Control measure: There is an assessment to determine and differentiate between each individual element of the service and consider what personal information is needed, and for how long, to deliver each one.
Risk: If the personal information collected is not adequate, relevant and limited to what is necessary for the purposes of processing, this may breach articles 5(1)(b), (c) and (e) of the UK GDPR.
Ways to meet our expectations:
- Document your reasons for collecting and processing personal information for each element of your service and consider the appropriate retention periods in the DPIA.
- Maintain a retention schedule that details how long you will retain the information.
- When applying retention periods, consider whether you still need the information you collected in order to develop your service.
- Implement measures so that you only collect the minimum amount of information (eg only collect the information you need for each element of the service the child is actively engaged with).
- When you offer service enhancements, avoid ‘bundling in’ or collecting additional information on top of the personal information you need to deliver your core services.
- Give children as much choice as possible over which elements of the service they wish to use and therefore how much personal information they need to provide.
- Provide children with a choice about whether they wish their personal information to be used for each additional purpose or service enhancement (eg through the default privacy settings).
Options to consider:
- Use an automated system that tags records with a retention date and automatically prompts for action at this date.
- Publish the retention schedule.