Data Retention Policies
This policy was last updated on 18/5/18
The remit of the EU’s General Data Protection Regulation (GDPR) includes Liberal Reform “the Organisation”. The regulation requires that data subjects are informed of how their data will be used, and in particular how long their data will be kept and used for. These are known as data retention periods.
Below are details of how long the Organisation will retain your data.
DATA RETENTION PERIODS
Where required by legislation, regulation or where the data is relevant to an ongoing investigation, for example, by the Organisation, a regulator or the police, data will be retained for as long as required. Otherwise, data will be retained for the periods as set out below.
1. Political Opinions
Proposed Retention Period: 15 years from collection
The Party has an explicit lawful basis in the UK implementation of GDPR, the UK Data Protection Bill (UKDPB) 2018. It proposes an explicit public interest lawful basis for democratic engagement and it is believed that this retention period, whilst long, is justified under the legislation. The Bill also provides an explicit exemption for political parties to process political opinions without requiring consent from the individual.
The Party also has a right to the Electoral Register under the Representation of Peoples’ Act.
The Party will therefore retain Political Opinions for a maximum of 15 years from collection whilst an individual is on the Electoral Register. This period is based on 3 Full Term Parliamentary Cycles
Covered by this data set are all political opinions collected in person, by phone, via the internet, social media and apps. This includes voting intention, voting history, and opinions on all political topics.
Individuals can ask for records of their political opinions to be corrected or deleted and can ask for the Party not to process their data.
2. Campaign Materials and Multimedia
Proposed Retention Period:
• 5 years for multimedia of non-members that is not used in publication from collection
• 15 years for all other material in this category from collection / production
As these materials will often include some personal data, for example in the form of photographs or contact details of a candidate and agent, they require a retention period.
For ensuring best practice, training and historical interest these materials may be kept for 15 years from date of publication or, in the case of material that was unpublished, from date of completion of their production process.
However, for multimedia of individuals who were not members of the Party at the time the multimedia was created (for example, photos and video) then, if that material has not been used in a publication, this limit is reduced to 5 years, based on 1 Full Term Parliamentary Cycle, during which the relevant campaign topic may still be relevant and the media could be of use.
Use of media of non-members of the Party will also be subject to appropriate consent requirements that will need to be obtained prior to publication, ideally at the point of capture / collection.
3. Data with Financial Content
Proposed Retention Period: 7 years from tax year of transaction
Financial regulations require retention of data for a minimum of 6 Full Tax Years. A common best practice is to retain data for 7 years to ensure data is retained for transactions that fall across tax year ends, e.g., a service is provided, invoiced and paid in different tax periods.
There is a considerable amount of data processed by the Liberal Democrats that falls into this category and therefore needs to be retained for this period.
Examples of data with financial content that is required to be kept for this period includes:
• Employee Data where salaries and expenses have been paid
• Membership Data where membership fees have been paid
• Donor Data, including PPERA returns
• Election and Referendum Expense Returns
• Volunteer Data, but only where expenses have been paid
• Conference Registration, where a fee has been paid
• Event Registration, where a fee has been paid
• Suppliers details, including transactions
In these cases, sufficient data for financial controls, auditing, ensuring compliance with electoral finance regulations and fraud prevention will be kept for the 7-year period. For example, name, contact details of the individual and details of the transaction.
Other personal data that may have been appended to financial data will be retained in line with the other relevant part of this policy depending on the data’s type.
4. Contact and Personal Data
Proposed Retention Period: 12 months from opting out or no longer being accessible
Re-consent Cycle for Emails: 15 years from collection
Re-consent Cycle for Telephone numbers for SMS: 5 years from collection
The Party is required to gather consent to contact individuals by electronic methods such as email, text, apps, etc., under the Privacy and Electronic Communications Regulations (PECR). The level of consent has changed with GDPR.
Contact and personal data for someone will be retained and may be used until:
1. (a) a request from the person for such contact to cease, or
(b) the Party becoming aware that the contact information is no longer accurate (e.g. a phone number no longer works or a hard bounce is received in response to an email).
In such cases, the Party will cease attempting to make contacts using such data and will delete their personal and contact data which does not fall under section 3 after a further 12 months, unless in the interim new consent or corrections to the data, as applicable, have occurred
In addition, if a Party member resigns or their Party membership lapses at the end of a quarter, then the Party will delete their personal and contact data which does not fall under section 3 after a further 12 months, unless in the interim they have re-joined the Party or otherwise given consent for their data. For non-members who are donors, employees, volunteer, activists, suppliers and attendees to conference, events or training, a similar 12-month period will begin from the date of their last transaction with the Party.
Under GDPR, we are required to regularly refresh consent, where required, in this case for electronic communication under PECR.
Consent for SMS communications will be refreshed no more than 5 years after original collection.
This is based on 1 Full Term Parliamentary Cycle.
Consent for email communications will be refreshed no more than 15 years after original collection. This 15 year period is based on 3 Full Term Parliamentary Cycles. In the interim, the Party will ensure that email addresses are kept accurate and that the individual continues to engage with the Party’s email communications. All communications from the party will include instructions as to how to stop receiving them.
5. Disciplinary Decisions
Proposed Retention Period: Lifetime
Under Membership Rules, section 8.2, we will keep data on disciplinary decisions for lifetime of the individuals. These are for safeguarding of other members and staff, which is explicitly permitted in the legislation under vital interest.
6. Contact Data for Press and Media
Proposed Retention Period: 15 years from collection
Refresh Period: 5 years from collection
We have a legitimate interest to contact press and media about the democratic engagement activities of the Party. We will keep this information for 15 years based on 3 Full Term Parliamentary Cycles. We will ensure that the data is kept up to date with 5-year cycles of refreshing contact details from the date on which the contact details were obtained.
7. Special Category Data
Proposed Retention Period: 15 years from collection
The GDPR defines Special Categories of Data, specifically, racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The Party has a explicit exemption for processing political opinions, and a public interest lawful basis for democratic engagement in the UKDPB.
The Party also has an explicit exemption from requiring consent, or the need to regularly refresh consent for Special Categories of Data for Members of the Party.
For all other forms of Special Categories of Data, the Party is required to obtain explicit consent to process this data. This may be, for example, for campaigning, Diversity monitoring for employees, supporting the needs of Conference attendees, etc.
As best practice, the Party will request consent when collecting Special Categories of Data, irrespective of whether consent has been previously received from that individual.
The Party will ask to refresh consent on Special Categories of Data for individuals who are not members of the Party, other than political opinions, no more than 15 years after last receiving consent. If refreshed consent is not received within 15 years of the Party last receiving consent, the Special Category Data will be deleted. This 15-year period is based on 3 Full Term Parliamentary Cycles.
For members of the Party, data will be retained in line with Contact and Personal Data above. For Political Opinions, data will be retained in line with details given above.
Proposed Retention Period: 5 years
Cookies will be set to expire no longer than 5 years from being accepted on our websites.
9. Customer Services Telephone Recordings
Proposed Retention Period: 3 months
All calls to Customer Services are kept for 3 months for quality and training purposes. Recordings will be deleted after this period.
10. Archiving Policy
11. Statistical and anonymised Data
Data may be anonymised and/or aggregated statistically and retained for longer than the periods outlined above. This will be, for example, for Diversity Monitoring, Campaign Modelling, training, etc. In these situations, care will be taken to ensure that individuals cannot be identified from any of the data held on them, or through combination with other data held throughout the Party.
Questions and queries
Any questions you have about this policy should be directed to the Data Protection Administrator;
Liberal Reform, 13 Melrose Road, London, SW19 3HF