Cardiff Records Retention and Confidentiality Bylaws

This guide explains records retention schedules and confidentiality obligations for council-held information in Cardiff, Wales, including how retention is managed, who enforces rules and how to request or challenge records. Cardiff Council maintains data-protection and access-to-information policies and operational guidance on handling personal data and Freedom of Information requests; see the council pages below for official procedures and contacts Data protection^[1].

Scope and legal basis

Records retention and confidentiality for Cardiff public records are governed by a mix of council policy, the UK Data Protection Act / UK GDPR for personal data, and Freedom of Information obligations for recorded information. The council’s corporate information governance team and the council's Data Protection Officer oversee policy implementation and operational compliance.

Key duties for council services

• Maintain a documented retention schedule identifying record types and retention periods.
• Apply secure storage and controlled disposal for confidential and personal records.
• Report personal data breaches to the Data Protection Officer and, where required, to the Information Commissioner.
• Provide published channels for subject access, FOI requests and complaints.

Penalties & Enforcement

Cardiff Council enforces confidentiality and retention policies through its Information Governance team and the corporate Data Protection Officer; serious personal data breaches may be reported to the Information Commissioner’s Office. Specific monetary fines or fixed penalty figures are not consistently specified on the council pages; where statutory enforcement exists it is through national law and regulator action rather than a municipal fixed-fine schedule.^[2]

• Monetary fines: not specified on the cited page for local bylaws; ICO or national legislation sets potential fines for data-protection breaches.
• Escalation: first incident and repeat/continuing offences are managed case-by-case and may lead to internal disciplinary action, remediation orders or referral to external regulators (not specified in a single council fine table).
• Non-monetary sanctions: internal enforcement, orders to cease processing, mandated corrective actions, secure deletion or court action where lawful.
• Enforcer: Cardiff Council Information Governance/Data Protection Officer and, for statutory data-protection enforcement, the Information Commissioner (external regulator).
• Inspection and complaints: complaints can be submitted via the council complaints process or specific FOI/data-protection contact channels.
• Appeal and review routes: internal review and complaint procedures within the council, followed by referral to the Information Commissioner; time limits for statutory requests are provided by national law and council guidance (see council pages).

Applications & Forms

Common application types and where to find them:

• Subject Access Request (SAR): request copy of personal data held by the council; see the council’s Data Protection page for submission details and any required identity verification.
• Freedom of Information (FOI) request: use the council FOI submission route for recorded information; statutory FOI timescales typically apply.
• Fees: FOI requests are usually free, though costs or charges for disbursements may apply where statutory exemptions permit—check the FOI guidance.

Common violations and typical outcomes

• Unauthorized disclosure of personal data — outcome: internal investigation, remedial action and possible referral to the ICO (financial sanction not specified on the cited page).
• Failure to follow retention schedule (over-retention) — outcome: direction to securely delete or archive records per policy.
• Late or non-response to FOI requests — outcome: internal review and potential ICO complaint; statutory FOI response times apply.

FAQ

How long does Cardiff keep council records?

The council publishes retention guidance and schedules for different record types; specific retention periods vary by record class and are provided in council policy or departmental schedules, or are not specified on the cited page.

How do I request my personal data or other council information?

Submit a Subject Access Request for personal data or a Freedom of Information request for recorded information through the council’s online pages and contact channels Freedom of Information^[2].

How do I report a confidentiality or data-protection breach?

Report the incident to the council’s Information Governance/Data Protection Officer using the contact details on the council’s data-protection page; keep a dated record of your report and any responses.

How-To

1. Identify whether you need a Subject Access Request (personal data) or a Freedom of Information request (recorded information).
2. Find and complete the council’s online submission form or email the relevant access-to-information contact listed on the council pages.
3. Provide proof of identity where requested and give clear details about the records you want to help the council locate them.
4. Await the council’s response within the statutory timeframes (see FOI and data-protection guidance); if unsatisfied, request an internal review then consider contacting the Information Commissioner.

Key Takeaways

• Cardiff Council holds formal retention and confidentiality policies administered by its Information Governance team.
• Use the council’s published FOI and Data Protection pages to submit requests or report breaches.

Help and Support / Resources

• Cardiff Council - Contact us
• Cardiff Council - Data protection
• Cardiff Council - Freedom of Information
• Information Commissioner’s Office (ICO)

1. [1] Cardiff Council - Data protection
2. [2] Cardiff Council - Freedom of Information