The ICO exists to empower you through information.

Control measure: There is an assessment to determine and differentiate between each individual element of the service and consider what personal information is needed, and for how long, to deliver each one.

Risk: If personal information collected is not adequate, relevant and limited to what is necessary for the purposes of processing, this may  breach articles 5 (1) (b) (c) & (e) of the UK GDPR.

Ways to meet our expectations:

  • Document your reasons for collecting and processing personal information for each element of your service and consider the appropriate retention periods in the DPIA.
  • Maintain a retention schedule that details how long you will retain the information.
  • Consider the information you collect in order to develop your service that you may no longer need when applying retention periods.
  • Implement measures so that you only collect the minimum amount of information (eg only collect the information you need for each element of the service the child is actively engaged with).
  • When you offer service enhancements, avoid ‘bundling in’ or collecting additional information on top of the personal information you need to deliver your core services.  
  • Give children as much choice as possible over which elements of the service they wish to use and therefore how much personal information they need to provide.
  • Provide children with a choice about whether they wish their personal information to be used for each additional purpose or service enhancement (eg through the default privacy settings).

Options to consider:

  • Use an automated system that tags records with a retention date and automatically prompts for action at this date.
  • Publish the retention schedule.

 

Control measure: There are regular reviews of the information held and weeding activities are undertaken to reduce excessive or unnecessary personal information. Information is deleted in line with the retention schedule.

Risk: If the information held is not assessed on a regular basis, this may breach articles 5 (1) (d and e), namely it may become inaccurate and irrelevant if kept for longer than is necessary.

Ways to meet our expectations:

  • Understand how data flows into, around, and out of your service and document this in data flow maps.
  • Weed information according to the retention schedule.
  • Delete information you no longer need or is out-of-date (or put it beyond reach).
  • Pseudonymise or anonymise information you still need for research purposes or for continued service accuracy (eg in AI systems) wherever possible.
  • If there are changes to service functionality or features, review the DPIA and retention schedule to ensure you only: 
    • collect the minimum information you now need; and
    • delete any information you hold that you no longer require.
  • Give children easy options to request you delete their personal information.

Options to consider:

  • Use system rules or automated alerts to highlight information for weeding.
  • Run regular staff awareness exercises.