1. Purpose of the policy

1.1. This Data Protection Policy ensures that the RSA complies with the Data Protection Act 2018, the UK General Data Protection Regulation, and such other legislation as may be passed; in this document all such legislation is collectively referred to as ‘the Legislation’.

1.2. Scope: This policy applies to all our people including employees, contractors, and volunteers working for the RSA, partners working with the RSA, all Trustees, all Independent Committee members and all Fellows engaged in activities commissioned, sponsored, or otherwise provided by the RSA.

2. Responsibilities

2.1 The Executive Team

The Executive Team is responsible for supporting and driving the broader data protection and information security agenda at the RSA, as well as providing assurance that effective best practice mechanisms are in place across the business. Within the context of data protection the Executive Team is responsible for:

  • Reviewing, contributing to, and recommending to the Board or its Committees data protection-related strategies and policies;
  • Ensuring the provision of resources to deliver approved strategies, and monitoring performance;
  • Reviewing the operational status of data protection compliance across the business and acting as a point of escalation for related issues; and
  • Ensuring that the Data Protection Officer has appropriate levels of autonomy and adequate support and resources to enable them to undertake their role effectively and to fulfil the requirements of the role.

2.2 Data Protection Officer

RSA’s Director of Finance (or their nominee) is the Data Protection Officer. The Data Protection Officer is responsible for monitoring internal compliance with data protection legislation and reporting data protection matters to the Audit and Risk Committee.

The Data Protection Officer is also responsible for informing all staff of and advising them about their data protection obligations in relation to a number of compliance matters, including:

  • The processing of special category and criminal convictions data;
  • Handling data subject requests;
  • Approving arrangements with Data Processors;
  • International data transfers;
  • Carrying out Data Protection Impact Assessments (DPIA) and privacy by design; and
  • Reporting data breaches.

The Data Protection Officer is the contact point for data subjects and the Information Commissioner’s Office (ICO).

2.3 Heads of Department

Heads of Department are responsible for ensuring that staff in their teams are aware of this policy and their responsibilities (as outlined above), including completion of mandatory data protection training.

Heads of Department are expected to encourage and promote a culture of compliance with regards to data protection within their teams.

Heads of Departments should work in conjunction with nominated staff within their teams to identify, record, and manage data risks.

2.4 All Staff

All RSA staff are responsible for:

  • Familiarising themselves with this policy and ensuring that they adhere to the data protection principles when processing personal data as part of their work for the RSA;
  • Consulting with the Data Protection Officer for guidance and advice in relation to data protection compliance matters, including the processing of special category and criminal convictions data, handling data subject requests, international data transfers, carrying out Data Protection Impact Assessments, and reporting data breaches;
  • Completing data protection-related training as required by the RSA;
  • Reporting any personal data breaches they become aware of to the Data Protection Officer immediately via the personal data breach-reporting process (see Appendix 1);
  • Keeping personal data in accordance with the IT Security and Usage Policy, and the Archive Policy;
  • Ensuring that personal information is not disclosed deliberately or accidentally orally, electronically, or in writing, to any unauthorised third party;
  • Promptly forwarding all initial requests for personal data to the Data Protection Officer or their nominee, within two working days;
  • Ensuring that the information provided to the RSA in connection with their employment or service contract is kept accurate and as up to date as possible.

It is important to understand that it is the responsibility of the individual collectors, keepers, and users of personal data to apply the provisions of the Legislation, such as keeping records up to date and accurate.

3. Data Protection Principles and Processing

The Legislation is not intended to prevent the processing of personal data, but to ensure the fair and proper use of information about people. It is about treating people fairly and openly, recognising their right to have control over their own identity and their interactions with others.

3.1. The Principles

The RSA is committed to processing data in accordance with its responsibilities under the Legislation, which requires that personal data should be:

  • Processed lawfully, fairly, and in a transparent manner in relation to individuals (the “lawfulness, fairness and transparency principle”);
  • Collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific purposes, historical research purposes, or statistical purposes shall not be considered incompatible with the initial purposes (the “purpose limitation principle”);
  • Adequate, relevant, and limited to what is necessary with relation to the purposes for which they are processed (the “data minimisation principle”);
  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (the “accuracy principle”);
  • Kept in a form that permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific purposes, historical research purposes, or statistical purposes, subject to implementation of the appropriate technical and organisational measures required to safeguard the rights and freedoms of individuals (the “storage limitation principle”);
  • Processed in a manner that ensures appropriate security of personal data, using appropriate technical and organisational measures to protect the data against unauthorised or unlawful processing, accidental loss, destruction, or damage (the “integrity and confidentiality principle”);
  • The Data Controller is responsible for, and is able to demonstrate compliance with, the principles above (the “accountability principle”).

3.2. Processing – Personal data

The RSA can process personal data when at least one of the following lawful bases applies:

  • An individual has given clear consent for the RSA to process their personal data for a specific purpose;
  • Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract; for example, when we need to store details of someone in our accounts system in order to pay them;
  • Processing is necessary for compliance with a legal obligation; for example, when ordered to do so by law such as through a court order or warrant;
  • Processing is necessary to protect the vital interests of a data subject or another person; one example would be to protect someone’s life;
  • Processing is necessary for the performance of a task carried out in the public interest or for an official function, and the task or function has a clear basis in law; and
  • Processing is necessary for RSA’s legitimate interests or for those of a third party, except where there is a good reason to protect the individual’s personal data that overrides RSA’s legitimate interests.

The legal basis for processing should always be determined and documented before the data is processed. The RSA’s Privacy Policy broadly outlines the legal bases for processing carried out as part of RSA’s standard functions. Users must consult this policy prior to initiating any new processing activity.

3.3 Processing – Special Category Data and Criminal Offence Data

In order to lawfully process special category data and criminal offence data, additional conditions must be met, and the Data Protection Officer should be consulted in relation to these.

3.3.1 Special Category Data

UK GDPR sets a higher bar to justify the processing of special categories of personal data. These are defined as “data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.” (Article 9(1)).

The RSA can process special category data when at least one of the lawful bases in 3.3 is met and one of the conditions below also applies:

  • Explicit consent by the data subject;
  • For carrying out obligations and exercising rights in relation to employment, social security, and social protection law;
  • To protect vital interests where the data subject is incapable of giving consent;
  • Processing by not-for-profit bodies;
  • Personal data has manifestly been made public by the data subject;
  • Necessary for the exercise or defence of legal claims or judicial acts;
  • Necessary for the purpose of substantial public interest;
  • Necessary for health or social care systems and services;
  • Necessary for the reason of public health; and
  • Necessary for archiving, research and statistics.

Staff who wish to process special category data should seek advice from the Data Protection Officer to ensure that the data can be lawfully processed.

3.3.2 Criminal Offence Data

The UK GDPR gives extra protection to “personal data relating to criminal convictions and offences or related security measures”. This covers a wide range of information about offenders or suspected offenders in the context of:

  • Criminal activity;
  • Allegations;
  • Investigations; and
  • Proceedings.

Those who wish to process criminal offence data should seek advice from the Data Protection Officer to ensure that the data can be lawfully processed.

3.4 Processing – CCTV

The RSA processes personal data through the use of CCTV to monitor and collect visual records to provide a safe environment for staff and visitors to our House and for the purposes of security. Clear signage is in place around RSA House and CCTV processing is referenced in RSA’s Privacy Notices, in line with ICO guidance.

Such personal data may be used for the prevention and detection of crime; for evidential purposes to support criminal, civil, and internal proceedings, including disciplinary investigations; and to assist in Health and Safety requirements and other legal or regulatory compliance obligations.

4. Data subject rights

4.1. The Data Protection Legislation ensures that data subjects have the following rights:

  • The right to be informed: to be informed about the collection and use of their personal data;
  • The right of access: to access and receive copies of their personal data;
  • The right to rectification: to have inaccurate personal data rectified or completed (if incomplete);
  • The right to erasure (or ‘to be forgotten’): to ask for personal data to be erased; however, this is not absolute and only arises in quite a narrow set of circumstances, notably where the controller has no legal ground for processing the information;
  • The right to restrict processing: to request restriction or suppression of their personal data; again, this only applies in certain circumstances, and storage of the data is still permitted;
  • The right to data portability: to obtain and reuse their personal data for their own purposes across different services;
  • The right to object: to object to the processing of their personal data in certain circumstances; and
  • Rights in relation to automated decision-making and profiling.

4.2. The RSA has appropriate processes in place to comply with data subject requests within the associated statutory timescale. The Data Protection Officer should be contacted whenever one of the above requests is received from a data subject.

5. International Transfers

5.1. Personal data must not be transferred outside of the United Kingdom unless appropriate safeguards are in place to ensure an equivalent level of data protection. Generally, such safeguards will be limited to the following:

  • The United Kingdom has made a decision that the third country ensures an adequate level of protection (an adequacy decision); or
  • An appropriate transfer mechanism is in place, such as the use of an International Data Transfer Agreement (IDTA); or
  • Where relevant, the RSA may rely on the UK Extension to the EU-US Data Privacy Framework, in line with guidance from the ICO.

5.2. Where the transfer is to a country without an adequacy decision, advice should be sought from the Data Protection Officer at the very earliest opportunity.

6. Data Protection Impact Assessments

6.1. Under data protection legislation, organisations are required to complete a Data Protection Impact Assessment (DPIA) for types of processing that are likely to result in a high risk to the rights and freedoms of Data subjects.

6.2. Staff undertaking DPIAs should include consultation with the Data Protection Officer, as well as other relevant individuals or stakeholders, where appropriate.

7. Records and Retention Management

7.1. The RSA depends upon the reliability, integrity, and accessibility of its records for the efficient and effective discharge of its responsibilities. Records created in the course of RSA business belong to the RSA, rather than the individuals that create or use them. However, everyone within the RSA has defined and shared responsibilities for managing records. These responsibilities and the system to be followed are set out in Appendix 2.

8. Data Breaches

8.1. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.

8.2. All personal data breaches must be reported to the Data Protection Officer, who will decide whether they are reportable to the Information Commissioner’s Office or to Data subjects. The Data Protection Officer will also advise on action that is required internally and provide guidance to assist with mitigating risks of future breaches.

8.3. The RSA must report certain types of personal data breaches to the Information Commissioner’s Office within 72 hours of it becoming aware of the breach. As such, breaches should always be reported to the Data Protection Officer immediately. Should the Data Protection Officer be absent, the Chief Operating Officer or another member of the Executive should be contacted.

8.4. Guidance on the reporting of a data breach is included in Appendix 1.

9. Glossary of Terms

9.1. PERSONAL DATA means any information relating to an identified or identifiable individual. This might be anyone, including a customer, client, employee, partner, member, supporter, business contact, public official, or member of the public.

9.2. It doesn’t need to be ‘private’ information: even information that is public knowledge or is about someone’s professional life can be personal data.

9.3. It doesn’t cover truly anonymous information, but if you could still identify someone from the details, or by combining it with other information, it will still count as personal data.

9.4. It includes paper records if you intend to put them on a computer (or on any other digital device) or file them in an organised way.

9.5. SPECIAL CATEGORY DATA is personal data that needs more protection because it is sensitive. It includes data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (used to uniquely identify someone), data concerning health, or data concerning a person’s sex life or sexual orientation.

9.6. PROCESSING means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

9.7. DATA SUBJECT is the identified or identifiable living individual to whom personal data relates.

9.8. DATA CONTROLLER is the person or entity which, alone or jointly with others, determines the purposes and means of processing personal data. The RSA is a data controller.

9.9. DATA PROCESSOR is a person or entity that processes personal/special and sensitive data on behalf of a controller. Whenever a third party is used to process personal data for the RSA, staff must ensure that the appropriate legal/contractual arrangements are in place, and the RSA must be assured that the processor can demonstrate compliance with data protection legislation requirements. Arrangements with processors should be approved by the Data Protection Officer.

9.10. ALL STAFF refers to employees, self-employed contractors, and agency temps.

10. Further information

Further information can be found in the following:

  • IT Security & Usage Policy
  • Privacy Policy
  • RSA Personal Data Breach Guidelines (Appendix 1)
  • Data Breach Notification Report (Appendix 2)
  • Records and Retention management (Appendix 3)
  • Retention and Disposal Schedule (Appendix 4)

If you have questions or require further guidance, please contact the Data Protection Officer.

APPENDIX 1

RSA Personal Data Breach Guidelines

1. Introduction

1.1. The RSA collects, holds, processes, and retains personal data to deliver and support its business function.

1.2. Under the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018) the RSA has an obligation to ensure the appropriate safeguards are in place when handling personal data.

1.3. The RSA needs to have in place a robust process for reporting and managing any incidents involving breach of personal data.

2. Definitions

2.1. The GDPR defines a “personal data breach” as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

2.2. The aim of this guidance is to standardise the RSA’s response to a personal data breach incident and to ensure incidents are reported, logged, and managed appropriately by adopting a standard, consistent approach. It ensures that:

  • Incidents can be properly managed, and consideration given to referring to the Information Commissioner’s Office (ICO) where appropriate to do so, ensuring the 72-hour statutory reporting period is met;

  • All incidents are recorded and documented, and evidence is gathered and maintained;

  • Data subjects and/or external bodies are notified where appropriate; and

  • The impact of incidents and preventative actions taken are captured so that lessons can be learned to prevent the reoccurrence of a similar breach in the future.

3. Responsibilities

3.1. Heads of Departments are responsible for ensuring that staff in their area act in compliance with the Data Protection Policy and this guidance, and that Heads provide appropriate assistance to investigations as required.

3.2. Staff: When a staff member is aware of an actual or suspected personal data breach they should:

  • Inform their line manager immediately.
  • Take steps to retrieve/contain the personal data.
  • Alert the Data Protection Officer as soon as possible and complete the incident reporting form (Appendix 2). Send the completed form to the Data Protection Officer. In the absence of the Data Protection Officer, a member of the Executive Team should be contacted.
  • Assist the Data Protection Officer with investigations as required, particularly if urgent action must be taken to prevent any further harm.

3.3. All staff should be aware that a breach of Data Protection legislation may be subject to the RSA’s disciplinary procedure.

4. Data Protection Officer’s responsibilities

4.1. Once the Data Protection Officer has been notified they will undertake the following, as determined by the circumstances:

  • Arrange for an investigation to be undertaken, with support from other areas of the business as necessary.
  • Take steps to contain the breach and any additional steps to prevent any further breach.
  • Assess the severity, risk, and harm to individuals affected by the breach.
  • Consider notification to individuals impacted by the breach and to relevant third parties.
  • Maintain a record of the breach, mitigations to be implemented, and the outcome.
  • Notify the Information Commissioner’s Office of personal data breaches, if necessary.
  • Add the breach to the RSA’s personal data breach log.

5. Notification of Breach

5.1. The RSA has a duty to report to the Information Commissioner’s Office (ICO) a personal data breach that is likely to result in high risk to the rights and freedoms of individuals within 72 hours.

5.2. If the assessment of risk and impact identifies that the breach meets the threshold for referral, then the Data Protection Officer, following liaison with the Executive team, will report the notifiable breach to the ICO via the ICO’s online reporting form.

5.3. In any event, personal data breaches will be reported to the next Audit and Risk Committee meeting.

APPENDIX 2

Data Breach Notification Report

Please see the guidance below to help complete this form.

Date & time of breach incident:

Department:

Description of the breach and how it occurred (see guidance section 1):

Please mark all categories of data that were included in the breach:

  • Basic personal identifiers (e.g. name, contact details)
  • Identification data (e.g. usernames, passwords)
  • Economic / financial data (e.g. bank details)
  • Health data
  • Location data
  • Criminal convictions / offences
  • Trade union membership
  • Official documents (e.g. driving licence)
  • Sex life data
  • Genetic or biometric data
  • Political opinions
  • Not yet known
  • Any of the 9 protected characteristic groups (see guidance section 2) – please state:
  • Other – please state:

How many data subjects have been affected?

  • Number: [x]
  • Categories (see guidance section 3):

Number of personal data records concerned (if applicable):

Describe and identify any potential risks and impact to the affected data subject(s), given the sensitivity of the data and any other risks identified (see guidance section 4):

What actions have already been taken to recover the breach or mitigate the risk? (see guidance section 5)

Have the data subjects been made aware? If so, when and by whom?

Type of breach (see guidance section 6):

Are there any safeguarding issues that we need to be made aware of? (see guidance section 7)

Person completing this form:

  • Name / job title:
  • Date & time completed:

Guidance for Completing a Data Breach Incident Notification Report

Please work through the form and complete ALL sections.

1. Description of the Breach and how it occurred

Things to include are:

  • Who committed the breach or identified the incident, the name of their supervisor, and the date/time at which the supervisor was notified.
  • What exactly happened (e.g., email sent to the wrong recipient, loss of keys, information etc).
  • Whether the data breach has spread further (such as whether the email has been forwarded to anyone else).
  • Whether it was due to Human or System error.
  • Whether such a breach has happened before; if so, when, and what happened.
  • This is not an exhaustive list; please include all information available to you.

2. Protected Characteristics

Please identify all categories of protected characteristics that are in the data breach:

Age, Race, Disability, Sex, Gender Reassignment, Sexual Orientation, Religion or Belief, Pregnancy and Maternity, and Marriage and Civil Partnership.

3. Data Subject Categories

Please identify all categories of data subjects that have been affected by the breach/incident:

Trustees, Employees, Students, Children, Vulnerable Adults, and Customers. This includes individuals requesting services or information from us e.g., Fellows, applicants, alumni, etc.

4. What is a Potential or Real risk?

Physical or emotional, material, or non-material damage or distress caused, or likely to be caused, to any affected individuals.

Could the breach lead to identity fraud, or any financial loss, or damage to a person’s reputation, or may lead to any economic or social disadvantage to a person(s) etc.?

5. Suggest actions to Recover or Mitigate the Breach

For email breaches:

  • Try to recall the message using the Outlook recall function.
  • If you are unable to recall the email, contact the IT department to ask if they are able to recall it.
  • Contact the recipient(s) directly, ask that the email is disregarded, and seek written confirmation of the action that the recipient has taken.

For other hardcopy or removable media breaches:

  • Seek to retrieve the paperwork or removable media immediately.
  • Ensure it has not been accessed or shared further. If the items have been found by an individual, request confirmation from them that they have not accessed, copied, or shared the information further.

Contact the Data Protection Officer for further advice and support.

6. Types of Breach

Breaches have been grouped into different types. Please select the appropriate type from below and enter the relevant one on the form:

  1. Data Loss: Any loss of data, including missing discs, USB memory sticks, paper files etc.
  2. Inappropriate Disclosure: Includes the accidental or deliberate sharing of information to the incorrect person/organisation, wrong emails, or information provided about the wrong data subject.
  3. Procedural Concerns: Where a breach occurs despite following the current procedure, and it is identified that the procedure may require review.
  4. Other: If none of the breach descriptions above match your incident.

7. Safeguarding

Please raise any safeguarding issues that we need to be aware of. For example, is there a person in the business who is the key contact for a vulnerable adult or child? How have the rights of the vulnerable people been taken into account? Do liaise with the Designated Safeguarding Lead for support.

APPENDIX 3

Records and Retention Management (Archive)

1. Scope and Definitions

1.1. The Archive aims to assess, appraise, and catalogue key moments in the RSA’s history. The Archive’s records and retention management dates back to 1754. Our current procedure for managing the RSA’s archival records aims to:

  • Ensure that the RSA retains, and increasingly creates, only those records that it requires to conduct and document its business, and to comply with its legal and regulatory obligations.
  • Select for permanent preservation as archives those records deemed worthy of permanent preservation for (i) documenting the administrative history of the RSA; (ii) demonstrating the cultural context in which the RSA operates; and (iii) illustrating a representative sample of the activity and history of the organisation under the Archiving in the Public Interest exemption (see 6.5).

1.2. This procedure applies to all records created, received, and maintained by the RSA’s staff during RSA business. Not all records created will be relevant for the purposes of the Archive.

1.3. A Record is a document in any format that has been generated or received by the RSA during its activities and has been, or may be, used by the RSA as evidence of its actions and decisions, or because of its information content.

1.4. Records management is a series of integrated and embedded systems related to the core processes of the RSA by which the RSA seeks to control the creation, distribution, filing, retrieval, storage, and disposal of those records created or received by the RSA during its business.

1.5. Archives are records selected for permanent preservation as part of the RSA’s corporate memory and as a resource for research for current and future use.

2. Key Objectives

2.1. The objectives of this procedure are to ensure:

  • RSA records systems are authentic, reliable, protected against unauthorised alteration, comply with regulatory and other business needs, and remain accessible to those that need to use them for as long as they are required.
  • Records and other data that are not required are deleted quickly and efficiently.
  • The information records contain can be retrieved accurately and quickly to aid decision-making and increase management effectiveness.
  • RSA records are managed cost-effectively, avoid unnecessary duplication, and are retained only as long as required.
  • All files are held securely, in a manner commensurate with their value and retention period, and in the medium most appropriate for the task they perform.
  • All files vital to the survival of the RSA are identified and protected.
  • Files that are no longer current are stored cheaply, retrieved promptly, and reviewed and disposed of only in accordance with a defined approval process.
  • Files worthy of permanent preservation as archive are identified and at the appropriate point preserved in the RSA Archive.

3. Responsibilities

3.1. Effective records management is a shared responsibility across the RSA.

3.2. The Chief Operating Officer has overall responsibility for the efficient storage of records across the RSA.

3.3. The Data Protection Officer is responsible for personal data across the organisation and for ensuring that the RSA meets its obligations under relevant legislation.

3.4. The Senior Archivist of the RSA has responsibility for promoting and supporting compliance with the Records and Retention Procedure.

3.5. The Head of Technology has responsibility for developing and maintaining systems to ensure that records will remain authentic, reliable, and usable throughout any system change, including format conversion, migration between hardware and operating systems, or specific software applications, for the entire period of their retention.

3.6. Team Managers and Departmental leads are responsible for ensuring the accuracy of the Schedule of Personal Data, including Archive Processes and compliance with the agreed retention periods.

3.7. All staff are responsible for creating and maintaining records in compliance with relevant RSA policies and procedures.

4. Implementation

4.1. All records, including all personal data collected and stored by departments, are required to be listed on the GDPR Map, including Archive Processes. This sets the retention policy and period for all records and personal data across the RSA. It ensures:

  • Retention of records for permanent preservation and the periods for which other records are to be retained;
  • A clear list of records retention/disposal schedules for each department;
  • Appraisal and destruction of time-expired records, including a permanent record of why records were destroyed, when, and on whose authority;
  • Storage and destruction of non-current records; and
  • Compliance with the procedure represented by the RSA’s strategy to preserve, document, and provide long-term access to electronic records to be kept permanently as archives.

5. Record Systems

5.1. Files are stored on the Archive’s digital platform or physically in the strong rooms.

5.2. Once Departments no longer require records, those identified for permanent preservation should be passed to the Archive, to be kept either in the electronic archive or in the physical archive.

6. Record Retention and Archive

6.1. Live records, defined as those within the schedule, must be retained by the relevant department and should be shared in discussion with the Senior Archivist.

6.2. Digital records potentially requiring archive are thereafter transferred to a designated folder within SharePoint for review by the Senior Archivist before formally being accepted into the archive or being disposed of.

6.3. Paper records are passed to the Senior Archivist, who reviews them before they are accepted into the archive or disposed of.

6.4. Any records may be accepted into the archive under the ‘archiving in the public interest’ exemption when the purpose for doing so meets one or more of the following criteria (outlined in The National Archives Data Protection Toolkit by Naomi Korn Associates):

  • storage and preservation
  • long term accountability
  • provision of access for all types of research through inspection and publication
  • discovery and availability of personal, community and corporate identity
  • memory and history
  • establishment and maintenance of rights, obligations and precedents
  • educational use
  • commercial and non-commercial re-use, such as digitisation
  • acquisition and selection
  • accessioning
  • arrangement and description
  • if the processing of archival material serves a public good rather than being purely for personal or corporate interest and private gain
  • where archival activity is funded or partly funded out of the public purse, or the service is used by publicly funded organisations or to support publicly funded activities
  • the records have been selected for permanent preservation
  • the archive service is transparent about the fact and nature of its archiving of personal data, the way it manages that data and how data subjects can contact the service
  • the archive pays due respect to current relevant standards
  • public access in line with the data protection principles is permitted or is likely to be permitted at some future date when the archives are no longer confidential.

If you have questions or require further guidance, please contact the Senior Archivist.

APPENDIX 4

Retention and Disposal Schedule

6.5. The aim of the Retention and Disposal Schedule is to outline the RSA’s approach to managing the retention and secure disposal of our information in line with our business requirements and legal obligations. Most systems will also have their own more detailed GDPR Map and individual data schedules owned by the Data Controller (for example, Salesforce).

6.6. There are various pieces of legislation which outline retention requirements. These include, but are not limited to:

  • Freedom of Information Act 2000 – including the Code of Practice Section 46 (FOIA)
  • The UK General Data Protection Regulation (the UK GDPR)
  • Data Protection Act 2018 (DPA 18)
  • Public Records Act 1958
  • Limitation Act 1980
  • Inquiries Act 2005

6.7. Our Retention and Disposal Schedule sets out our retention periods. Information must be kept for the length of time defined in the schedule unless there is a legal requirement to destroy it sooner.

6.8. The Schedule is arranged by function, rather than by directorate. Any proposed additions or changes to retention periods must be sent through to the Data Protection Officer for discussion and approval.

6.9. The RSA’s Retention and Disposal Schedule is set out below (point 6). Each retention period has three elements:

  • Trigger – the action which begins the retention period (e.g., ‘End of Financial Year’ or ‘End of Employment’)
  • Retention period – the length of time the information will be kept
  • Action – either ‘review’ or ‘destroy’. If the action is ‘review’ the information must be reviewed to ensure it is no longer required before destruction.

6.10. Every team is responsible for its own data and review. The outcomes of a review may be: dispose, mark for permanent preservation, or a temporary extension with a further review at a future date. If the action is ‘destroy’, this means the information can be destroyed without being reviewed.

7. Weeding

7.1. Not all information we create has long-term value. Our Retention and Disposal Schedule does not include redundant, obsolete or trivial (ROT) information. Such information should be identified by directorates regularly weeding their information and then destroyed. Approval or sign-off to delete ROT information is not required.

7.2. Information should be weeded for two reasons:

  • To ensure that we are not wasting money or space (either digital or physical) by storing ROT information.
  • To make the process of reviewing and appraising records easier. Sifting through low-value records makes this process more time consuming.

8. Reviewing Information

8.1. When information has reached the end of its retention period it may need to be reviewed to ensure that it is no longer required. Information that has an action of ‘destroy’ on the Schedule can be disposed of securely without a review and without the Data Protection Officer’s approval.

8.2. Where a review is required the Data Controller must discuss this with the Data Protection Officer and should consider the relevant information and decide whether it can be destroyed. If a high volume of information is being reviewed at once then this should be conducted at a macro level, i.e., not document by document. If information is marked for permanent preservation or subject to a legal hold it may be necessary to review every document.

8.3. Information should only be retained beyond its retention period in limited circumstances. When conducting a review, the following factors should be considered:

  • Is the information the subject of an information request, or does it relate to information recently disclosed in a response?
  • Is the information required to fulfil statutory or regulatory requirements or a legal hold?
  • Is retention required to evidence events in the case of a dispute?
  • Does the information fall under the selection criteria for permanent preservation and transfer to the RSA’s Archive?
  • Is there another demonstrable business need for retaining the information?

8.4. If the information is deemed to still be required, an extension of two years is given and the information must be reviewed again at the end of the extension. The only exception to this is where the information has been marked for permanent preservation.

8.5. The retention period must not be extended indefinitely. You should contact the Data Protection Officer for advice.

9. Destruction

9.1. When records are no longer required by the RSA and do not have archival value they should be securely destroyed.

9.2. If the action on the retention schedule is ‘review’, destruction of records should not proceed without approval from the Data Protection Officer.

9.3. A record containing what has been destroyed, when it was destroyed and the individual who authorised the destruction should be created and retained by the relevant directorate. A template can be found on the ICO website.

9.4. If the action on the retention schedule is ‘destroy’, a Record of Destruction does not need to be created.

9.5. Records should be destroyed securely and the method chosen should reflect the sensitivity of the contents. Paper records should be placed into the confidential waste bins and documents stored on electronic systems should be deleted, including back-ups.

9.6. When information is destroyed, all copies of the information should be destroyed at the same time (both digital and physical). Information cannot be considered to have been completely destroyed unless all copies have been destroyed as well.

10. Permanent Preservation

10.1. Documents should be selected for permanent preservation if they meet the criteria specified by the Director of the department or, if donated to the Archive, by the Archive team.

10.2. Documents which have been marked for permanent preservation must not be destroyed. Any information which is selected for preservation should be clearly marked to ensure it is not destroyed accidentally.

11. Legal Holds

11.1. A legal hold is the process of preserving all forms of information relevant to legal proceedings. If a legal hold is in place there is a freeze on the destruction of any relevant material held by the RSA.

12. Schedule

| No. | Source | Owner | Trigger | Retain Period | Action (Review/Destroy) | Information comment |
|---|---|---|---|---|---|---|
| 1 | Actus | Head of People | Bi-annual Review | 2 Years | Review | Business Need |
| 2 | Adobe Creative Cloud | Head of Technology | Bi-annual Review | 2 Years | Review | Business Need |
| 3 | Asana | Director of Communications | Bi-annual Review | 2 Years | Review | Business Need |
| 4 | Asperato | Director of Fellowship | Bi-annual Review | 2 Years | Review | Business Need |
| 5 | Barracuda | Head of Technology | Bi-annual Review | 2 Years | Review | Business Need |
| 6 | Benefithub | Head of People | Bi-annual Review | 2 Years | Review | Business Need |
| 7 | Business Central | Director of Finance | Bi-annual Review | 7 Years | Review | Legal Requirement |
| 8 | Bupa | Head of People | Bi-annual Review | 2 Years | Review | Business Need |
| 9 | Chubb Director | Head of Facilities | Annual Review | 3 Years | Destroy | Business Need |
| 10 | Circle | Director of Fellowship | Bi-annual Review | 2 Years | Review | Business Need |
| 11 | Cisco Meraki | Head of Technology | Bi-annual Review | 2 Years | Review | Business Need |
| 12 | Convene | Director of Finance | Bi-annual Review | 2 Years | Review | Business Need |
| 13 | Design My Night | Chief Operating Officer | Bi-annual Review | 2 Years | Review | Business Need |
| 14 | Eventbrite | Director of Communications | Bi-annual Review | 2 Years | Review | Business Need |
| 15 | Gallup | Head of People | Bi-annual Review | 2 Years | Review | Business Need |
| 16 | Hi Bob | Head of People | Bi-annual Review | 7 Years | Review | Legal Requirement |
| 17 | Highspeed Training | Head of People | Bi-annual Review | 2 Years | Review | Legal Requirement |
| 18 | Know Be4 | Head of Technology | Bi-annual Review | 2 Years | Review | Business Need |
| 19 | Lolly | Chief Operating Officer | Bi-annual Review | 2 Years | Review | Business Need |
| 20 | Mailchimp | Director of Communications | Bi-annual Review | 2 Years | Review | Business Need |
| 21 | Microsoft 365 Azure | Head of Technology | Bi-annual Review | 2 Years | Review | Business Need |
| 22 | Mighty Networks | Head of People | Bi-annual Review | 2 Years | Review | Business Need |
| 23 | Miro | Head of Technology | Bi-annual Review | 2 Years | Review | Business Need |
| 24 | NinjaRMM | Head of Technology | Bi-annual Review | 2 Years | Review | Business Need |
| 25 | NordPass | Head of Technology | Bi-annual Review | 2 Years | Review | Business Need |
| 26 | O2 | Head of Technology | Bi-annual Review | 2 Years | Review | Business Need |
|  | Open Badge Factory | LifeLong Learning Lead | Annual Review | 1 year | Review | Business Need |
| 27 | Pardot | Director of Fellowship | Bi-annual Review | 2 Years | Review | Business Need |
| 28 | PLD (Fellowship Mentoring) | Director of Fellowship | Bi-annual Review | 2 Years | Review | Business Need |
| 29 | Power Bi | Head of Technology | Bi-annual Review | 2 Years | Review | Business Need |
| 30 | R Studio | Head of Technology | Bi-annual Review | 2 Years | Review | Business Need |
| 31 | Rendezvous | Chief Operating Officer | Bi-annual Review | 2 Years | Review | Business Need |
| 32 | Royal London | Head of People | Bi-annual Review | 2 Years | Review | Business Need |
| 33 | Salesforce | Director of Fellowship | Bi-annual Review | 2 Years | Review | Business Need |
| 34 | Soutron | Head of House Curation | Bi-annual Review | 2 Years | Review | Business Need |
| 35 | Sundry | Director of Communications | Bi-annual Review | 2 Years | Review | Legal Requirement |
| 36 | Survey Monkey | Head of People | Bi-annual Review | 2 Years | Review | Business Need |
| 37 | Soteria + | Head of House Curation | Bi-annual Review | 2 Years | Review | Business Need |
| 38 | Tableau | Director of Communications | Bi-annual Review | 2 Years | Review | Legal Requirement |
