Request & response
What procedures and monitoring checks does TNA undertake to manage how it (as a Data Controller) adheres to the following GDPR principles in relation to its own physical and digital corporate records (not deposited archival records) that contain personal data:
– Data Minimisation
– Storage Limitation
For the purposes of this FOIA request the interest is in the steps taken to implement (and ongoing) monitoring actions undertaken by TNA to ensure its own compliance with the aforementioned GDPR principles rather than just reference to its own governance documents (e.g. policies, retention schedule) that might make provision for adherence to these principles.
This sets out the items of personal data that it is necessary for us to process. Our Data Protection Officer has agreed that the minimum amount of data necessary is being used.
The fulfilment of these requests may in some cases be subject to exemptions under Data Protection Legislation, and the requests are dealt with by The National Archives staff on a case-by-case basis in consultation with our Data Protection Officer.
Personal data is only kept for as long as we have a business need for it. This is managed by applying our retention schedules. Data subjects also have the right to request that their data is no longer processed by us, and their data will be removed on request, provided there is not an exemption under Data Protection Law. In the case of marketing data there is an unsubscribe button on each communication, which results in the cessation of communications. A stub entry is kept as a record of the subject’s wishes.
In addition to the above, The National Archives carries out a bi-annual audit of its Information Asset Register. Each Information Asset Owner, who is usually a department head, fills in a report describing additions, deletions or changes to their assets.