The consultation contains proposals to clarify the PSA’s expectations as to how long providers will retain certain types of Relevant Data, including personal data, so that the PSA can request such data in the event of an investigation into the service or provider. This is in light of changes in May 2018 to UK legislation concerning the protection and processing of personal data under the Data Protection Act 2018.
The proposals can be summarised as the retention of all Relevant Data (including personal) for two years from the point at which it is first collected.
This is with two exceptions, the first being that all Relevant Data concerning providers’ or networks’ Due Diligence, Risk Assessment and Control of a client or service should be retained for three years from the point at which it is first collected. The second exception is that where an investigation is opened during the two- or three-year periods described above, all Relevant Data should be retained until such time that a provider or network is advised that the case or matter is closed.
These proposals are set out in the consultation, and the Guidance on which the PSA is consulting, at Annex A. For further clarity, Annex A to the document also sets out a non-exhaustive list of data that the PSA considers relevant.
The consultation closes on 3 April 2019. To access the consultation, click here.