PSA Guidance on Data Retention
19 September 2019
We've updated our Guidance for industry on the Retention of Data, especially consumer data and how long it should be stored.
The Phone-paid Services Authority (PSA) has published new Guidance for phone-paid service providers on the retention of data following consultation.
The consultation was in response to several questions raised by industry following the introduction of the General Data Protection Regulation (GDPR) in May 2018.
The new Guidance clarifies PSA expectations around data retention, particularly on the handling and retention of consumer personal data by network operators and service providers, and for how long they should be expected to retain that data. The Guidance covers a broad range of data sets, including personal data.
The new Guidance updates and expands on the PSA’s existing draft Guidance, which was published with its consultation following the introduction of the GDPR.
It now includes:
- A continued expectation that providers should retain all Relevant Data for two years from the point at which it was first collected
- The expectation that in relation to providers’ Due Diligence, Risk Assessment and Control (DDRAC), data should be retained for three years
- An expectation that all Relevant Data and Relevant DDRAC Data should be retained in cases where a PSA investigation is opened until advised that the case is closed
- Clarification on when a service provider would be expected to collect data and the definition of ‘trend data’
- A revision of the recommendation to keep timestamped screenshot records of served browsing pages to include screenshots and relevant HTML codes
- Simplification of some transaction log requirements, and an outlined expectation that providers should flag Relevant Data to prevent it from being wiped
This follows extensive consultation with industry which opened in February 2019. The PSA received constructive and insightful input from industry on the practicalities of retaining data which it has taken into account.
The new Guidance makes the PSA’s expectations clear for network operators and service providers. It also advances the consumer interest by ensuring that robust records of phone-paid transactions are retained for a sufficient period, especially in instances when the PSA has reason to investigate a service.
ICO Data Protection Fee
On behalf of the ICO, businesses in the phone-paid services sector are reminded that they need to comply with a range of responsibilities set out by the General Data Protection Regulation/Data Protection Act 2018, one of which is the requirement to pay the annual data protection fee. This is an important legal obligation, so it is worth checking whether you are required to pay. Further details can be found on the ICO website.