Data Retention Strategy & Policy

TechB – Technology for Business is committed to protecting and respecting your privacy. TechB – Technology for Business Ltd is currently registered under the Data Protection Act 1998. For further information, please visit the Information Commissioner's website at www.ico.org.uk.

For the purpose of the Data Protection Act 1998 and the General Data Protection Regulation (the “Act”), in certain instances the data controller is dependent on the given activity and use of the information obtained and will be TechB – Technology for Business Ltd (of 18 Batten Road, Downton Business Centre, Salisbury, SP5 3HU). If you have any questions regarding this Policy, you should contact TechB in the first instance via [email protected] or at the following address:

The Data Protection Office
TechB – Technology for Business
18 Batten Road
Downton Business Centre
Salisbury, SP5 3HU

Introduction

Information and data are among TechB’s key corporate assets. In the course of carrying out its various functions, TechB accumulates information from both individuals and external organisations. TechB also generates a wide range of data, which is recorded in documents and records. TechB strives to maintain data in accordance with the Act.

These documents and records are in several different formats, examples of which include (but are not limited to) communications such as letters, emails and attendance notes; financial information including invoices, statements and reports; legal documents such as contracts; and information relating to vendors, applicants, buyers and other individuals taking an interest in our IT services.

For the purposes of this Policy, the terms ‘document’, ‘data’ and ‘records’ include information in both hard copy and electronic form.

In certain circumstances, it will be necessary to retain specific documents in order to fulfil statutory or regulatory requirements and also to meet justifiable operational needs. Document retention may also be useful to evidence events or agreements in the case of disputes, and also to preserve information which has historic value. TechB has developed this Policy with the intention of benefitting TechB and data subjects by striking a careful balance between legal obligations, operational efficiency and retention of data for periods which are reasonable and appropriate in the circumstances.

TechB will retain some data and forms of information for longer than others. In line with principle 5 of the Act, TechB does not seek to keep information longer than is necessary.

The retention of all documents and records is impractical and appropriate disposal forms an important aspect of this Policy. Disposal will assist TechB to maintain sufficient electronic and office storage space and will de-clutter office accommodation. TechB operates a “paper light” approach to hard copy documents with the majority of records being retained electronically rather than as hard copies where possible.

TechB’s Policy schedule is a tool used to ensure the retention of business information, personal data and sensitive personal data for as long as it is needed and justified in accordance with our balanced approach referred to in paragraph 4 above. TechB is keen to be proactive in providing data subjects with transparency on how data will be retained by TechB and ultimately destroyed. This Document Retention Strategy and Policy should be read in combination with our Privacy Policy https://www.TechB.co.uk/privacy-policy. It takes account of the context within which TechB operates, including the legal and regulatory environment (for example, compliance with the fifth data protection principle), the expectations of stakeholders and TechB’s ongoing legal obligations. It is intended primarily as a resource to inform you about how data is held, processed, archived and destroyed, and to enable disposal activity to be carried out in a consistent and controlled manner.

A table containing the intended retention period is given for each relevant data category. The retention period applies to all records in that category by default, and will be adhered to wherever possible, although it is recognised by TechB that there may be exceptional circumstances which require documents to be kept for either shorter or longer periods. In addition, it should be noted that, in line with the Act and TechB’s obligation to implement appropriate physical and technical security measures, the data and information held by TechB electronically is regularly and periodically backed up. These backup copies are maintained indefinitely and in accordance with TechB’s Security Policy to ensure the consistency and stable framework upon which TechB operates its business. On this basis these backup copies are unaffected by the retention periods for each relevant data category which form part of this Policy. The data set which forms part of each backup copy will be unaffected by the retention periods and action taken in line with the retention periods as referred to below.

Retention periods also apply to all formats of records, i.e. paper and electronic, unless specifically stated otherwise.

The primary factors that inform decisions on retention are:

  • Business need.
  • Services provided to our customers.
  • Provision of IT Solutions and associated activities.
  • Our experience of when retention of information and data is likely to be beneficial to the data subject as relevant to the specific services they seek from TechB.
  • Legislative and regulatory requirements – for example, compliance with the fifth data protection principle. Where relevant, legislation is listed.
  • Informed and express consent of the data subject.

In our experience, data subjects are often keen to consent to TechB maintaining data and information beyond the periods referred to as part of this Policy. The reason and justification for these extended periods of retention, by way of example, can include:

  • Provision of extended record keeping services.
  • Removing an administrative burden from data subjects.
  • Enabling an ease of operation between TechB and the data subject.
  • Maintaining an ongoing business relationship, which may be limited to matters such as a data subject’s ongoing interest primarily in IT security, beyond the periods maintained as part of the Policy.

It is therefore not unusual for data subjects to provide free and unambiguous consent to TechB to retain data beyond the periods forming part of this Policy.

Data Retention Schedule - Summary

1. Purpose of this document
A vital part of TechB’s Data Protection Policy and practice is for personal data to be retained for the appropriate period of time – neither too long nor too short. It is TechB’s policy to retain all information only for as long as specified in the Data Retention Schedule and, in general, no longer than two years plus the current year.

This document is a summary of the Data Retention Schedule, and gives an indication of the categories of personal data held by TechB and the basis on which TechB often retains data and information for longer than the two years stipulated in the Policy.

2. Current plus two-year rule
Personal data is not usually held for more than two years after it ceases to be current, unless there is a specific reason for doing so (see below for the specific categories requiring different retention periods). The definition of current will vary according to the personal data: for example, it will mean until a service contract has completed or, where the data relates to staff, until a member of staff has ceased to be employed by TechB.

The ‘current plus two years’ rule is a target period for retention. If there is no need to keep the personal data that long, then it may be disposed of securely before the two-year time limit. TechB will aim to assess and update data held in accordance with this Policy on a quarterly basis, which means the two-year plus current rule will ultimately be subject to this quarterly variance.

3. Exceptions to the two-year rule
This section gives a guide to the categories which have legislation determining the length of time for which personal data within that category should be retained. An indication is given of the main section of the Data Retention Schedule dealing with each category.

| Category | Examples | Retention period |
| --- | --- | --- |
| Financial records | Tax information, purchase ledger, sales ledger, cash book payments etc.; payroll data | Current year plus 6 years |
| Complaints | Correspondence with complainants, correspondence with The Property Ombudsman | Current year plus 6 years |
| Contractual arrangements | Supplier agreements, service level agreements; legal contracts; tender documentation | Life of contract plus 6 years |
| Governance papers | Articles, Instruments and company administration records; agendas and minutes of meetings | Current year plus 6 years |
| Data Protection requests | Correspondence regarding Data Subject Access requests | Current year plus six years |
| Personnel records | Wide variety of specific retention limits – please see Schedule below | From 6 months to 75 years |
| Health and Safety records | Please refer to Health and Safety Officer Retention Schedule | Up to 50 years |

Given our experience of document and data retention, TechB operates a Policy where data is usually archived first. Archived data can then either become live data on the basis of repeated operation or be deleted after the periods of retention forming part of this Policy. Data which is archived is held on the following basis:

  • Once data has been archived, it will not be actively used by TechB unless the data becomes current and/or the data subject requests that such data become current.
  • Once data becomes current again, the two year plus current year rule will be reapplied to such data.
  • Data which has been archived and remains archived for the period set out in the table below will then be destroyed or anonymised.

Data Retention periods (Detailed)

| Data Category | Records Held (type of data) | Retention Timescale (years) | Purpose of Retention | Action Following Retention | Legal Basis/Relevant TechB Policy |
| --- | --- | --- | --- | --- | --- |
| Payroll | Payroll Records | Current Tax Year + 6 | Legal Compliance | Destroy | HMRC Policy |
| Payroll | Time Sheets | Current Year + 2 | Consistent with Policy | Destroy | HR Policy |
| Payroll | Salary Details | Current Tax Year + 6 | Legal Compliance | Destroy | HMRC Policy |
| Payroll | Overtime Records | Date of Termination + 3 | Consistent with Policy | Destroy | HR Policy |
| Payroll | P45 | Current Tax Year + 5 | Legal Compliance | Destroy | Taxes Management Act 1970 |
| Payroll | P60 Lists | Previous Year + 2 | Consistent with Policy | Destroy | HR Policy |
| Finance | Annual Accounts | Previous Year + 2 + Archive | Consistent with Policy | Permanent | Finance Policy |
| Finance | Monthly Financial Statements | Current Year + 2 | Consistent with Policy | Destroy | Finance Policy |
| Finance | Internal Audit Reports | Current Financial Year + 2 | Consistent with Policy | Destroy | Finance Policy |
| Finance | External Audit Reports | Previous Year + 2 + Archive | Consistent with Policy | Permanent | Finance Policy |
| Finance | Tax Documentation | Current Financial Year + 5 | Legal Compliance | Destroy | Value Added Tax Act 1994 |
| Finance | VAT Administration | Current Tax Year + 5 | Consistent with Policy | Destroy | Finance Policy |
| Finance | Cheque Reconciliations | Creation until after Audit then 6 | Consistent with Policy | Destroy | Finance Policy |
| Finance | Travel/Staff Expenses, etc. | Current Year + 5 | Consistent with Policy | Destroy | Finance Policy |
| Finance | BACS prints | Current Financial Year + 3 | Consistent with Policy | Destroy | Finance Policy |
| Finance | Legal Costs | Current Financial Year + 5 | Consistent with Policy | Destroy | Finance Policy |
| Finance | Invoices | Current Year + 5 | Consistent with Policy | Destroy | Finance Policy |
| Finance | Orders | Current Year + 5 | Consistent with Policy | Destroy | Finance Policy |
| Finance | Purchase Records | Current Tax Year + 5 | Consistent with Policy | Destroy | Finance Policy |
| Human Resources | Current Staff Details | Retain and check currency | Legal Compliance | Retain | CIPD Recommendation |
| Human Resources | Former Staff Details | Date of Termination + 6 | Legal Compliance | Destroy | CIPD Recommendation |
| Human Resources | Staff Career Development Reviews | Retain for current staff. Former staff Termination + 2 | Consistent with Policy | Retain/Destroy | HR Policy |
| Human Resources | Attendance Records | Date of Termination + 4 | Consistent with Policy | Destroy | HR Policy |
| Human Resources | Occupational Health Reports | Date of Termination + 4 | Consistent with Policy | Destroy | HR Policy |
| Human Resources | Employee Counselling Returns | Date of Termination + 4 | Consistent with Policy | Destroy | HR Policy |
| Human Resources | Exit Interview Forms | Date of Termination + 1 | Consistent with Policy | Destroy | HR Policy |
| Human Resources | Employment Tribunal Records | Date of Termination + 1 | Consistent with Policy | Destroy | HR Policy |
| Human Resources | Personal and Domestic Leave Requests | Date of Termination + 2 | Consistent with Policy | Destroy | HR Policy |
| Human Resources | Declaration of Outside Employment | Date of Termination + 4 | Consistent with Policy | Destroy | HR Policy |
| Human Resources | Holiday/Leave Registers | Date of Termination + 2 | Consistent with Policy | Destroy | HR Policy |
| Human Resources | Pension Documents | Date of Termination + 6 | Consistent with Policy | Destroy | HR Policy |
| Human Resources | References | Date of Termination + 3 | Consistent with Policy | Destroy | HR Policy |
| Human Resources | Disclosure Certificates (clear) | Record Receipt Only | Consistent with Policy | Destroy | HR Policy |
| Human Resources | Disciplinary Records | Date of Termination + 1 | Consistent with Policy | Destroy | HR Policy |
| Human Resources | Grievance Records | Date of Termination + 1 | Consistent with Policy | Destroy | HR Policy |
| Human Resources | Agency Worker CV | Active + 1 | Consistent with Policy | | HR Policy |
| Human Resources | Data held on HR System | Date of Termination + 6 | Consistent with Policy | Destroy | HR Policy |
| Human Resources | Maternity Leave Requests | Current Tax Year + 3 | Consistent with Policy | Destroy | HR Policy |
| Human Resources | Flexible Working Requests | Date of Termination + 2 | Consistent with Policy | Destroy | HR Policy |
| Human Resources | Personnel Files | Date of Termination + 6 | Consistent with Policy | Destroy | HR Policy |
| Human Resources | Training Records | Date of Termination + 6 | Consistent with Policy | Destroy | HR Policy |
| Human Resources | Redundancy Details | Active + 6 | Consistent with Policy | Destroy | HR Policy |
| Human Resources | Recruitment Documents | 6 months | Legal Compliance | Destroy | CIPD Recommendation |
| Human Resources | Previous Employment Details Related to | 6 months | Legal Compliance | Destroy | CIPD Recommendation |
| Human Resources | Successful Post Applications | Transfer to staff file | Legal Compliance | Transfer to staff file | CIPD Recommendation |
| Human Resources | Unsuccessful Post Applications | 1 Year | Legal Compliance | Destroy | CIPD Recommendation |
| Human Resources | Interview Notes | 1 Year | Legal Compliance | Destroy | CIPD Recommendation |
| Human Resources | Bank Details | Current Tax Year + 5 | Consistent with Policy | Destroy | HR Policy |
| Health and Safety | Health and Safety Reports | Current Year + 5 | Consistent with Policy | Destroy | H&S Policy |
| Health and Safety | Health and Safety Records | 40 (COSHH) | Consistent with Policy | Archive | H&S Policy |
| Health and Safety | Legal Documentation | Permanent | Consistent with Policy | Archive | H&S Policy |
| Health and Safety | Risk Assessment Reports | Year of Assessment + 3 | Legal Compliance | Destroy | Management of Health and Safety at Work Regulations 1992 |
| Health and Safety | Accident Book | 4 years from date of last entry | Legal Compliance | Archive | Legislation |
| Health and Safety | Health and Safety Correspondence | Current Year + 5 | Legal Compliance | Destroy | Legislation |
| Health and Safety | Safety Training Records | Current Year + 6 | Legal Compliance | Destroy | Legislation |
| Health and Safety | Fire Safety Certificates | Permanent | Legal Compliance | Archive | Legislation |
| Health and Safety | Fire Risk Assessment and Fire Plans | Active | Legal Compliance | Archive | Legislation |
| Health and Safety | PPE Maintenance and Examination | Current Financial Year + 5 | Legal Compliance | Archive | Legislation |
| Health and Safety | LEV Monitoring | Current Financial Year + 6 | Legal Compliance | Archive | Legislation |
| Health and Safety | Lifting Operations - Examinations | Active | Legal Compliance | Archive | Legislation |
| Health and Safety | Fire Occurrence Records | Current Year + 5 | Consistent with Policy | Destroy | H&S Policy |
| Insurance | Insurance Policies | 12 years | Legal Compliance | Hold in Safe | Legislation |
| Insurance | Employers Liability Claims | Permanent | Legal Compliance | Archive | Legislation |
| Property | Building Plans | Permanent | Consistent | Available | Property Policy |
| Property | Resource Management | Current Financial Year + 2 | Consistent with Policy | Destroy | Property Policy |
| Property | Legal Documentation | Permanent | Consistent with Policy | Archive | Property Policy |
| Property | Waste Transfer Notes | Current Financial Year + 2 | Legal Compliance | Archive | Legislation |
| Property | Waste Consignment Notes | Current Financial Year + 3 | Legal Compliance | Archive | Legislation |
| Property | Business Continuity Plan | Active | Consistent with Policy | Archive | Property Policy |
| Property | Security Information | Current Year + 5 years | Consistent with Policy | Destroy | Property Policy |
| Property | Leased Property Files | End of lease + 5 years | Consistent with Policy | Destroy | Property Policy |
| Property | Property Files | Current Financial Year + 5 | Consistent with Policy | Destroy | Property Policy |
| Property | Job Files | Current Financial Year + 5 | Consistent with Policy | Destroy | Property Policy |
| Property | Leases | End of lease + 5 years | Consistent with Policy | Destroy | Property Policy |
| Property | CCTV recordings | 28 days | Consistent with Policy | Destroy unless legally required | CCTV Policy |
| Record Management | Record Retention Schedules | Active + 6 years | Consistent with Policy | Destroy | Record Management Policy |
| Marketing | Promotional Material | Current Year + Archive | Consistent with Policy | Archive | Marketing Policy |
| Marketing | Public Relations | Current Year + Archive | Consistent with Policy | Archive | Marketing Policy |
| Marketing | Community Liaison | Current Year + Archive | Consistent with Policy | Archive | Marketing Policy |
| Marketing | Press Cuttings | Current Year + Archive | Consistent with Policy | Archive | Marketing Policy |
| Internal IT | Functional Specifications | Active + 2 | Consistent with Policy | Destroy | IT Policy |
| Internal IT | Current Technical Specifications | Active | Consistent with Policy | Destroy | IT Policy |
| Internal IT | Operating Logs | Active + 1 | Consistent with Policy | Destroy | IT Policy |
| Internal IT | Security | Current | Consistent with Policy | Destroy | IT Policy |
| Internal IT | Security Incident Report | Current Year + 5 | Consistent with Policy | Destroy | IT Policy |
| Internal IT | Emails | Active + 2 | Consistent with Policy | Destroy | IT Policy |
| Internal IT | Scanning Log | Deleted after three months | Consistent with Policy | Destroy | IT Policy |
| Corporation | Annual Report and Accounts | Permanent | Legal Compliance | Archive | Corporate Policy |
| Corporation | Quarterly Reports | Current Financial Year + 5 | Legal Compliance | Destroy | Corporate Policy |
| Corporation | Policy Documents | Active + 5 | Legal Compliance | Destroy | Corporate Policy |
| Corporation | Board Committee Papers | Current Year + 5 | Legal Compliance | Destroy | Corporate Policy |
| Corporation | Board Minutes | Permanent | Legal Compliance | Destroy | Corporate Policy |
| Corporation | General Correspondence | Current Year + 5 | Legal Compliance | Destroy | Corporate Policy |
| Corporation | SMT Senior Management Team Minutes | Current Year + 5 | Legal Compliance | Destroy | Corporate Policy |
| Corporation | Senior Management Team Papers | Current Year + 5 | Legal Compliance | Destroy | Corporate Policy |

Last updated 30 April 2018