This data retention policy sets out the obligations of CalQLife Limited (“us/we/our”) and the basis upon which we shall retain, review and destroy data held by us, or within our custody or control.
This policy applies to our entire organisation, including our officers, employees, agents and sub-contractors and sets out what the retention periods are and when any such data may be deleted.
We are registered under the Information Commissioner’s Office under registration number ZA317676.
It is necessary to retain and process certain information to enable our business to operate. We may store data in the following places:
This policy applies to electronic media and any other method used to store personal data. The period of retention only commences when the record is closed. We are bound by various obligations under the law in relation to this and therefore, to comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully in respect of their personal data under the General Data Protection Regulation (“the Regulation”).
The Regulation defines “personal data” as any information relating to an identified or identifiable natural person (a data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
This Policy sets out the procedures that are to be followed when dealing with personal data and how we aim to comply with the Regulation in so far as it is possible. In summary, the Regulation states that all personal data shall be:
The Fourth and Fifth Data Protection Principles require that any data should not be kept longer than necessary for the purpose for which it is processed and when it is no longer required, it shall be deleted, and that the data should be adequate, relevant and limited for the purpose in which it is processed.
With this in mind, this policy should be read in conjunction with our other policies which are relevant such as our data protection policy and IT security policy.
All data and records are stored securely to avoid misuse or loss. We will process all personal data we will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
We will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if there is agreement by them to comply with those procedures and policies, or if there are adequate measures in place.
Our data is stored at the Linode Data Centre based in London, England.
We will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
Data retention is defined as the retention of data for a specific period of time and for back up purposes.
We shall not keep any personal data longer than necessary and as such, our data retention period shall be for a strict period of two years from the production of a client report. This gives time for a client file to be revisited by an Adviser to update information as part of a regular review process. Where a client has not been revisited within the strict two-year timeframe, the report and underpinning data will automatically be placed into the data deletion process which will take three working days to complete, as it moves through our data backup process. Therefore, two years and three complete days after a client report has last been modified, all data relating to that report will be permanently removed from CalQLife main server and backup server.
Data relating to Adviser businesses and their CalQLife license agreements will be retained for the life of the business relationship with CalQLife Limited. Upon cancellation of a license, the data of the then former license holding company will be placed into the deletion process three months after cancellation to allow time for any licence related queries to be resolved. Therefore, three months and three complete days after cancellation of a CalQLife licence all data relating to that licence, including all reports produced and the underlying client data will be deleted.
Data relating to Adviser businesses that commence trial licences and do not upgrade to full licences will be placed into the deletion process three months after the expiry of their trial licence to allow time for any mistaken expiries to be rectified. Therefore, three months and three complete days after cancellation of a CalQLife licence all data relating to that licence, including all company data, reports produced, and the underlying client data will be deleted.
All data deletions will be permanent and irretrievable.
Upon expiry of our retention periods, we shall delete all stated records and the data which is used in the drafting of client protection reports.
Our Records Management Officer, Mark Payne is responsible for undertaking regular checks to ensure that the automated deletion process is active, and no records are retained beyond the periods stated above. This will be undertaken via a review of his own active client records as officers of CalQLife Limited do not have visible access to client reports generated by licence holding individuals and / or business, in accordance with the agreed data privacy between CalQLife Limited and the licence holding individual and / or business.