Statistical data retention and disposal policy

• Implemented on: 5 January 2022

• Last review on: 26 September 2023

• Next review due on: 26 September 2024

• Version: 10.0

• Policy owner (name): Melanie Mancino

• Policy owner (division): Security and Information Management

• Approved by: Jason Marsh

• Main point of contact: KIM.Team@ons.gov.uk

• Published version link: Statistical Data Retention and Disposal Policy

This Statistical Data Retention and Disposal Policy describes the responsibilities and requirements for the compliant retention of statistical data (hereafter referred to as data) within the Office for National Statistics (ONS). The policy defines the requirements for data lifecycle management in support of contractual, policy or legal stipulations, as well as the need for secure removal of data from ONS platforms and systems throughout the data journey prior to archiving or disposal.

The policy applies to all ONS employees, including staff on fixed-term, temporary or permanent contracts, staff on secondment, students and contractors.

Retention periods are essential for effective lifecycle management of data to ensure data availability as prescribed in an agreement, contract, policy or relevant legislation, for example data protection legislation. Where retention periods are not defined, default retention review periods must be applied.

Retention periods must be applied to all locations where data reside during the data journey, including persistent and transient locations.

This policy is to ensure that eligible data is available via ONS platforms and systems and that data governance activities are fulfilled by all individuals assigned the responsibility for this task.

This policy supports the Data Principles which underpin the Data Strategy.

The Statistical Data Retention and Disposal Policy applies to data generated by ONS as part of the statistical production process. The policy also applies to data that has been sourced, acquired or accessed for research and/or production purposes and made available via ONS platforms and systems.

The policy applies to data held within persistent and transient storage locations and ensures that copies of data and duplicates of data are removed from transient locations as the data moves through the pipeline.

Review periods for data held in persistent locations must be recorded in the mandated metadata field within the IAR and/or data catalogue to ensure regular reviews are carried out as part of data governance activities. The review will lead to an action to either extend the retention period, retain sub-subsets or modifications of the original data source, or dispose of, or archive the data.

Retention periods for data held in transient locations must be defined according to business requirements and technological capability. Data is expected to be deleted from transient storage once ingested into the next location and quality assurance is complete; where this isn't possible, a short time scale for retention should be applied and recorded on the data retention schedule which is available via the IAR.

Data retention schedules for data held across one-to-many locations must be completed and added to the IAR. The schedules record the retention periods for data throughout the lifecycle and apply to all locations.

Personal data is retained in accordance with the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018.

This Statistical Data Retention and Disposal Policy describes the responsibilities and requirements for the review and retention of data to enable ongoing access for research and statistical production purposes and to ensure data governance activities are carried out within the ONS.

Data retention schedules that record retention periods for data held in persistent and transient storage locations are essential for effective lifecycle management of data to ensure ONS demonstrates compliance with a range of information related legislation, such as the Public Records Act (PRA), the Freedom of Information Act (FOIA), the UK GDPR and the DPA. Data retention schedules will be created, stored, and updated via the IAR and/or data catalogue.

Data archiving is subject to a separate Data Archiving Policy.

Persistent storage locations

Retention periods can be prescribed by a third-party supplier as a requirement via a contract, data sharing agreement or memorandum of understanding. Where no data retention period is defined by a third-party, default retention review periods will be applied. The default retention review period will be five years for data that has no personal data attributes, or two years when personal data is included. Role holders will be assigned specific data governance activities and will be responsible for ensuring ongoing reviews are undertaken.

Data retention review dates relating to the data retention period will be added to the relevant IAR and/or data catalogue in a mandated field that will be subject to quality checks by Governance Metadata Administrator role holders.

Prior to the retention review date being reached, a report will be generated that will provide the opportunity for a review of the data retention period. The assigned Data Governance

role holder will make a decision on whether to further retain the data as is and negotiate an extension to retain if provided by a third-party; modify the existing data if appropriate in order to retain sub-sets, for example following anonymisation of personal data; extend the retention period according to the default periods; or remove access to the data and dispose of or archive the data. If derived datasets exist as a child of the data recorded in the asset register and/or data catalogue, these will also be in scope for review, modification, disposal or archiving.

If the decision has been made to remove access to the data due to disposal or archiving, the entry on the asset register and/or data catalogue will be amended to show that the data is no longer available, but metadata will remain available for future reference.

Transient storage locations

Retention periods for data held in transient locations must be defined according to business requirements and technological capability. Data is expected to be deleted from transient storage once ingested into the next location and quality assurance is complete; where this isn't possible, a short time scale for retention should be applied and recorded on the data retention schedule.

Data governance activity will be undertaken by the relevant role holder to ensure that retention periods are adhered to, ensuring effective lifecycle management of data, and that copies and duplicates of data are removed from ONS platforms and systems in a timely manner.

Information Asset Owner/Data Governance role holders

The Information Asset Owner and Data Governance role holders are responsible and accountable for data governance activities assigned to them as part of their appointment to the role. Data governance duties undertaken by these role holders relating to this policy include:

• Management of statistical data assets throughout the lifecycle and pipeline, ensuring related governance metadata is recorded, accurate and complete

• Ensuring a data retention schedule has been completed and linked to the IAR, with an accurate date entered in the mandated metadata field in the IAR and/or data catalogue

• Undertaking reviews of metadata when prompted, and decision-making for ongoing access to the data when retention periods are reached

• Ensuring a data sensitivity assessment has been undertaken for assigned data assets and that associated risks are managed accordingly

• Responsibility for decisions on use, transfer and access requests for data assets; oversight around associated processing activities

• Responsibility or accountability for risks associated with the data assets

• Decision-making in relation to project or user accreditation relating to access to data

Governance Metadata Administrator

The Governance Metadata Administrator role holders are responsible for ensuring that the metadata relating to data assets is accurate on the asset register and/or data catalogue. These role holders will undertake regular reviews and audits relating to the lifecycle of the data.

Data Acquisitions and Operations team

The Data Acquisition and Operations (DAO) team provides a coordinated capability for the acquisition, preparation and linkage of non-survey data, supporting data use across ONS and the UK research community through approved environments.

Data archiving policy

Data protection policy

Metadata policy