Destruction of Personal Data
Further guidance on the retention and destruction of records containing personal data is available in Section 20 of the Data Protection Code of Practice.
Guidance on the Safe Disposal of Confidential Waste
The Data Protection Act and the Freedom of Information Act impose specific requirements about the timely and secure disposal of information, both paper and electronic. This guidance note sets out what you need to know.
Download the Guidance on Safe Disposal of Confidential Waste
Retention and Destruction of Records
The University has to ensure that it has complied with statutory requirements for the retention of records under Data Protection Legislation (GDPR and DPA 2018), Freedom of Information (Scotland) Act or Environmental Information Regulations. Guidance on the retention and then destruction of records is available above in the guidance note on the Safe Disposal of Confidential Waste. When it has been established that a record can be destroyed a record of that destruction, the basis on which this was done (e.g. in accordance with a legal requirement) and the method used must be kept by the area in which the destruction took place. This is the University's form for this purpose.
Download the Record Disposal Form
The University's Records Retention Schedules provide further information relating to the retention and disposal of records, including personal data.
Destruction of Equipment Used to Process Personal Data
University provided equipment and BYOD
Equipment which has been used to process personal data must be disposed of in a confidential and secure manner to ensure that the data is completely wiped from the equipment and cannot be restored by any means. Normal file deletion processes are not adequate and over the years there have been many instances where the ICO have investigated breaches which have occurred through the re-sale or re-use of equipment which has not been fully wiped. For University equipment please complete the Redundant Equipment Notification form which can be found on the Procurement intranet pages.
If you are using your own equipment (laptops, phones, etc.) for work purposes please ensure that you do not download / process others' personal data (being processed on behalf of the University) onto that equipment. If you need to process personal data using your equipment log in using VPN or Virtual Desktop. If you do download personal data for which the University is the Data Controller then you must ensure that the equipment is securely and fully wiped/destroyed at the end of its life. See the 'Bring Your Own Device' Policy. Note: Opening an attachment from Outlook when logged on using Office 365 (not through VPN/VD) is likely to store the document directly onto your device.