Policy Regulating the Retention of Digitised and Physical documents held by the Department for Social Security
Table of Contents
Click on header title to view the information related
Scope
Background
Objectives
Administration
Documentation held by the Department of Social Security
Security of Digistised and Physical Documentation
Retention Period
Conclusion
Scope
This Policy is aimed at regulating the retention, maintenance and disposal of documentation, both personal and other, within the Department for Social Security as provided in the Social Security Act (Cap. 318.), and in consonance with the principles of data protection legislation, and other legal provisions in Maltese Law, particularly the General Data Protection Regulation (EU) 2016/679(GDPR) and the Data Protection Act 2018 (Cap. 586.) regulating the processing of personal data.
Background
The GDPR puts forward the principle that personal data and sensitive personal data should not be retained for periods that are longer than necessary. In this context, the Department for Social Security will be putting forward a retention policy for all data and documentation that collects and processes, with the purpose of ensuring compliance to the Regulation and to ensure that no resources are utilised in the processing and archiving of data which is no longer of relevance.
Objectives
This policy aims to achieve the following objectives:
- Establish a retention period;
- Regulate the retention of and disposal of the various types of documentation whether held in relation to all applications for contributory and non-contributory benefits in manual or automated filing systems within the Department for Social Security, while adhering to the Data Protection principle that personal data should not be retained for a period that is longer than necessary;
- Dispose of unnecessary electronic and physical documentation that is no longer relevant;
- Promote the digitisation of documentation as may be reasonably possible in order to minimize the use of storage space required to store required documentation, as well as to promote a sustainable use of paper and printing consumables.
Administration
This Policy is applicable to all such documentation in relation to all the applications for contributory and non-contributory benefits and will be the responsibility of the Data Controller to ensure that all provisions of this Policy are adhered to. In case of any issues with personal data, the final decision rests with the Director’s General as Data Controller of the Department of Social Security.
Documentation held by the Department of Social Security
As part of its operating requirements, the Department for Social Security, requests, keeps and maintains documentation which may include personal data. The various types of documentation utilised by the Department for Social Security may be categorised as follows:
- Personal Data of Beneficiaries
- Data related to Applicants
Security of Digistised and Physical Documentation
- Documentation is maintained in an accessible but secure location with adequate access provided to data-subjects who request it and to officials who have clearance level to access the relevant documentation. Documents with sensitive personal data will require higher clearance levels and access control protocols to ensure that these are fully adhered to and to ensure that only those that have the required security clearance can access such documentation.
- In the case of personal data, the GDPR also stipulates that only those required to process personal data should have access to personal records.
- Personnel who are found to be in breach of these security protocols, and thus in breach of the GDPR, will be subject to disciplinary action without prejudice to any other action it may deem fit and proportionate to the caused harm.
- In terms of retention periods, it needs to be pointed out that the same retention period will apply for both electronic and manual data, with this policy particularly applicable to digitised documentation.
Retention Period
Retention of such digitised and physical documents should be of 12 months that start running from the date when the benefit was terminated for any reason whatsoever or the date of death of the beneficiary, whichever of the circumstances occurs first [1].
However, the retention period for data and documentation in relation to means-tested benefits or that such data and/or documentation is relevant to an unresolved matter, shall be 5 years.
Provided further, that in case where there is data that is common in more than one file appertaining to the same beneficiary; the fact that data is destroyed from the file relating to the benefit that is terminated does not automatically mean that the same data is destroyed from the file relating to the benefit that is still running or is the subject of an unresolved matter.
Conclusion
This retention period aims to achieve an adequate balance between the retention of useful and related information and the destruction of data that is no longer required for the established purpose. Data that needs to be destroyed after the noted timeframes will be disposed of in an efficient matter to ensure that such information will no longer be available within the Department for Social Security.
Data Protection Controllers, Director Generals, Directors and DPOs are aware of the noted retention periods and will instruct all their personnel to follow the indicated procedures accordingly.
It shall also be noted that anonymised or statistical data do not fall within the parameters of this Retention Policy, since they do not constitute identifying personal data.
It shall also be stated that this Policy acknowledges Article 8(2) of Cap. 477 (National Archives Act) of the Laws of Malta, except data and information that falls under article 133(b) of Cap. 318 ( Social Security) that strictly prohibits the transfer of ownership of data and information acquired by the Director General (Social Security) under such article.
[1] Following a research both on foreign and local articles, the 5 year period has been established as the most common. This also on the basis of article 2156 of Cap 16 of the Laws of Malta, which establishes the actions that are time-barred by the lapse of 5 years, particularly sub-article (f) which reads as follows: ‘actions for the payment of any other debt arising from commercial transactions or other causes, unless such debt is, under this or any other law, barred by the lapse of a shorter period or unless it results from a public deed and also after taking into consideration the average retention period as established in the Common Retention and Disposal Schedule of the Council of Europe DS/COE(2017)5.
This policy has been approved on the 06 October 2022 by the National Archives of Malta (NAM), (Retention Policy no. REP2022-12) and the Department of Social Security. This policy will be reviewed at least every five (5) years from the date of issue to ensure that all the processes and documentation categories are still valid and relevant in view of any changes of procedures or law. It also supersedes any retention policy that might have been implemented in the past for the same records.