Data Retention Policy
All businesses must keep personnel and financial records in order to run their business efficiently and to comply with statutory requirements. The type of record will determine the length of time the record must be kept for.
Remember that:
- All records must be kept in accordance with data protection laws. Extra care should be taken with ‘sensitive personal data’ i.e. data relating to race, ethnic origin, political or religious opinions or philosophical beliefs, trade union membership, data concerning health or a person’s sex life or sexual orientation or criminal records.
- Businesses collecting personal data must register with the Information Commissioner’s Office;
- You are not required to keep the original of all documents – copies can be stored but they must be stored in writing, including in electronic format.
- If erasing or destroying records, then destruction must be done securely.
Ten2Two Retention and Disposal policy
- Purpose
1.1 The purpose of this policy is to detail the procedures for the retention and disposal of information to ensure that we carry this out consistently and that we document any actions taken. Unless otherwise specified the retention and disposal policy refers to both hard and soft copy documents.
- Review
2.1 Review is the examination of closed records to determine whether they should be destroyed or retained for a further period.
- How long we should keep records
3.1 Records should be kept for as long as they are needed to meet the operational needs of the Business, together with legal and regulatory requirements. We have assessed our records to:
- Determine their value as a source of information about the Business, its operations and relationships
- Assess their importance as evidence of business activities and decisions
- Establish whether there are any legal or regulatory retention requirements (including: Data Protection Act 1998, the General Data Protection Regulation 2018).
- Retention schedule (Annex 1)
4.1 A retention schedule is a key document in the management of records and information. It is a list of series or collections of records for which predetermined periods of retention have been agreed.
4.2 Records on the retention schedule will fall into two main categories:
4.2.1 Destroy after an agreed period – where the useful life of a series or collection of records can be easily predetermined (for example, destroy after 3 years; destroy 2 years after the end of the financial year).
4.2.2 Review – see 2 above.
4.3 Records can be destroyed in the following ways:
- Non-sensitive information – can be placed in a normal rubbish bin
- Personal/Confidential information – cross cut shredded or burnt
- Sensitive Personal data – cross cut shredded and pulped or burnt
- Electronic equipment containing information – permanently deleted from the holding systems.
- Sharing of information
5.1 Where information has been shared between offices or staff, duplicate records should be destroyed.
5.2 Where we share information with other bodies, we will ensure that they have adequate procedures for records to ensure that the information is managed in accordance with the Business’s policies, relevant legislation and regulatory guidance.
- An audit trail
6.1 You do not need to document the disposal of records which have been processed in line with the retention schedule. Documents disposed of outside of the schedule either by being disposed of earlier or kept for longer than listed will need to be recorded for audit purposes.
6.2 This will provide an audit trail for any inspections conducted by the Information Commissioner and will aid in addressing Freedom of Information requests, where we no longer hold the material.
- Monitoring
7.1 Responsibility for monitoring the retention policy rests with the Director in charge of Data Protection. The policy will be reviewed every 5 years or more often if required.