SCOPE
1.
This Policy is aimed at regulating the
retention, maintenance and disposal of documentation, both personal and other,
within the Office of the Regulator, Granting of Citizenship for Excptional Services (OR-GCES), as provided for in the Maltese Citizenship Act, Cap 188, in accordance with the principles of Data Protection Legislation, and the National Archives Act, Cap 477, and other legal provisions in Maltese Law.
BACKGROUND
2.
The General Data Protection Regulation (GDPR) puts forward the principle that personal data and
sensitive personal data should not be retained for periods that are longer than
necessary, whereas the National Archives Act puts forward the principle that records of historical value are retained. In this context, the OR-GCES will be putting forward a
retention policy for all data and documentation that it collects and processes,
with the purpose of ensuring compliance to the GDPR and the National Archives Act.
OBJECTIVES
3.
This policy aims to achieve the following
objectives:
a) Regulate the retention of and
disposal of the various types of documentation whether held in manual or
automated filing systems within the OR-GCES, while adhering to the Data
Protection principle that personal data should not be retained for a longer
period than necessary;
b) Make sure that records of enduring historical value are retained for posterity;
c) Dispose of unnecessary documentation
that is no longer relevant and is taking up useful storage space, whilst ensuring that important (anonymous) documention is stored safely for future reference;
d) Promote the digitisation of documentation as may be
reasonably possible in order to minimize the use of storage space required to
store documentation, as well as to promote a sustainable use of paper and
printing consumables.
ADMINISTRATION
4.
Documentation is held and recorded by the two Units forming the OR-GCES, namely the Administration Unit and the GCES Monitoring and Vetting Unit. This Policy is therefore applicable to all such documentation. It will be the responsibility of the relevant
afore-mentioned Units and OR-GCES’s Data Controller, Mr
Carmel L. De Gabriele, to ensure that all provisions of this Policy
are adhered to.
DOCUMENTATION HELD WITHIN OR-GCES
5.
As part of its operating requirements the
OR-GCES requests, keeps and maintains a range of documentation including
personal data. The various types of documentation utilised by OR-GCES may be
categorised as follows:
a)
Personal Data of OR-GCES’s staff members;
b)
Attendance and absence records;
c)
Discipline related records;
d) Financial records and procurement documentation;
e)
Medical records;
f)
Vetted IIP and GCES Applications Records;
g)
IIP and GCES Complaints;
h)
Correspondence (Manual and/or Electronic formats)
It should be noted that removing the identification
details in any record, rendering it anonymous, would be deemed as physically
deleted for the purpose of the GDPR and could be retained indefinitely for
future processing.
SECURITY OF DOCUMENTATION
6.
Documentation is maintained in an accessible but secure
location with adequate access provided to officials who have the clearance
level to access the relevant documentation.
In the case of documents with sensitive personal data with higher
clearance levels, access control protocols are fully adhered to, to ensure that
only those that have the required security clearance have access to such
documentation.
7.
In the case of personal data, the GDPR also stipulates
that only those required to process personal data should have access to
personal records.
8.
Personnel who are found to be in breach of these security
protocols, and thus in breach of the GDPR, will be subject to disciplinary
action.
MANUAL VS ELECTRONIC RECORDS
9.
In terms of retention periods it needs to be pointed out
that the same retention period applies for both electronic and manual data.
RETENTION PERIOD
10. Retention of different categories of documents is
governed by different requirements and different legislation and regulations.
The following schedule outlines the retention
requirements for the various categories of documentation within the OR-GCES:
Category
|
Retention
Period
|
|
|
HR Documentation
|
As per HR
Retention Policy
|
|
|
Financial
Documentation
|
|
Tax and
National Insurance Records
|
Twenty (20)
years
|
Accounting Records
|
Ten (10) years
|
Yearly Financial Statements
|
Five (5) years
|
|
|
IIP-related and GCES-related Records and relative documentation
|
|
Reports of vetted IIP and GCES Applications
|
The report of each vetted IIP and GCES application is recorded on specific templates designed by this office. Since the reports do not include personal data, these documents will be kept for an indefinite period.
|
Reports of vetted IIP and GCES Applications that include personal records
|
Within one
week from the date when any related issues are satisfactorily clarified
and/or addressed. Normally no personal data is recorded during vetting
sessions however, in exceptional circumstances – i.e. in
extremely rare occasions – such details might need to be recorded in order to verify
the eligibility or otherwise of the applicant in question.
|
Complaints et
simile including ad hoc correspondence
|
Within ten years from the date of last action taken or correspondence
exchanged (whichever is latest) on the complaint in question. This
does not apply in the case of pending complaints which shall be retained
until a formal decision is taken in their regard by the Regulator GCES.
After
the lapse of the said ten years, a copy of the conclusions and decision
reached by the Regulator (GCES), shorn of any personal data that may lead to
the identification of the complainant and/or of any third parties that might
have been involved, will, however, be kept on record.
|
General Correspondence
|
Within five years from the date of last action taken or correspondence
exchanged (whichever is latest) on the subject being addressed.
|
Annual Report |
The Annual Reports issued by the Office of the Regulator (GCES) in terms of the Maltese Citizenship Act (Cap 188) will be kept for an indefinite period. The Annual Reports do not include personal data. |
Special Reports |
Reports that are drawn up in specific circumstances or upon specific requests will be kept for an indefinate period. This retention period also applies for any records related to the Minutes of Meetings held with internal and / or external stakeholders. |
CONCLUSION
This retention policy aims to achieve a good
working balance between the retention of useful and meaningful information in
line with the provisions of the relevant legislation and the disposal of data
which is no longer required and is being archived unnecessarily. Data that
needs to be destroyed after the noted timeframes will be
disposed of in an efficient manner to ensure that such information will no
longer be available within the OR-GCES. Data Protection Controllers, Heads, and
DPOs are aware of the noted retention periods and will instruct
all relevant personnel to follow the indicated procedures accordingly.
It is to be noted that anonymous or
statistical data do not fall within the parameters of this Retention Policy,
since they do not constitute identifying personal data.
In the line with the provisions of the National Archives Act, Cap 477, this policy has been reviewed and endorsed by the National Archieves before implmentation. In the case that the Office of the Regulator, Granting of Citizenship for Exceptional Services does not remain operational, or there is a change in policy for the retention of records that according to this document are being retained on an indefinite period, the National Archives must be consulted in order to evaluate on the potential enduring historical value of the records in question.
Implimentation Date: March 2021
(REP 2021-02)