Data Retention & Disposal Policy
Last Updated 2 Aug 2022 in Data Protection
Overview
This Policy ensures that the Society will only keep personal data for as long as is necessary and will retain the minimum amount of personal data in order to comply with its legal and regulatory obligations and to carry our business.
1. Policy Statement
1.1. The Society is mindful of the rights and obligations established by the General Data Protection Regulation 2016 and the Data Protection Act 2018 (hereinafter together “the Applicable Legislation”) in relation to the management and processing of personal data - and special category data, as defined under the Applicable Legislation.
1.2. The Society will ensure that personal data is kept no longer than is necessary and will retain the minimum amount of personal data in order to comply with its legal and regulatory obligations, and to carry out its business.
1.3. This Policy should be read in conjunction with our Data Protection Policy, as well as other relevant Society’s policies and procedures concerning the processing of personal data, all of which are available on Colleagues Connect or, alternatively, by contacting the Society’s Data Protection Manager (DPM) by email - on Data-Protection@midcounties.coop.
2. Introduction
2.1. A large number of documents exist in the Society and new documents are being generated every day. It is therefore important that the documents are appropriately retained or disposed of in accordance with this Policy.
2.2. Documents take many forms and include, for example, financial information, personnel records, legal documents or property records. These records need to be properly retained for a number of reasons, such as to meet the Society’s business needs, any relevant regulatory or legal requirements, and to ensure that any records of historic value are preserved.
2.3. Information is one of the Society’s assets and needs to be managed accordingly. Records management is important not just in terms of managing the Society’s storage capacity (both physical and electronic), but also in knowing which documents need to be retained (for legal or evidential reasons) and which documents can (or should) be disposed of.
2.4. Information held for longer than is necessary carries additional risk and cost to the Society, and records and information should only be retained for legitimate business use. A clear document retention policy is necessary because:
- some records must be kept for periods specified by law
- records can be kept for evidential reasons
- in some cases, keeping personal data records for longer than necessary can be illegal under the law
- maintaining physical storage space for paper records is expensive
- dealing with the accumulation of records on a preventative basis helps to contain potential risks to the Society.
It is therefore important that the Society has in place systems and processes for the efficient retention and secure disposal of documents when these are no longer required for business purposes.
3. Purpose
3.1. The key objective of this Policy is to provide colleagues with a simple framework which will govern decisions on whether a particular document should be retained or disposed of. The Policy sets out the length of time the Society’s records should be retained for, and the processes for disposing of records at the end of the retention period. The Policy also helps to ensure that the Society operates within the applicable regulatory framework of the Applicable Legislation and any relevant good commercial practices.
3.2. It is envisaged the Policy will assist the Society in complying with its legal and regulatory requirements and improve the efficiency with which records are retrieved.
4. Scope
4.1. The Policy covers the records listed in Appendix 1, irrespective of the media on which they are created or held including:
- paper
- electronic files (eg. database, Word documents, PowerPoint presentations, spreadsheets, webpages, e-mails etc.)
- photographs, scanned images, USB memory storage devices, CD-ROMs, video tapes and CCTV footage.
4.2. The sections above refer to all types of records which the Society may create or hold, such as:
- customers’ and members’ personal details
- minutes of meetings
- contracts and invoices
- registers
- legal advice obtained in the course of business
- file notes
- financial accounts and information
- colleagues’ personal data
- Society’s publications.
4.3. While the scope of this Policy is wide, it is essential that colleagues are particularly mindful of these guidelines in relation to the processing of people’s personal data, to ensure the Society remains compliant with the Applicable Legislation at all times.
4.4. Should you be aware of any records missing from those listed in Appendix 1, or where the relevant legislation has changed and retention obligations differ from those listed in Appendix 1, please notify the Society’s DPM as soon as possible, so that the Policy can be updated accordingly.
5. Applicability
5.1. The Policy applies equally to full-time and part-time colleagues on a substantive or fixed term contract, and to any associated persons who work for the Society such as agency staff, contractors and others employed under a contract of service.
5.2. This policy does not form part of any colleague's contract of employment and the Society may amend it at any time.
Minimum Retention Period
5.3. Unless a record has been marked for ‘permanent preservation’, it should only be retained for a limited period of time.
5.4. A recommended minimum retention schedule is provided for each category of record in Appendix 1 to this Policy. The retention period applies to all records within that category and the recommended minimum retention period derives from either business needs or legal requirements.
6. Retention and Disposal of Data
6.1. Decisions relating to the retention and disposal of documents should be taken in accordance with this Policy, in particular Appendix 1, on the recommended and statutory minimum periods for specific types of documents and records.
6.2. Where a retention period for a specific document has expired, a review should always be carried out prior to a decision being taken to dispose of it. Where the decision is taken to dispose of a document, consideration should be given to the method of disposal, particularly where personal data is involved.
6.3. Documents containing personal data should be stored safely and securely at all times. Physical documents should be stored in a locked drawer, cabinet or room. Electronic documents should be stored on a secure network drive with appropriate access restrictions. You should also consider password protection of electronic documents and only use an encrypted USB drive, where it is necessary to do so. When sending documents containing personal data by email, the AIP function should be used to ensure the email is appropriately categorised so that the attachments are protected. If you have any questions about how AIP works, you should speak to the DPC for your area.
7. Roles and Responsibilities
7.1. The Executive Team member or COO for each area is ultimately responsible for determining, in accordance with this Policy, whether to retain or dispose of specific documents within their own business area.
7.2. Each business group’s Data Protection Champions (DPCs) are responsible to ensure that the retention and disposal of data is carried out in accordance with this Policy and their Executive Team member or COO’s determination.
7.3. Further guidance should always be sought from the Society’s DPM if uncertain about the appropriate retention period for a particular document.
7.4. DPCs are responsible for keeping their business group’s retention records up to date.
8. Data Disposal
8.1. Where available, confidential waste bins and sacks located around the Society's offices should be used, in order that confidential documents can be destroyed appropriately. It is essential that any documents containing personal data are disposed of in accordance with this Policy, in order to avoid breaches of any provisions under the Applicable Legislation. Any documents containing personal data awaiting destruction must be stored securely, such as in a locked cabinet or room.
8.2. If your business group does not have a confidential bins/sacks process in place, the most appropriate solution is to shred the information using the shredders provided by the Society. Colleagues should check with the Property Services via Colleagues Connect to ascertain what document disposal facilities are available.
8.3. Disposal of documents other than those containing personal data may be effected by using general waste bins or in recycling bins located around the Society’s offices.
8.4. For electronic records, the electronic record/document should be permanently deleted including back-ups. Deletions should be carried out by someone with appropriate access to the system from which they are being deleted. Digital documents should be deleted and not overwritten. For the secure destruction of hard drives or laptops, colleagues should refer to the IT department for further guidance.
8.5. When information is destroyed, all copies of the information should be destroyed at the same time (both digital and physical). Information cannot be considered to have been completely destroyed unless all copies have been destroyed as well.
9. Changes to this Policy
9.1. This Policy will be reviewed when and as necessary and, in any case, at least every two years by the Society’s DPM.
10. Who to Contact
10.1. Colleagues who require further assistance, or have specific queries about data protection compliance, should contact their business group’s DPCs in the first instance. Alternatively, colleagues may contact the Society’s DPM directly.
10.2. Data Protection Manager (DPM) email: data-protection@midcounties.coop
10.3. Data Protection Champions (DPCs) - A contact list is available on Colleagues Connect.
|
Policy name: |
Data Retention & Disposal Policy |
Date of last review: |
July 2022 |
|
Policy owner: |
Secretariat |
Issue number: |
002 |
Appendix 1
APPENDIX 1
Data Retention Schedules
Retention Schedule 1 – Accounting and Tax Records
|
Record description |
Regulatory retention period and source |
Recommended retention period |
Form in which to be kept |
Reasons and remarks |
|
Accounting records to comply with Companies Act 1985/CA 2006 |
Ltd – 3 years
PLC – 6 years |
6 years |
Any |
Normally 6 years for tax purposes |
|
Report and accounts (signed copies) |
|
Keep for as long as the board mins at which accounts approved |
Original |
Tax evidence/business |
|
Budgets and periodic internal financial reports |
|
At least 6 years, though as long as board mins at which considered |
Any |
Evidence/Best Practice/Internal Control |
|
Corporation tax records |
Later of: (a) 6 years from end of assessment period or (b) The completion of any enquiry into the return or (c) The last date on which HMRC may launch an enquiry |
7 years from year end |
Originals |
|
|
PAYE records |
At least 3 years after the end of the tax year to which they relate |
|
Any |
|
|
VAT records |
6 years [VAT Act] |
|
Any |
|
|
SDLT records |
Later of: (a) 6 years after the anniversary of the transaction or (b) The completion of any enquiry or (c) The last date on which HMRC may launch an enquiry |
|
|
|
|
Cheques |
|
6 years |
|
Limitation |
|
Bank statements |
Ltd 3 years PLC 6 years [CA] |
|
|
Limitation |
|
Instructions to banks |
|
6 years after ceasing to be effective |
|
Evidence/Limitation |
Retention Schedule 2 – Employment and Pension Records
|
Record description |
Regulatory retention period and source |
Recommended retention period |
Form in which to be kept |
Reasons and remarks |
|
Recruitment records for unsuccessful candidates, including job applications, references and interview records |
|
At least 3 months after notifying unsuccessful candidates but no longer than 12 months unless applicants are notified or records are required to defend an action |
Any |
Evidence to protect against actions for discrimination etc. Data protection principles suggest a short retention period unless applicants are notified otherwise |
|
Personnel and training records ie. applications, qualifications, references, appraisals, disciplinary matters |
|
6 years after employment ceases |
Any |
Statutory period for bringing claims, although health and safety and medical records may need to be kept for longer |
|
Written particulars of employment, contracts of employment and changes to terms and conditions |
|
6 years after employment ceases |
Any |
Evidence of compliance: written particulars must be given to employees. Employer does not need to keep a paper copy. |
|
Working time opt-out forms |
2 years after the opt-out has been rescinded or has ceased to apply [Working Time Regs 1998] |
|
Originals not required |
Statutory |
|
Records to show compliance with Working Time Regs incl timesheets |
2 years [Working Time Regs 1998] |
|
Any |
Statutory |
|
Annual Leave records |
|
Two years |
Any |
Best Practice |
|
PAYE records |
|
|
|
See Retention Schedule [1] |
|
Wage records, incl overtime, bonuses, expenses, bik |
3 years after the end of the relevant tax years [Social Security (Contributions) Regs 2001 |
6 years after the end of the relevant accounting period |
Any |
See Retention Schedule [ ] |
|
Statutory sick pay records |
3 years after the end of the relevant tax year [Statutory Sick Pay (General) Regs 1982 |
|
|
|
|
Statutory maternity pay records |
3 years after the end of the tax year in which the maternity pay period ends [Statutory Maternity Pay (General) Regs 1986] |
|
|
|
|
Bank details |
|
No longer than necessary |
Any |
Business needs/Data Protection |
|
Death benefit nomination forms |
|
While employment continues or 6 years after payment of benefit |
Any |
|
|
Medical and health records |
|
|
|
See Retention Schedule 7 |
|
Member information |
6 years under the Regs[1] |
|
Any |
|
|
Pension Scheme trust deeds and rules |
|
Life of the scheme |
Originals |
If merged with another scheme, 12 years after merging |
|
Statement of principles and policies required by s.35 Pensions Act 1995 |
|
12 years after revision |
Any |
Evidence/Limitation |
|
Pension Scheme investment policies |
|
12 years after final cessation of any benefit payable under the policy |
Any |
Evidence/Limitation |
|
Revenue approvals |
|
Life of scheme |
Originals |
Best practice |
Retention Schedule 3 – Property Records
|
Record description |
Regulatory retention period and source |
Recommended retention period |
Form in which to be kept |
Reasons and remarks |
|
Title Deeds |
|
Until sold or transferred |
Original |
Will be transferred to new owner |
|
Leases (signed copies) |
|
15 years after expiry |
Original |
|
|
Subletting agreements |
|
15 years after expiry |
Original |
|
|
Wayleave agreements |
|
15 years after expiry |
Original |
|
|
Landlord’s consents |
|
15 years after expiry |
Original |
|
|
Licences |
|
15 years after expiry |
Original |
|
|
Planning consents |
|
Until property sold |
Original |
Commercial |
|
Asset registers |
|
Permanently |
Any |
|
|
Specifications |
|
Up to 25 years |
Any |
Evidence/Limitation/Business needs |
|
Maintenance contracts and related files |
|
6/12 years after end of contract depending on whether contract or deed |
Originals |
Evidence/Limitation |
Retention Schedule 4 – Contracts
|
Record description |
Regulatory retention period and source |
Recommended retention period |
Form in which to be kept |
Reasons and remarks |
|
Contracts executed as a Deed |
|
12 years after performance |
Original |
Tax/Limitation |
|
Other contracts |
|
6 years after performance |
Any, though original if of significant value |
Tax/Limitation |
|
Contracts relating to building, maintenance, repairs etc. |
|
15 years after performance |
Any, though original if of significant value |
Limitation (longer because of the possibility of latent damage) |
Retention Schedule 5 - Sales
|
Record description |
Regulatory retention period and source |
Recommended retention period |
Form in which to be kept |
Reasons and remarks |
|
Standard terms and conditions |
|
6 years |
Any |
Tax/Limitation |
|
Marketing consents |
|
While still on an active marketing list |
Any |
|
|
Requests to be removed from marketing lists |
|
Until person has been removed |
|
Name should also be added to a permanent exception list rather than deleted from a database altogether |
Retention Schedule 6 – Insurance Records
|
Record description |
Regulatory retention period and source |
Recommended retention period |
Form in which to be kept |
Reasons and remarks |
|
Insurance policies, proposal forms, renewal notices and certificates
|
|
Until claims under policy are barred and all outstanding claims are settled
|
Original preferable
|
Tax/Commercial
|
|
Claims correspondence |
|
At least 3 years after settlement |
Any |
Normally keep for longer for business purposes |
Retention Schedule 7 – Health & Safety and Medical Records
|
Record description |
Regulatory retention period and source |
Recommended retention period |
Form in which to be kept |
Reasons and remarks |
|
Health and Safety at Work Act 1974 |
||||
|
Health and Safety Policy |
All employers must have one [HSWA] |
Permanent |
Original in paper form |
Statutory/Evidence/Evidence of compliance |
|
Risk Assessments carried out under Health and Safety at Work Regs 1999 |
Until superseded by a later assessment |
Permanent |
Any |
Statutory/Evidence/Evidence of compliance |
|
Health and safety training records |
|
Permanent |
|
Compliance |
|
RIDDOR Regs 1995 |
||||
|
Records of any reportable occurrence |
3 years [RIDDOR] |
Permanent |
Any |
Statutory/Evidence |
|
Accident book required by Social Security (Claims and Payments) Regs 1979 |
3 years |
Permanent |
Any |
Statutory |
|
COSHH Regs 2002 |
||||
|
Control of Asbestos at Work Regs 2002 |
||||
|
Significant findings of asbestos risk assessment |
Duration of the work at the premises |
|
Any |
Statutory |
|
Plan or work |
Duration of the work at the premises |
|
Paper |
Statutory |
|
Maintenance records |
5 years |
|
Any |
Statutory |
Retention Schedule 8 – Company Records
|
Record description |
Regulatory retention period and source |
Recommended retention period |
Form in which to be kept |
Reasons and remarks |
|
Register of directors/secretaries/charges etc |
Life of company [CA] |
|
Any form |
|
|
Copies of legal charge |
Life of company [CA] |
|
Originals |
|
|
Certificate of Incorporation/change of name |
|
Life of company |
Original |
Evidence |
|
Memorandum and Articles of Association |
|
Life of company |
Original |
Evidence |
|
Copies of resolutions |
Whilst in force [CA] |
|
Any |
|
|
Directors service contracts |
At least 1 year for inspection [CA] |
6 years after termination or expiry |
Any |
Limitation |
Retention Schedule 9 – Meetings and Minutes
|
Record description |
Regulatory retention period and source |
Recommended retention period |
Form in which to be kept |
Reasons and remarks |
|
Agenda papers for board meetings |
|
For at least as long as the minutes of the relevant meeting are held |
Original copy signed by Chairman |
Limitation/commercial |
|
Board minutes (signed) and written resolutions |
10 years for meetings held on or after 1.10.2007 [CA 2006]. Permanently for meetings held before that date [CA 1985] |
Life of the company |
Usually paper and electronic form |
|
Retention Schedule 10 – Legal Records
|
Record description |
Regulatory retention period and source |
Recommended retention period |
Form in which to be kept |
Reasons and remarks |
|
Intellectual property records |
||||
|
Certificates of registration |
|
6 years after cessation of registration |
Originals |
Evidence/Limitation. Copy also held in Registry |
|
Assignments/licences |
|
6 years after expiry |
Originals |
Evidence/Limitation |