Data Retention and Destruction
I. Policy Statement
Priceless Health LLC-FZ (the PH) maintains various records and data, including health services records, personal information, and other data collected in the PH platform. The PH is committed to effective records management, retention, and disposal to ensure that it:
- Complies with the principles relating to the processing of personal data set out in the PH Data Privacy Policy, such as purpose limitation, data minimization, and storage limitation;
- Optimizes the use of space;
- Minimizes the cost and associated risk of record retention; and
- Securely destroys records.
II. Scope
This Policy applies to all PH platforms, management, staff, customers, service providers, and platform users. It relates to all personal data as defined in the PH policy and all specified non-personal data records to which data protection legislation does not apply.
III. Data Retention
The retention period shall be 6 months, starting from the time the data was last active or in use (e.g., from the date of discharge).
There may be instances where certain data held by PH is relevant to litigation, a government investigation, an audit, or another event, and must therefore be preserved and not deleted, disposed of, or changed. This exception is referred to as a "Legal Hold" and takes priority over any previous or subsequent retention schedules for those records.
If it is unclear whether this exception applies, or if a staff member suspects that it may apply, they should contact the Managing Director of PH in the first instance. If destruction of the data has commenced, it must be stopped as soon as the legal hold becomes known.
Information may be retained if it is likely to be needed in the future and if the consequences of not having it would be substantial. It is impossible to accommodate every conceivable need; therefore, a balanced and common-sense approach must be taken, weighing up the likelihood and impact both for and against retaining the information.
IV. Data Destruction
Once the retention period has lapsed and provided there is no exceptional reason for the data to be retained longer (e.g., legal hold), the information must be disposed of appropriately and securely. Records can be destroyed in the following ways:
- Non-sensitive/non-confidential/non-business information – can be placed in the regular PH recycling bin.
- Confidential information – can be placed in a shredding console or shredded by a nominated and approved waste disposal firm. N.B. client files must never be disposed of in a shredding console.
- Electronic equipment containing information – destroy the data using kill disc; individual folders will be permanently deleted from the system. Destruction of electronic records should render them non-recoverable, even using forensic data recovery techniques.
Destruction of records must be authorized by the Managing Director of PH and recorded accordingly. Where records are to be destroyed by a professional contractor, a certificate of destruction must be issued.
V. Data Destruction Logs
A record in the form of a register/log issued by PH is to be maintained for all records destroyed, providing verifiable authorized proof of destruction. The log should be kept in perpetuity and should provide details of all records destroyed.
