Retention Policy

Retention and Disposal of Records Policy 


Contents

 

  1. Purpose 
  2. Definitions 
  3. Storage and Disposal of Records
     3.1  Storage of Records 
     3.2  Retention Periods
     3.3  Review
     3.4  Disposal
     3.5  Destruction
     3.6  Responsibilities 
     3.7  Training and Awareness 
     3.8  Review of the Policy


 

1. Purpose 

The purpose of this policy is to ensure that Puraffinity implements an effective system to maintain records, in both electronic and hard copy format, in accordance with the requirements of applicable law, and that records containing personal or special category data that are no longer required are disposed of in a timely and secure manner. 


UK GDPR Article 5(1)(e), the storage limitation principle, requires that personal data be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the appropriate safeguards required by Article 89(1) of UK GDPR. 

This policy provides guidelines for the retention of documents that are used under normal commercial circumstances. It is also intended to help employees understand their obligations when retaining electronic documents, including emails, web files, text files, audio and video files, PDF documents, MS Office files and files in any other format. 


2. Definitions 

  • Disposal – The processes by which a record reaches the end of its life: destruction, transfer to another medium or organisation, or permanent archiving. 
  • Records – Any recorded data or information in any medium, including letters, pictures, certifications, licences, hard copies, voicemails and data held on servers, desktops and other computer media. 
  • Retention – The condition or length of time for which records are kept. 

 

3. Storage and Disposal of Records 

Records, including those containing data subjects' personal data, may be stored electronically or physically and may include: 

  • Administrative records including HR, finances, budget information, etc. 
  • Working papers 
  • Phone messages 
  • Video tapes 
  • Computer media 
  • Audio tapes 

All data classified as personal data or special category data (e.g. sexual orientation, ethnic origin, religious belief, health data) must be periodically reviewed by the data owner. If it is no longer needed it must be securely deleted or anonymised as appropriate (refer to the Pseudonymisation and Anonymisation Policy). 


Anonymised data, from which a data subject can no longer be identified by any means reasonably likely to be used, is not subject to UK GDPR or the Data Protection Act 2018. Pseudonymised data, which can still be attributed to a data subject with the use of additional information, remains personal data and remains subject to this policy. 


3.1  Storage of Records 

Electronic records should be stored on secure servers (whether on-premises or in the cloud), with a single authoritative copy of the approved record; backups are not working copies and must not be used as such. Hard copy records should be stored in a secured location such as a locked filing room. Data owners will comply with the health, environmental and safety requirements needed to protect and control the records for which they are accountable against fire, theft or any other incident. 


3.2  Retention Periods 

Retention periods are driven by legislation and/or business need. Where there is no legally defined retention period for corporate information, it is the responsibility of the relevant data owner to determine and document an appropriate retention period. We will assign clearly defined retention periods to our information to ensure it is kept for the appropriate length of time and no longer. 


Each retention period is defined by three elements: 


  • Trigger – the event which starts the retention period (e.g. ‘End of Financial Year’ or ‘End of Employment’). 
  • Retention period – the length of time the information will be kept after the trigger. 
  • Action – either ‘review’ or ‘destroy’: 
      – If the action is ‘review’, the information must be reviewed to confirm it is no longer required before destruction. The outcome of a review may be to dispose, to archive, or to grant a temporary extension with a further review at a future date. 
      – If the action is ‘destroy’, the information can be destroyed without further review. 


3.3  Review 

When data has reached the end of its retention period it may need to be reviewed to confirm that it is no longer required. Information with an action of ‘destroy’ can be disposed of securely without review. 


Where a review is required, the data owner should consider the data and decide whether it can be destroyed. If a high volume of data is being reviewed at once, the review should be conducted at a macro level, i.e. by category or set rather than line by line. If the data is subject to a legal hold, a more thorough review (involving the DPO and/or legal counsel) may be necessary, and nothing under hold may be destroyed until the hold is lifted. 


Information should only be retained beyond its retention period in limited circumstances. 


When conducting a review, the following factors should be taken into account: 


  • Is the information required to fulfil a statutory or regulatory requirement? 
  • Is the information relevant to ongoing litigation / subject to a legal hold? 
  • Is the information the subject of an information request or relate to information recently disclosed in a response? 
  • Is retention required to evidence events in the case of a dispute? 
  • Is there any other demonstrable business need for retaining the information? 

If the information is deemed to still be required, an extension of two years is given and the information must be reviewed again at the end of that extension. 

The retention period must not be extended indefinitely. You should consult the DPO if you still intend to keep data after applying a two-year extension period. 


3.4  Disposal 

The disposal of records does not refer only to the destruction of records, but also to the transfer of records to a different medium, or the transfer of records from one organisation to another. Where records are being transferred to another organisation, a contract must be signed with the third party before transfer (see the Controller Processor Agreements Policy), specifying how the records will be archived, for how long, and who will be authorised to access them. 


When an archived record is accessed, the archive log should record: 


  • The date of the access 
  • The details of the authorised person to access the records 
  • The reason for accessing the records 

When a record is removed from the archive, the archive log should record: 


  • The person removing the record 
  • The person’s signature 
  • The date expected to be returned 


3.5 Destruction  

When records are no longer required by the organisation and have no archival value, they must be destroyed through a secure, controlled process so that the information cannot be recovered or disclosed once it leaves our control. 


Records should be destroyed with the level of security required by the confidentiality of their contents (refer to Information Classification Policy). For example, if records containing special category data have been shredded, then the shredded paper should be handled and disposed of securely. Records awaiting destruction must be stored securely. 


Deletion of electronic records must cover every copy, including copies held in backups; where a backup cannot be edited selectively, the record must be deleted when that backup expires and must not be restored in the meantime. Deletions should be carried out by someone with appropriate access to the system from which the records are being deleted. Electronic records must be deleted in a way that makes them unrecoverable: replacing a file with a newer version, renaming it, or moving it to a recycle bin is not destruction, and on media that support it the data should be overwritten or cryptographically erased in line with the Information Classification Policy. 


Destruction of records must not proceed without sign-off by the relevant data owner. Evidence of the destruction (what was destroyed, when, by whom and by what method) must be recorded and maintained. 


3.6  Responsibilities 

All Puraffinity employees must comply with the records management requirements. All heads of department must communicate this policy and take the necessary steps to ensure that their employees comply with it. The Data Protection Officer is responsible for auditing compliance with this policy. 


3.7  Training and Awareness 

Senior management must ensure that all staff are trained in and aware of this policy and of the steps to be taken when storing and disposing of records containing data subjects' personal data. 


3.8  Review of the Policy 

This policy and its associated procedures will be reviewed every two years by senior management and the relevant departmental managers. Any changes must first be drafted and then approved by senior management before they take effect. 

