Data Retention & Disposal Policy
The EU General Data Protection Regulation (GDPR) (superseded by the UK GDPR in 2021) and the Data Protection Act 2018 came into force on 25 May 2018. The regulation brought in tighter requirements regarding how long personal data may be retained. As a result of these requirements organisations, including The QHotels Collection, need to be more measured and disciplined in their retention of individuals’ personal data.
A key Principle of the regulation is data minimisation - both in terms of minimising the volume of personal data stored and how long the personal data is retained for.
The legal requirements under Article 5 (e) of the UK GDPR are that personal data shall be kept for no longer than is necessary for the purposes for which it is being processed. There are some circumstances where personal data may be stored for longer periods (e.g. archiving purposes in the public interest, scientific or historical research purposes).
Recital 39 of the UK GDPR states that the period for which the personal data is stored should be limited to a strict minimum and that time limits should be established, by the data controller, for either the deletion of the records or for a periodic review.
The QHotels Collection must therefore ensure that personal data is securely disposed of when no longer needed. This will reduce the risk it will become inaccurate, out of date or irrelevant.
This Policy is a company document that is relevant and applicable to all of The QHotels Collection employees and contractors. As such this document must be read and approved by The QHotels Collection Board and by all members of The QHotels Collection Executive team. The Executive team and senior management must ensure that all staff are aware of and comply with this Policy. Non-compliance with this Policy by The QHotels Collection directors, employees or contractors may lead to disciplinary action being taken.
Under the UK GDPR, and Data Protection Act 2018 personal data shall be kept in a form which permits the identification of data subjects, for no longer than is necessary for the purposes for which the personal data is processed.
In addition, the UK GDPR includes the right to erasure or “the right to be forgotten”. Data Subjects have the right to have their personal data erased (and to prevent the processing of that personal data) in the following circumstances:
- Where the personal data is no longer required for the purpose for which it was originally collected or processed (see above);
- When the data subject withdraws their consent;
- When the data subject objects to the processing of their personal data and the Company has no overriding legitimate interest;
- When the personal data is processed unlawfully (i.e. in breach of the GDPR);
- When the personal data has to be erased to comply with a legal obligation; or
- Where the personal data is processed for the provision of information society services to a child.
This Policy sets out the type(s) of personal data held by The QHotels Collection and the arrangements has put in place for protecting, retaining and disposing of personal data sets.
The QHotels Collection has put this Policy in place to ensure that the UK GDPR requirements regarding data retention, archiving and disposal are adhered to and all employees and contractors are familiar with and abide by the UK GDPR legal requirements.
- Data Retention
Technical & Organisational Data Security Measures
The following technical measures are in place within the Company to protect the security of personal data. All The QHotels Collection staff and contractors are expected to comply with these measures:
- All emails containing personal data must be encrypted by TLS technology;
- All emails containing significant amounts of personal data or sensitive data should be encrypted using additional password security
- All emails containing personal data must be marked “confidential”;
- Personal data may not be transmitted over a wireless network if there is a reasonable wired alternative;
- Where personal data is to be sent by facsimile transmission the recipient should be informed in advance and should be waiting to receive it;
- No personal data may be shared informally and if access is required to any personal data, such access should be agreed with a line manager;
- All hardcopies of personal data, along with any electronic copies stored on physical media should be stored securely, and disposed of securely when no longer required;
- No personal data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of the Company or not, without authorisation by a GM or their Deputy or a Head of Department from the Central Team;
- Personal data must be handled with care at all times and should not be left unattended or on view;
- No personal data should be stored on any mobile device, whether such device belongs to the Company or otherwise without the formal written approval of the Network Security Manager and then strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary;
- All personal data stored electronically should be backed up every day with backups stored onsite or offsite;
- All passwords used to protect personal data should be changed regularly and must be secure;
- Under no circumstances should any passwords be written down or shared except in relation to specific shared workspaces e.g. reception where approval to share passwords has been approved. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords;
- All software should be kept up-to-date. Security-related updates should be installed not more than two weeks after becoming available; and
- No software may be installed on any Company-owned computer or device without approval.
The following organisational measures are in place within the Company to protect the security of personal data. All staff and contractors are expected to comply with these measures:
- All employees and other parties working on behalf of the Company handling personal data will be bound by contract to comply with the GDPR, the Data Protection Act 2018 and the Company’s Data Protection Policy;
- All agents, contractors, or other parties working on behalf of the Company handling personal data must ensure that any and all relevant employees are held to the same conditions as those relevant employees of the Company arising out of the GDPR and the Company’s Data Protection Policy.
- All employees and other parties working on behalf of the Company shall be made fully aware of both their individual responsibilities and the Company’s responsibilities under the GDPR these are set out in The QHotels Collection Approach to Data Protection document.
- Only employees and other parties working on behalf of the Company that need access to, and use of, personal data in order to perform their work shall have access to personal data held by the Company;
- All employees and other parties working on behalf of the Company handling personal data will be appropriately trained to do so;
- All employees and other parties working on behalf of the Company handling personal data should exercise care and caution when discussing any work relating to personal data at all times;
- The performance of those employees and other parties working on behalf of the Company handling personal data shall be regularly monitored and reviewed; and
- Methods of collecting, holding, and processing personal data shall be regularly evaluated and reviewed.
Data Retention Considerations
Different types of personal data, used for different purposes, will necessarily be retained for different periods as set out below. When establishing and/or reviewing retention periods, the following shall be taken into account:
- The objectives and requirements of The QHotels Collection;
- The type of personal data in question;
- The purpose(s) for which the data in question is collected, held, and processed;
- The QHotels Collection lawful basis for collecting, holding, and processing that data;
- The category or categories of data subject to whom the data relates;
- If a precise retention period cannot be fixed for a particular type of data, criteria shall be established by which the retention of the data will be determined, thereby ensuring that the data in question, and the retention of that data, can be regularly reviewed against those criteria.
- Notwithstanding the following defined retention periods, certain personal data may be deleted or otherwise disposed of prior to the expiry of its defined retention period where a decision is made within The QHotels Collection to do so (whether in response to a request by a data subject or otherwise).
- In limited circumstances, it may also be necessary to retain personal data for longer periods where such retention is for archiving purposes that are in the public interest, for scientific or historical research purposes, for statistical purposes, or to protect against actual or potential litigation. All such retention will be subject to the implementation of appropriate technical and organisational measures to protect the rights and freedoms of data subjects, as required by the GDPR.
- Data Disposal
Upon the expiry of the data retention periods set out in The QHotels Collection Article 30 Data Registers or when a data subject exercises their right to have their personal data erased, personal data shall be deleted, destroyed, or otherwise disposed of as follows:
- Personal data stored electronically shall be deleted using the standard data deletion method for each system; and
- Personal data stored in hardcopy form shall be shredded to at least BS EN15713:2009 standard and recycled.
- Key Roles and Responsibilities
The CFO shall be responsible for overseeing the implementation of this Policy and for monitoring the compliance of this Policy with the Company’s other Data Protection Policies and with the UK GDPR, DPA 2018 and other applicable data protection legislation. Each member of The QHotels Collection Executive team will be responsible for ensuring awareness and compliance within their respective teams.
Our Privacy Team shall be directly responsible for ensuring compliance with the above data retention periods. All questions regarding this Policy, the retention of personal data, or any other aspect of UK GDPR compliance should be referred to The QHotels Collection DPO.
- Communication of the Policy
Whilst there is no formal training related to this policy it is expected that each employee and contractor is provided with a copy of this policy when they begin work for or with The QHotels Collection and are asked to sign off that they will follow it.