Policy paper

Data retention policy

Published 18 February 2022

January 2022

Created July 2018

Last reviewed February 2024

Scope

The data which the CMA creates, receives or maintains including data inherited from its predecessor departments (the Office of Fair Trading and the Competition Commission) is subject to this Data Retention Policy.

Retention policy

CMA data should only be kept for as long as there is an administrative need to keep it to enable the CMA to carry out its business or support functions, or for as long as it is required to demonstrate compliance for audit purposes or to meet legislative requirements. Legislative requirements include, but are not limited to, compliance with the Public Records Act 1958 (selection and disposition of records), the Enterprise and Regulatory Reform Act 2013, the Competition Law Act 1998, the Code of Practice on the Management of Records issued under section 46 of the Freedom of Information Act 2000, the Data Protection Act 2018 and the UK GDPR.

Retention periods

To comply with the administrative and legislative requirements described above, a retention period for the data based on one of the options listed below needs to be agreed with the Records Management Team and the Senior Departmental Records Officer (DRO).

The retention period is defined as the specified time following the last entry, financial year, case or project closure or the date the data is superseded, depending on the type of data and/or its context.

The defined retention periods applied within the CMA are:

  • 2 years – destroy: includes types of records that are generally of low or short-term value such as those relating to general administration, local management or business support

  • 6 years – review or destroy: includes types of records that generally need to be retained by law or for audit or compliance purposes but aren’t considered to be of historical value. Examples include those relating to finance, commercial activities, facilities management and information management

  • 10 years – review or destroy: includes types of records that generally hold long-term value to the organisation or are required to be retained by law for longer periods. In some cases, these records may be of historical value. Examples include those relating to governance or the CMA’s statutory and regulatory functions

  • 15 years – review or destroy: includes types of records that are likely to hold historical value for the organisation or be considered for permanent preservation. Examples include casework files from reviews, reports, investigations and enquiries relating to the CMA’s statutory or regulatory functions and litigation records

  • Permanent preservation: following the review of a record it may be selected for permanent preservation (as set out in the CMA Appraisal Methodology Report); these records will be processed and retained before being transferred to The National Archives or a place of deposit within 20 years of creation

Review periods

Although the CMA has stipulated retention periods as detailed above, we have also implemented an interim review period for some data types. This ensures that we regularly review our data to determine whether it should be retained longer or re-classified and disposed of earlier, or to determine the most appropriate disposal action to take place at the end of the retention period. This enables teams across the CMA to assess the ongoing business need to keep data.

At the time of completion of cases it is not always apparent if they are going to be historically significant for transfer to TNA or if the case will lead to further investigations or market studies that will benefit from data collated for the case in question. The review period will provide the CMA with a mechanism for maintaining and reviewing this data in real time, whilst ensuring the deletion of data when appropriate within the review retention periods.

Extended data retention

Inevitably there will be a few exceptions where the retention requirement does not fall into the above timescales. In these circumstances, unique disposition dates are applied. These exceptions are often found in the support areas of the department such as HR where, for example, staff files such as pension records need to be kept for 100 years from an employee’s date of birth. Other exceptions are required for ongoing business use such as consultation data and review of CMA work post closure of cases. The sections below provide more detail on these two unique exceptions for the CMA.

Review of CMA work for research and evaluation

If the CMA deems the cases to be of significant interest it may engage a third-party contractor to analyse the case data, therefore retaining personal data for this purpose. This will assist the department in assessing how we conduct our work, namely identifying any issues in the decisions taken during the lifespan of those cases selected for research and evaluation. Relying on Article 6(1)(e) of the UK General Data Protection Regulation to lawfully process personal data, the CMA can use personal data contained in the casefile for necessary performance evaluations that are in the interest of the public. The CMA will determine which cases are necessary on a regular basis by establishing and targeting a varied but limited number of cases for the purpose. This review and evaluation will be conducted independently of the CMA, to ensure the CMA can take stock of its decisions, test its working procedures, and take stock of any mistakes encountered throughout the case history. As part of the case selection, consideration will be given to transfer to TNA, and the final selected case for research and evaluation will be transferred to TNA at the 20-year timeframe stipulated in the Public Records Act 1958.

Retention of personal data

Any personal data processed by the CMA, for example as part of a project or case, or for managing staff, should only be kept for as long as there is a business need; otherwise it should be destroyed at the earliest opportunity. The CMA will make a proportionality assessment on a case-by-case basis, namely personal information that is interwoven throughout the record will remain part of the casework file to ensure the records are complete and an accurate account of the work conducted throughout the case. Personal data collated as part of a consultation will be disposed of and only the responses kept for reference.

Data protection law requires that ‘Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed’.

‘Personal data’ is any information relating to a living individual who can be identified, directly or indirectly, from it, in particular by reference to a name, an identification number, location data, an online identifier or to factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

‘Processing’ is anything we do to personal data, for example collecting, receiving, storing, viewing, accessing, disclosing, sharing, profiling, deleting, redacting.

Examples of where personal data might be being processed and what needs to be done with the personal data to ensure compliance with data protection law are listed below:

  1. At the end of a project or case it is the Project Director’s responsibility to decide whether there is a continuing need to keep the personal data that has been collected, including that contained in Public Folders, or whether it can be securely deleted. Consideration should be given to redacting or anonymising the personal data if it is deemed reasonable. Proportionality is considered at this stage as personal data will form part of the corporate record, and information is interwoven across the casework file. Where it is decided that the personal data should be securely deleted, the relevant SharePoint Site administrator for that project should carry this out. In the case of hardcopy or physical material, a nominated person from the project team should do this, but in either scenario the Records Management Team and the Information Access Team should be kept informed of the decisions that have been made.

  2. Outlook accounts – Emails containing personal data that is no longer required should be deleted as soon as possible. Outlook accounts will be deleted when a member of staff leaves the CMA.

  3. OneDrive – Documents containing personal data that is no longer required should be deleted as soon as possible. OneDrive accounts will be deleted when a member of staff leaves the CMA.