TSA Learning Hub Data Retention Policy
Purpose:
This policy sets out how long personal data will be retained within our Learning Management System (LMS), in accordance with the UK GDPR, the Data Protection Act 2018, and relevant sector guidance (e.g. TEC Quality Standards Framework, CQC requirements).
1. Retention Principles
- Personal data will be kept only as long as necessary to meet:
- Training and compliance requirements
- Legal and safeguarding obligations
- Audit or regulatory inspections (e.g., TEC Quality Framework or CQC)
- After the retention period ends, personal data will be securely deleted or anonymised.
2. Retention Periods by Data Type
| Data Type | Description | Retention Period | Justification |
|---|---|---|---|
| User profiles | Name, email, job title, role, employer, location | 3 years after last activity | Supports regulatory audits, staff turnover tracking, re-certification |
| Course completions | Course names, dates, pass/fail, duration, scores | 3 years | Ensures training compliance, safeguarding, and quality assurance |
| Assessment results | Quiz scores, feedback, attempts | 3 years | For audit trails and training effectiveness |
| CPD evidence | CPD hours logged, certificates issued | 3 years | May be used for ongoing competence or regulatory checks |
| Login/activity logs | Timestamps, IPs, sessions | 3 years | For security monitoring and basic usage reporting |
| Support requests & helpdesk logs | User-submitted technical queries | 2 years | For quality monitoring and response analysis |
| Unregistered invitees / non-activated accounts | Invited but never used LMS | 12 months | Allows re-invite tracking; deleted if unused after a year |
| Course feedback & surveys | User comments, ratings | 2 years | Supports quality improvement, anonymised if retained beyond this point |
3. Secure Disposal
- Personal data will be permanently deleted or fully anonymised after the stated period.
- Backups will be managed to ensure no long-term storage of expired personal data.
- Deletion logs will be retained for internal audit purposes.
4. Responsibilities
- The TSA Data Protection Officer oversees retention compliance.
- TSA Learning Hub administrators are responsible for scheduling reviews and applying retention rules.
- TSA Learning Hub member organisation administrators are responsible for ensuring that user accounts remain up-to-date.
5. User Rights
- Individual users can request data deletion earlier, subject to legal or regulatory exceptions.
- Requests should be submitted to Shantelle Million-Lawson at s.million-lawson@tsa-voice.org.uk