Data Retention & Disposal Policy
Last Updated 2 Dec 2021 in Data Protection
This Policy ensures that the Society will only keep personal data for as long as is necessary and will retain the minimum amount of personal data in order to comply with its legal and regulatory obligations and to carry out its business.
1. Policy Statement
1.1. The Society is mindful of the rights and obligations established by the General Data Protection Regulation 2016 and the Data Protection Act 2018 (hereinafter together “the Applicable Legislation”) in relation to the management and processing of personal data - and special category data, as defined under the Applicable Legislation. Equally, the Society is aware of the ISO/IEC 27002 standard (code of practice for information security management) and that it should be an integral part of the Society’s approach to data management.
1.2. The Society will ensure that personal data is kept no longer than is necessary and will retain the minimum amount of personal data in order to comply with its legal and regulatory obligations, and to carry out its business.
1.3. This Policy should be read in conjunction with our Data Protection Policy and our Guidance on Retention & Disposal of Data, as well as the Society’s other relevant policies and procedures concerning the processing of personal data, all of which are available on Colleagues Connect or, alternatively, by contacting the Society’s Data Protection Manager (DPM) directly.
2.1. The growth of the Society in recent years has meant that there is now a large volume of documents in existence and new documents are being generated every day. This creates a number of issues for the Society; these are explained in more detail below.
2.2. Documents take many forms and include, for example, financial information, personnel records, legal documents or property records; all these records need to be properly retained to enable the Society to meet its business needs, any relevant legal requirements, to evidence events or agreements should allegations or disputes arise, and to ensure that any records of historic value are preserved.
2.3. Information is one of the Society’s assets and needs to be managed accordingly. Records management is important not just in terms of managing the Society’s storage capacity (both physical and electronic), but also in knowing which documents need to be retained (for legal or evidential reasons) and which documents can (or should) be disposed of.
2.4. Information held for longer than is necessary carries additional risk and cost to the Society, and records and information should only be retained for legitimate business use. A clear document retention policy is necessary because:
- some records must be kept for periods specified by law
- records can be kept for evidential reasons
- in some cases, keeping personal data records for longer than necessary can be illegal under the law
- maintaining physical storage space for paper records is expensive
- dealing with the accumulation of records on a preventative basis helps to contain potential risks to the Society.
It is therefore important that the Society has in place systems and processes for the efficient retention and secure disposal of documents when these are no longer required for business purposes.
3.1. The key objective of this Policy is to provide colleagues with a simple framework which will govern decisions on whether a particular document should be retained or disposed of. The Policy sets out the length of time the Society’s records should be retained for, and the processes for disposing of records at the end of the retention period. The Policy also helps to ensure that the Society operates within the applicable regulatory framework of the Applicable Legislation and any relevant good commercial practices.
3.2. It is envisaged the Policy will assist the Society in complying with its legal and regulatory requirements and improve the efficiency with which records are retrieved.
4.1. The Policy covers the records listed in Appendix 1, irrespective of the media on which they are created or held including:
electronic files (e.g. databases, Word documents, PowerPoint presentations, spreadsheets, webpages, e-mails etc.)
photographs, scanned images, USB memory storage devices, CD-ROMs, video tapes and CCTV footage.
4.2. The sections above refer to all types of records which the Society may create or hold, such as:
customers’ and members’ personal details
minutes of meetings
contracts and invoices
legal advice obtained in the course of business
financial accounts and information
colleagues’ personal data
4.3. While the scope of this Policy is wide, it is essential that colleagues are particularly mindful of these guidelines in relation to the processing of people’s personal data, to ensure the Society remains compliant with the Applicable Legislation at all times.
4.4. Should you be aware of any records missing from those listed in Appendix 1, or where the relevant legislation has changed and retention obligations differ from those listed in Appendix 1, please notify the Society’s DPM as soon as possible, so that the Policy can be updated accordingly.
5.1. The Policy applies equally to full-time and part-time colleagues on a substantive or fixed term contract, and to any associated persons who work for the Society such as agency staff, contractors and others employed under a contract of service.
Minimum Retention Period
5.2. Unless a record has been marked for ‘permanent preservation’, it should only be retained for a limited period of time.
5.3. A recommended minimum retention schedule is provided for each category of record in Appendix 1 to this Policy. The retention period applies to all records within that category and the recommended minimum retention period derives from either business needs or legal requirements.
6. Retention and Disposal of Data
6.1. Decisions relating to the retention and disposal of documents should be taken in accordance with this Policy, in particular Appendix 1, on the recommended and statutory minimum periods for specific types of documents and records. Additionally, colleagues should read the Guidance on Retention & Disposal of Data, available on Colleagues Connect.
6.2. Where a retention period for a specific document has expired, a review should always be carried out prior to a decision being taken to dispose of it. Where the decision is taken to dispose of a document, consideration should be given to the method of disposal, particularly where personal data is involved.
7. Roles and Responsibilities
7.1. GGMs are ultimately responsible for determining, in accordance with this Policy, whether to retain or dispose of specific documents within their own business area.
7.2. Each business group’s Data Protection Champions (DPCs) are responsible for ensuring that the retention and disposal of data is carried out in accordance with this Policy and their GGM’s determination.
7.3. Further guidance should always be sought from the Society’s DPM if uncertain about the appropriate retention period for a particular document.
7.4. DPCs are responsible for keeping their business group’s retention records up to date.
8. Data Disposal
8.1. Where available, confidential waste bins and sacks located around the Society's offices should be used, in order that confidential documents can be destroyed appropriately. It is essential that any documents containing personal data are disposed of in accordance with this Policy, in order to avoid breaches of any provisions under the Applicable Legislation.
8.2. If your business group does not have a confidential bins/sacks process in place, the most appropriate solution is to shred the information using the shredders provided by the Society. Colleagues should check with the Specialist Services Group to ascertain what document disposal facilities are available.
8.3. Disposal of documents other than those containing personal data may be effected by using the general waste bins or recycling bins located around the Society’s offices.
8.4. For the permanent disposal of electronic records, colleagues should refer to the IT department for further guidance.
9. Changes to this Policy
9.1. This Policy will be reviewed when and as necessary and, in any case, at least on an annual basis by the Society’s DPM.
10. Who to Contact
10.1. Colleagues who require further assistance, or have specific queries about data protection compliance, should contact their business group’s DPCs in the first instance. Alternatively, colleagues may contact the Society’s DPM directly.
10.2. Data Protection Manager (DPM) email: firstname.lastname@example.org
10.3. Data Protection Champions (DPCs) - A contact list is available on Colleagues Connect.