Data Retention Policy

  1. Purpose

The purpose of this policy is to detail procedures for the retention and disposal of information and personal data. This policy refers to both hard and soft copy documents, unless specifically stated otherwise.

  1. Scope

This policy covers all data collected by and stored on the Company owned or leased systems and media, regardless of location. It applies to both data collected and held electronically (including photographs, video and audio recordings) and data that is collected and held as hard copy or paper files. The need to retain certain information may be mandated by federal or local law, federal regulations and legitimate business purposes, as well as the EU General Data Protection Regulation (GDPR).

  1. Reasons for Data Retention

The Company retains only that data that is necessary to effectively conduct its program activities, fulfil its mission and comply with applicable laws and regulations. Reasons for data retention include:

  1. Providing an ongoing service to the data subject (e.g. sending a newsletter, publication or ongoing program update to an individual, ongoing training or participation in the Company’s programs, processing of employee payroll and other benefits);
  2. Compliance with applicable laws and regulations associated with financial and programmatic reporting by the Company to its funding agencies and other donors;
  3. Compliance with applicable labour, tax and immigration laws;
  4. Other regulatory requirements;
  5. Security incident or other investigation;
  6. Intellectual property preservation;
  7. Litigation.
  1.  Review

Each department processing personal data must go through its ‘closed records’ at least every 6 months to determine whether the records should be destroyed, retained for a further period or transferred to an archive for permanent preservation.

  1. Retention period for paper records
  1. Records should only be kept for as long as they are needed to meet the operational needs of the business, and to fulfil legal and regulatory requirements.
  2. If any (or more) below applies then you must determine the length the records should be kept for, otherwise the records must be destroyed in line with this policy.

Is it necessary as a source of information for operations at A2Z Formations?

Is it necessary as evidence of business activities and decisions?      

Is it necessary because of legal or regulatory retention requirements?

  1. Destruction of records

No destruction of a record should take place without assurance that:

  • The record is no longer required by any part of the business;
  • No work is outstanding by any part of the business;
  • No litigation or investigation is current or pending which affects the record;
  • There are no current to pending Subject Access Requests which affect the record.

Records should be destroyed in the following ways:

Non-sensitive information

Information/records that are clearly in the ‘public domain’ can be placed in a normal recycling rubbish bin.

Confidential information

Must be cross cut shredded and placed in paper rubbish sacks for collection by an approved disposal firm.

Electronic devices containing information (must be overseen by the Head of IT)

Option 1 – ‘Factory’ system restore

Option 2 – destroy all information using specialised software programs.

A2Z Formations may work with approved contractors to recycle redundant IT equipment and must securely sanitise all hard drives. A certificate confirming the complete destruction of records must be provided by the contractors.

Equipment must be kept in a secure location until collected.

Managers of each department must ensure locally stored confidential information is removed as appropriate before a device is reassigned to another person in their team.

  1. Audit trail
  1. There is no requirement to document the disposal of records which have been listed on the records retention schedule.
  2. If records are disposed of earlier or kept for longer than listed on the records retention schedule, then they must be recorded for audit purposes.
  3. This will provide an audit trail for any inspections conducted by the Information Commissioner Office and will aid in addressing Subject Access Request, where we no longer hold the material.

Disposal Schedule

Should you become aware of any records missing from the schedule, please notify the Company so that they may be added at the next opportunity.

Heading

Description

Retention Period

Comments

Payroll

Employee pay records

for the period of employment plus six 6 years after the employee leaves the organisation

Salary records

for the period of employment plus six 6 years after the employee leaves the organisation

Copy of payroll sheets

for the period of employment plus six 6 years after the employee leaves the organisation

Employee Files

Paper and hardcopy employee files

for the period of employment plus six 6 years after the employee leaves the organisation

Limitations Act 1980

Income Tax Records and Wages

Income Tax and NI returns, Income tax records and correspondence with the Inland Revenue

At least 3 years after the end of the financial year to which they relate

The Income Tax (Employments) Regulations 1993

Wages/salary records (including overtime, bonuses, expenses)

for the period of employment plus six 6 years after the employee leaves the organisation

Taxes Management Act 1970

National minimum wage records

3 years after the end of the pay reference period following the one that the records cover

National Minimum Wage Act 1998

Pensions and Retirement

Autoenrollment member and scheme details

for the period of employment plus six 6 years after the employee leaves the organisation

Autoenrollment regulations

Sickness records

Statutory Maternity Pay records, calculations, certificates (Mat B1s) or other medical evidence

3 years after the end of the tax year in which the maternity period ends

The Statutory Maternity Pay (General) Regulations 1986

Statutory Sick Pay records, calculations, certificates, self- certificates

3 years after the end of the tax year to which they relate

The Statutory Sick Pay (General) Regulations 1982

Employee Files – General Exceptions

Records relating to working time

2 years from the date on which they were made

The Working Time Regulations 1998

Accident books, accident records/report

3 years after the date of the last entry

The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995

WHERE TO GO FOR ADVICE AND QUESTIONS

Questions, comments, complaints and requests regarding this policy are welcomed and should be addressed to our office address at 4th Floor 14 Museum Place, Cardiff, Wales, CF10 3BH  or to our Data Protection Officer at info@a2zformations.co.uk.

In addition, please do not hesitate to contact us if you suspect any privacy or security breaches.

OTHER RELEVANT POLICIES

This policy supplements and should be read in conjunction with our other policies and procedures in force from time to time, including without limitation our:

  • Data Protection Policy;
  • Privacy Policy;
  • IT and Communications Systems Policy and any other IT, security and data related policies, which are available on the Portal; and
  • Code of Professional & Ethical Conduct.