From e3b844a0f8b42b30fc5a66d3bc81a4f931bfcfa1 Mon Sep 17 00:00:00 2001 From: NathanD-GDS Date: Mon, 8 Jul 2024 16:19:30 +0100 Subject: [PATCH 1/5] Adds information about our 7 year data deletion policy --- source/security/index.html.md.erb | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/source/security/index.html.md.erb b/source/security/index.html.md.erb index 4d3be908..3add81ee 100644 --- a/source/security/index.html.md.erb +++ b/source/security/index.html.md.erb @@ -78,6 +78,14 @@ If you make risk management fraud checks, you must [contact us](/support_contact GOV.UK Pay has implemented the Cloud Security Principles. Read the National Cyber Security Centre guidance on [implementing the Cloud Security Principles](https://www.ncsc.gov.uk/collection/cloud-security?curPage=/collection/cloud-security/implementing-the-cloud-security-principles) for more information. +## Data handling principles + +We only collect the data necessary to run GOV.UK Pay. + +We won’t retain that data any longer than we need it, and definitely no longer than 7 years, and only share it if it’s necessary to run GOV.UK Pay or if required by law. + +GOV.UK Pay is the data processor and your service is the data controller. The data protection/data processing agreement is in schedule 4 of the memorandum of understanding and schedule 5 of the contract. Both documents are available from the GOV.UK Pay admin tool. + ## Payment Card Industry (PCI) compliance Anyone involved with the processing, transmission, or storage of cardholder From edadcdec0b4d741b08910245e633ffcbe53de4b9 Mon Sep 17 00:00:00 2001 From: NathanD-GDS Date: Mon, 8 Jul 2024 16:20:11 +0100 Subject: [PATCH 2/5] Minor wording fix --- source/security/index.html.md.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/security/index.html.md.erb b/source/security/index.html.md.erb index 3add81ee..e1e65a6a 100644 --- a/source/security/index.html.md.erb +++ b/source/security/index.html.md.erb 
@@ -78,7 +78,7 @@ If you make risk management fraud checks, you must [contact us](/support_contact GOV.UK Pay has implemented the Cloud Security Principles. Read the National Cyber Security Centre guidance on [implementing the Cloud Security Principles](https://www.ncsc.gov.uk/collection/cloud-security?curPage=/collection/cloud-security/implementing-the-cloud-security-principles) for more information. -## Data handling principles +## Data handling We only collect the data necessary to run GOV.UK Pay. From 07a4452c35f5f987e0621babf0a5c94e7c313a2f Mon Sep 17 00:00:00 2001 From: NathanD-GDS Date: Tue, 9 Jul 2024 10:05:45 +0100 Subject: [PATCH 3/5] Style guide tweaks and line in reporting --- source/reporting/index.html.md.erb | 2 ++ source/security/index.html.md.erb | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/source/reporting/index.html.md.erb b/source/reporting/index.html.md.erb index 01fd2362..a8af3c43 100644 --- a/source/reporting/index.html.md.erb +++ b/source/reporting/index.html.md.erb @@ -15,6 +15,8 @@ This page covers: * [how to find payments in the admin tool and through our API](#find-payments) * [reconciling your payments through the admin tool and the API](#check-your-payments-are-correct-39-reconciliation-39) +GOV.UK Pay retains payment data for 7 years. You can [read more about how we handle your data](/security/#data-handling). + ## How payouts work The way payments come into your bank account is different depending on whether your PSP is Worldpay or Stripe. diff --git a/source/security/index.html.md.erb b/source/security/index.html.md.erb index e1e65a6a..908e46bf 100644 --- a/source/security/index.html.md.erb +++ b/source/security/index.html.md.erb 
@@ -82,7 +82,7 @@ GOV.UK Pay has implemented the Cloud Security Principles. Read the National Cybe We only collect the data necessary to run GOV.UK Pay. -We won’t retain that data any longer than we need it, and definitely no longer than 7 years, and only share it if it’s necessary to run GOV.UK Pay or if required by law. +We will not retain that data any longer than we need it, and definitely no longer than 7 years. We'll only share data if it’s necessary to run GOV.UK Pay or if required by law. GOV.UK Pay is the data processor and your service is the data controller. The data protection/data processing agreement is in schedule 4 of the memorandum of understanding and schedule 5 of the contract. Both documents are available from the GOV.UK Pay admin tool. From 8a9446ca65c495c86310d550e18cf3723c6b1771 Mon Sep 17 00:00:00 2001 From: NathanD-GDS Date: Tue, 9 Jul 2024 10:17:13 +0100 Subject: [PATCH 4/5] Adds caveats around what data is deleted --- source/reporting/index.html.md.erb | 4 ++-- source/security/index.html.md.erb | 6 ++++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/source/reporting/index.html.md.erb b/source/reporting/index.html.md.erb index a8af3c43..9d8df315 100644 --- a/source/reporting/index.html.md.erb +++ b/source/reporting/index.html.md.erb @@ -15,8 +15,6 @@ This page covers: * [how to find payments in the admin tool and through our API](#find-payments) * [reconciling your payments through the admin tool and the API](#check-your-payments-are-correct-39-reconciliation-39) -GOV.UK Pay retains payment data for 7 years. You can [read more about how we handle your data](/security/#data-handling). - ## How payouts work The way payments come into your bank account is different depending on whether your PSP is Worldpay or Stripe. 
@@ -49,6 +47,8 @@ The minimum payout for Stripe is £1. You can find payments in the GOV.UK Pay admin tool or [through the API](#use-the-api-to-find-payments). +GOV.UK Pay retains payment data for 7 years. You can generate reports that show transaction volumes and values from over 7 years ago, but you will not be able to get information about individual transactions. You can [read more about how we handle your data](/security/#how-gov-uk-pay-handles-transaction-data). + ### Use the admin tool to find payments When you log into the [GOV.UK Pay admin tool](https://selfservice.payments.service.gov.uk/login), you can view transactions for all your services or payments made to your bank account. diff --git a/source/security/index.html.md.erb b/source/security/index.html.md.erb index 908e46bf..88484bf2 100644 --- a/source/security/index.html.md.erb +++ b/source/security/index.html.md.erb 
@@ -78,11 +78,13 @@ If you make risk management fraud checks, you must [contact us](/support_contact GOV.UK Pay has implemented the Cloud Security Principles. Read the National Cyber Security Centre guidance on [implementing the Cloud Security Principles](https://www.ncsc.gov.uk/collection/cloud-security?curPage=/collection/cloud-security/implementing-the-cloud-security-principles) for more information. -## Data handling +## How GOV.UK Pay handles transaction data We only collect the data necessary to run GOV.UK Pay. -We will not retain that data any longer than we need it, and definitely no longer than 7 years. We'll only share data if it’s necessary to run GOV.UK Pay or if required by law. +We will not retain data any longer than we need it, and definitely no longer than 7 years. After 7 years, you will not be able to get information about specific transactions. You can still generate reports that show transaction volumes and values from over 7 years ago. + +We'll only share transaction data if it’s necessary to run GOV.UK Pay or if required by law. GOV.UK Pay is the data processor and your service is the data controller. The data protection/data processing agreement is in schedule 4 of the memorandum of understanding and schedule 5 of the contract. Both documents are available from the GOV.UK Pay admin tool. From a647fef4a71b9dc6d7bd7fcf6d383543d20c9277 Mon Sep 17 00:00:00 2001 From: NathanD-GDS Date: Tue, 9 Jul 2024 10:18:35 +0100 Subject: [PATCH 5/5] Tightens up wording --- source/security/index.html.md.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/security/index.html.md.erb b/source/security/index.html.md.erb index 88484bf2..b07175ed 100644 --- a/source/security/index.html.md.erb +++ b/source/security/index.html.md.erb 
@@ -82,7 +82,7 @@ GOV.UK Pay has implemented the Cloud Security Principles. Read the National Cybe We only collect the data necessary to run GOV.UK Pay. -We will not retain data any longer than we need it, and definitely no longer than 7 years. After 7 years, you will not be able to get information about specific transactions. You can still generate reports that show transaction volumes and values from over 7 years ago. +We will not retain data any longer than we need it, and definitely no longer than 7 years. After 7 years, you can generate reports that show transaction volume and values, but you will not be able to get information about specific transactions. We'll only share transaction data if it’s necessary to run GOV.UK Pay or if required by law.
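Review bot: in PATCH 1/5, the new "Data handling principles" section in source/security/index.html.md.erb gives a 7 year limit but does not say when the period starts. State the starting event so that a service, as data controller, can work out when a given record will stop being available. The last added paragraph also refers to "schedule 4 of the memorandum of understanding and schedule 5 of the contract" as available from the admin tool without a link or a location. Saying where in the admin tool those documents sit would make the reference usable.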
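Review bot: in the security hunk of PATCH 3/5, the added line mixes a straight apostrophe in "We'll" with a typographic one in "it’s". Use one form throughout the file. The same mix is carried into the "We'll only share transaction data" line added in PATCH 4/5.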
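Review bot: in the second reporting hunk of PATCH 4/5 (@@ -49,6 +47,8 @@), "GOV.UK Pay retains payment data for 7 years" reads as a fixed retention period, while the security page says data is kept "no longer than we need it, and definitely no longer than 7 years", which is an upper bound. A reader comparing the two pages cannot tell whether a record may be removed before 7 years. Pick one meaning and use the same wording on both pages, for example "for up to 7 years" if the upper bound is what is intended.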
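Review bot: in the security hunk of PATCH 4/5, the heading becomes "How GOV.UK Pay handles transaction data", but two paragraphs under it are not limited to transaction data: "We only collect the data necessary to run GOV.UK Pay" and the data processor and data controller paragraph. Either keep a general heading or move those two paragraphs so the narrower heading matches its content. The rename also changes the section anchor. The reporting link is updated in this patch, so check for other inbound links to #data-handling before merging.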
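Review bot: in PATCH 5/5, the added line says "We will not retain data any longer than we need it, and definitely no longer than 7 years" and then says reports on transaction volume and values can still be generated after 7 years, so something derived from transactions is kept past the limit. PATCH 4/5 widened the claim by changing "that data" to "data". Say what is removed (information about individual transactions) and what is kept (aggregated totals used for reports), so the retention statement is accurate as written. This line also uses "transaction volume" where the reporting page uses "transaction volumes"; align the two.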