This feature enables the organisation’s Data Protection Officer / teams to set data retention policies for Personally Identifiable Information (PII) stored in Centrik.
It also allows authorised users to delete or clear system records that need to comply with data protection policies.
Only users who have been granted the ‘Data Protection Officer’ access right can access the Data Retention Configuration page.
For Centrik 5, users with the ‘Data Protection Officer’ access right will see a widget labelled Data Protection within the Module summary tab of the main Dashboard.
Selecting Data Retention Status takes you to a dedicated configuration page, where you can establish specific policies that govern how data is retained across various modules / areas of the system. These areas include, but are not limited to, Audits, Findings, Safety Cases, Documents, Workflows, Contacts and Training.
These policies let you manage how long and under what conditions various data types are stored.
By default, all items will be set to Retain indefinitely. You can change this by activating edit mode and choosing one of three options under Policy:
- Retain indefinitely - No data protection applied.
- Delete - Permanently and irretrievably delete the records governed by that policy. Unrecoverable as per GDPR regulations, even by Centrik staff
- Clear text - Removes data fields but keeps the record. Free text is replaced with “[CLEARED] Text has been cleared in accordance with Data Protection Compliance.”
When a policy is modified to either Delete or Clear text, a new option labelled Policy Retain Period becomes visible as a dropdown menu. By default, the retention period is set to Never. However, users can configure this setting according to their requirements. The available options include specifying the retention period in terms of Days, Weeks, Months, Years or selecting Never or Immediate.
- Immediate – This option means the policy will be enforced immediately.
Never – This option indicates that the policy will not be applied at any point in time.
The Rationale is a freeform text field that allows the user to provide detailed explanations regarding the chosen data retention period. This field is designed to capture the reasoning behind the specific duration chosen for retaining data (for example legal requirements or organisational policies).
Once the changes have been made, the Save button can be selected.
It is important to note that once the data retention policy settings have been configured, the system will not automatically delete any data. Instead, this setup functions primarily as an alerting mechanism. It notifies users when certain items require deletion, either immediately or in the near future.
These items will then be displayed on the dashboard shortcut and will include a corresponding colour to help users prioritise actions.
Items marked with a yellow status indicate that they are approaching the end of their retention period and are due to be deleted or have text cleared within the next month. Conversely, items marked with a red status signify that they have already exceeded their retention period and should be reviewed as a matter of priority.
Review button
Back within the Data Retention Configuration page, there is a Review button associated with each section. This allows the Data Protection officer or any users who have been granted sufficient access rights to review items that are due for deletion or require clearing, ensuring compliance with data protection policies and organisational guidelines.
After selecting Review, to take action on all items or specific items, which could either be to delete the items or to clear their text content, users need to select the check box corresponding to each item they wish to act upon.
Once the selections have been made, the user must then select the Apply to Selected button, to execute the chosen action according to the defined policy.
Deleting:
If any of the selected items are subject to a delete policy, the system will display an on-screen advisory message before you can proceed by clicking the Apply button.
The advisory is a warning that the action will permanently delete the associated item or items and the deletion cannot be undone.
Clearing Text:
When an item is associated with a ‘Clear Text’ policy, the user will be presented with an advisory message before they proceed to select the Apply option.
After the user choses the Apply option, an additional on-screen completion will appear.
Furthermore, the selected item will be updated by removing the relevant text from the item.
This means that any specific information previously captured within the item will be cleared and replaced with a ‘Cleared’ remark.
For example, consider a Safety report where certain information fields initially contained text. After selecting Apply, the fields will display with a ‘Cleared’ remark, indicating that the information that was formerly present has now been removed or ‘cleared.’
Making specific items exempt from data retention policies:
In some scenarios, users may wish to mark specific items as exempt from the policies set. To do this, after selecting Review, on the next interface, there are Exempt buttons for each item. When selected, the user will be required to enter a Reason for Exemption and provide a date for the Exempt Until field. By selecting the Exempt button, the corresponding item will be removed from the visible list.
However, please note that the item is not permanently deleted; it can still be accesses and viewed by clicking on the Include Exempt button.