UNIVERSITY of GLASGOW

DP and FOI office
home > services > DP and FOI office > Policies and procedures > DPA - Retention Schedules

Retention of information relating to DPA compliance

The Data Protection and Freedom of Information Office processes (a) all Subject Access Requests [SARs] received by the University, (b) all Notifications with the UK Information Commissioner, and (c) handles a variety of other requests and actions related to DPA Compliance Management. In each case the Office will normally create a case record which is likely to contain personal data and sensitive personal data as defined in the Data Protection Act 1998. All such personal data will be handled with care and in accordance with the DPA. Access to case records will be strictly controlled.

Each case record is likely to contain, as appropriate, the following records:

  • The name, address, other contact information, and personal details of the applicant or correspondant
  • Personal details held by the University about the applicant
  • Bank account details where a fee has been paid
  • Records of correspondence between the University and the applicant or correspondant
  • Records of all actions and decisions and, for SARs, a record of all information withheld and what exemptions/exceptions were applied
  • Records of all correspondence between the University and the UK Information Commissioner

Subject Access Requests

The standard case record retention period for each SAR will be two years after the last action related to the SAR. In very rare cases the University may retain particularly lengthy or complex or multiple requests for a longer period of time - particularly where (a) the applicant has made a complaint about the handling of his/her SAR, and/or (b) the case resulted in an investigation by the UK Information Commissioner.

Abandoned Subject Access Requests

The standard case record retention period for a SAR, abandoned on request by the applicant, will be one month after the last action related to the SAR. In very rare cases the University may retain the case record for an abandoned SAR for a longer period of time - particularly where there have been previous SARs from the applicant.

Notification with the UK Information Commissioner

Records documenting the institution's Notification to the UK Information Commissioner, including (a) a record of all correspondence between the University and the UK Information Commissioner, and (b) a record of all actions and decisions taken with regard to any modifications to the Notification, will be retained for five years from the expiry of the Notification.

Enquiries from the Police and other Authorised Agencies

The Police, and other authorised agencies including the Immigration and Nationality Directorate of the Home Office, may request personal data about specific individuals from the University for the purposes of the prevention or detection of crime, the apprehension or prosecution of offenders, and for purposes connected with immigration. For every such request the Office will create a single case record. The standard case record retention period for such requests will be two years after the last action related to the request. 

General DPA Compliance Enquiries

The Data Protection and Freedom of Information Office receives requests for advice and guidance on DPA Compliance. These requests will be handled in accordance with standard University procedures and detailed records of the correspondence will not be retained. Only non-routine and complex requests for advice and guidance where, for example, legal advice has been obtained will be retained in a single case record. The standard case record retention period for such requests will be based on the currency and ongoing applicability of the request. 

Investigations by the UK Information Commissioner

A single case record will be created for each Complaint to, or Investigation by, the UK Information Commissioner. The standard case record retention period for such case records will be two years after the last action related to the request. In very rare cases the University may retain the case record for particularly lengthy or complex or multiple requests for a longer period of time - particularly where there have been previous SARs from the applicant. 

Management & Operational Records

A summary record of the activities and workload of the Data Protection and Freedom of Information Office is retained for management, statistical and audit purposes.