Datawarehouse Data Retention Policy

Purpose

The purpose of this document is to define the retention periods for each of the personal data elements or records processed (ie., collected, used, transmitted, shared, stored, archived) by the CKI Datawarehouse governed by the requirements established in Red Hat Corporate Records Management Policy and in compliance with “Data Retention” principle described in Red Hat Global Privacy Policy.

Scope

The scope of this retention policy is limited to personal data elements or records processed by the CKI Datawarehouse and do not apply to upstream or downstream systems/services that could process the same personal data elements or records. Data retention periods of the personal data processed by those upstream or downstream systems/services shall be governed by the data retention policies of those respective systems/services.

Policy Statement

Ownership & Responsibilities

All personal data elements or records collected, used, transmitted, shared, stored, archived or otherwise processed by the CKI Datawarehouse is owned by the CKI project and is responsible for establishing, maintaining and enforcing this policy.

Retention Periods

The following personal data elements or records are processed by the CKI Datawarehouse and shall comply with the following retention periods. These retention periods shall be enforced on any personal data transmitted to third party vendors or service providers including various cloud or SaaS providers.

What Purpose Max. Retention Period
User ID Authentication and authorization of users Until the termination of user’s relationship with Red Hat
Name and Email Address Communication with users Until the termination of user’s relationship with Red Hat
Application or System Log Files For logging events 6 months

Storage

Maintenance and storage of personal data processed by this service shall be governed by the requirements established in Red Hat Corporate Records Management Policy. Any personal data in electronic format should be maintained and stored in a Red Hat approved repository (or an approved cloud/service provider) in compliance with Data Encryption & Secure Key Management Guidelines.

Policy Compliance

Compliance Measurement

Compliance with this data retention policy is mandatory. Compliance to this policy is measured through various methods including but not limited to, reports from available business tools, internal and external audits, self-assessment, and/or feedback to the policy owner.

Non-compliance & Exceptions

Any request to keep records beyond the maximum time period or retention requirements must be justified and approved in writing by the policy owner.

Revision History

When Who What
10/02/2021 Martin Iñaki Malerba (imalerba) Initial Policy drafted and published
Last modified May 7, 2021: Add explicit docs about customizing CI runs for MRs (d2a28c8)