Merge pull request #970 from alphagov/sevenYearDataDeletion

Seven year data deletion
alphagov · Jul 9, 2024 · 4a59db3 · 4a59db3
2 parents 394599f + a647fef
commit 4a59db3
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/source/reporting/index.html.md.erb b/source/reporting/index.html.md.erb
@@ -47,6 +47,8 @@ The minimum payout for Stripe is £1.
 
 You can find payments in the GOV.UK Pay admin tool or [through the API](#use-the-api-to-find-payments).
 
+GOV.UK Pay retains payment data for 7 years. You can generate reports that show transaction volumes and values from over 7 years ago, but you will not be able to get information about individual transactions. You can [read more about how we handle your data](/security/#how-gov-uk-pay-handles-transaction-data).
+
 ### Use the admin tool to find payments
 
 When you log into the [GOV.UK Pay admin tool](https://selfservice.payments.service.gov.uk/login), you can view transactions for all your services or payments made to your bank account.

diff --git a/source/security/index.html.md.erb b/source/security/index.html.md.erb
@@ -78,6 +78,16 @@ If you make risk management fraud checks, you must [contact us](/support_contact
 
 GOV.UK Pay has implemented the Cloud Security Principles. Read the National Cyber Security Centre guidance on [implementing the Cloud Security Principles](https://www.ncsc.gov.uk/collection/cloud-security?curPage=/collection/cloud-security/implementing-the-cloud-security-principles) for more information.
 
+## How GOV.UK Pay handles transaction data
+
+We only collect the data necessary to run GOV.UK Pay.
+
+We will not retain data any longer than we need it, and definitely no longer than 7 years. After 7 years, you can generate reports that show transaction volume and values, but you will not be able to get information about specific transactions.
+
+We'll only share transaction data if it’s necessary to run GOV.UK Pay or if required by law.
+
+GOV.UK Pay is the data processor and your service is the data controller. The data protection/data processing agreement is in schedule 4 of the memorandum of understanding and schedule 5 of the contract. Both documents are available from the GOV.UK Pay admin tool.
+
 ## Payment Card Industry (PCI) compliance
 
 Anyone involved with the processing, transmission, or storage of cardholder