular review
Having processes in place to help you think about data retention on an ongoing basis (rather than just at a regular review) is the best way to keep your data clean, accurate and useful. You could have built in deletion criteria for some data that would mean it is deleted based on an action before the regular review. For example:
- Member data: if a member leaves the group you might decide to delete sensitive data (medical, financial) as soon as is practically possible and ensure any email data is removed from any live mailing lists (unless you have consent) but, on the grounds that it might be sensible to keep some data for longer, review all other data at your next regular review point.
- Mailing list data: if someone opts-out of the mailing you must ensure that they are not contacted again. That doesn’t necessarily mean deleting the data – you could keep the data but not use it (you will need good processes to manage this). However, if their data exists solely on a mailing list and they have opted out it makes sense to remove the risk and delete them as soon as is practical. At the very least, any individual who has opted out but not been removed should be removed in your regular data review.
- Volunteers and freelancers: this could be treated in a similar way to members. Sensitive data is removed as soon as possible after the person leaves, all other data is reviewed at next two year review.
You may also want to think about asking your members to check the data you hold on them is accurate. This could be done annually at rehearsals.
How far do you have to go with deleting data?
When a member leaves it is likely their data will be in several places. It may be listed a spreadsheet used by the committee, a mailing list, on an old paper form in a filing system or in a directory in the member section of your site. Their email address may also be listed in emails sent over previous years. It is unrealistic and unpractical to remove all instances of the data, so a common sense approach can be taken:
- Certainly it should be removed from any live dataset where it could be used, such as a mailing list or online directory
- You should be vigilant with any paper forms as well – these can be easily reviewed and destroyed as appropriate every two years.
- Data on old emails perhaps depends on what it is. If you have an email with sensitive data relating to a former member (medical, bank details etc.) it would be sensible to review and delete those emails. Where it is a case of their name/email appearing in an email it would be overzealous to delete all of these. Of course your email account should be secure and password protected anyway, and you could also look at archiving rules for emails based on date.
We hope you find this Making Music resource useful. If you have any comments or suggestions about the guidance please contact us. Whilst every effort is made to ensure that the content of this guidance is accurate and up to date, Making Music do not warrant, nor accept any liability or responsibility for the completeness or accuracy of the content, or for any loss which may arise from reliance on the information contained in it.