DPA & Six Year Rule
sgx.saint
Posts: 1,615 Forumite
Had a discussion with friends recently about the Data Protection Act and in particular how it applies to banks and more specifically the six year data retention rule.
Which got me wondering, how exactly do banks remove and destroy our data after six years?
What process do they use to ensure data is fully removed and destroyed?
How do they know when the six years are up for certain information, what systems are in place to ensure that data over six years is flagged for removal?
I just have images in my head of bank offices full of files and files of data, but with no real system in place to know when data is due for removal.
So, I just wondered if anyone knew any of the answers to the above questions. Perhaps there are some data controllers on here who may know?
Comments
Banks do have "Document Retention and Destruction" policies which are audited and which staff are trained in. Documentation is categorised and labelled. So, for example, paper documentation goes to off-site storage and is destroyed after the appropriate time period if it is so labelled. Maybe 6 years, maybe 7 years (Sarbanes-Oxley financial data) or maybe less (purely admin data). And as there is a price to pay for off-site storage, this is usually administered seamlessly and efficiently. However, on the electronic side, although there are electronic archiving and data cleansing rules, it is still possible that pockets of data remain on PCs, small servers etc., where the individual has not adhered to the stated policies; i.e. human error or oversight.
So, in summary. There are policies in place, they are managed, they are audited ... but there is no 100% guarantee!
Hope this helps.
natweststaffmember wrote: »some of us know that certain data is not destroyed after 6 years and can go back 16 years.
Apologies for the epic delay in replying to this thread, however I have been absent from MSE for a good few weeks due to personal issues.
Are you speaking from experience there 'Natweststaffmember'?
From my understanding of the DPA and information from the ICO you can write to a particular organisation and ask them to remove your data after six years if you feel they have kept any beyond the set timeframes.
On the ball with an inquiry I've got with HBOS here.
Opened C/A July of this year 07.... I've never had any dealings with BoS, yep okay Halifax
I register for internet banking/online services
"Oh you already exist. Memorable details please and we'll reactivate your account"
I've never had any kind of account with them............
Turns out there are two Credit Cards. One an affinity card the other one a BoS card.... Last active 2004.
I can't remember these at all. Let's just assume for the time being that they were mine and I've just forgotten about ever having possessed them...
My point is, when I terminated my financial relationship with HBOS with the credit cards, it turns out I would have had to make a separate one concerning the online data....
E.g. If I'd opened an account with them not in 2007, but in 2012 say, then my online account would still exist with them......
"The data just lives there" I was told...
"What in perpetuity, it survives my own death even?"
"Errrr dunno, about that. Dunno how long it lives there"
It's being looked into...
When a consumer terminates their business relationship with a financial institution, then that's what one expects to have happened.
No ordinary consumer would know to, or, even think to, have to make a separate, distinct request for the deletion of their online data.
It's being looked into but the only person so far who has even suggested 6/7 year, possibly is me.............
Sorry, I guess I need to give a fuller explanation. Firstly, I have no idea where people get a 6 year retention period for Subject Access Request. The Data Protection Act does not stipulate 6 years for data to be retained and then destroyed. People have got into their heads 6 years because of the Statute of Limitations and letters to banks across the charges sites stating 6 years statements will be sufficient. It is not. Yes I do know for a fact that data is held for more than that prescribed timescale. If ICO said 6 years, then they are really misinforming people they are there to protect IMHO.
This discussion has been closed.