Data Retention

This portal retains personal data only for as long as it is required to deliver the service securely and in line with legal obligations. Data is managed in accordance with the UK GDPR, the Data Protection Act 2018, and the Welsh Language Standards.

Retention periods

• Audit logs
  Records of logins, report views and status changes are retained for 3 years. This allows the University to evidence service standards and investigate security incidents if required.

• Referrals and assessment records
  Referral details and assessment statuses are retained while the student is actively engaged with the service. These may be exported to the University on request or at the end of the service contract.

• Reports
  Assessment reports are held in the portal for as long as they are required for the student’s course of study. Reports can be exported to the University on request or at contract exit. The portal does not alter or edit report content.

• User accounts and session data
  Accounts are authenticated through Microsoft Entra SSO and not stored locally in the portal. Session data is deleted automatically when you sign out or close your browser.

• Backups
  Database and file backups are retained securely off-site with a recovery point objective (RPO) of ≤ 60 minutes and a recovery time objective (RTO) of ≤ 4 hours. Backups are encrypted and replicated within the UK/EEA.

Data export and exit

At the end of the contract, or on request, all data held within the portal can be exported in standard formats (CSV/JSON plus files). This ensures continuity of service and allows the University to retain a complete record.

Secure deletion

When data is no longer required, it is securely deleted in line with University policies and industry standards for information security.

Last updated: August 2025