PSA consults on guidance on the retention of data

February 11, 2019

The Phone-paid Services Authority (PSA) has issued a consultation about guidance on the retention of data.

In the consultation, the PSA proposes to clarify the PSA’s expectations as to how long providers will retain certain types of Relevant Data, including personal data, so that the PSA can request such data if there is an investigation into the service or provider. This is in light of changes in May 2018 introduced by the GDPR and the Data Protection Act 2018 concerning the protection and processing of personal data.

The proposals can be summarised as the retention of all Relevant Data (including personal) for two years from the point at which it was first collected.This is with two exceptions, the first being that all Relevant Data concerning providers’ or networks’ Due Diligence, Risk Assessment and Control (DDRAC) of a client or service should be retained for three years from the point at which it was first collected. The second exception is that where an investigation is opened during the two- or three-year periods described above, all Relevant Data should be retained until such time that a provider or network is advised that the case or matter is closed.

The consultation ends on 3 April 2019.