Data Retention Policy
- Purpose
The purpose of this policy is to detail procedures for the retention and disposal of information and personal data. This policy refers to both hard and soft copy documents, unless specifically stated otherwise.
- Scope
This policy covers all data collected by and stored on the Company owned or leased systems and media, regardless of location. It applies to both data collected and held electronically (including photographs, video and audio recordings) and data that is collected and held as hard copy or paper files. The need to retain certain information may be mandated by federal or local law, federal regulations and legitimate business purposes, as well as the EU General Data Protection Regulation (GDPR).
- Reasons for Data Retention
The Company retains only that data that is necessary to effectively conduct its program activities, fulfil its mission and comply with applicable laws and regulations. Reasons for data retention include:
- Providing an ongoing service to the data subject (e.g. sending a newsletter, publication or ongoing program update to an individual, ongoing training or participation in the Company’s programs, processing of employee payroll and other benefits);
- Compliance with applicable laws and regulations associated with financial and programmatic reporting by the Company to its funding agencies and other donors;
- Compliance with applicable labour, tax and immigration laws;
- Other regulatory requirements;
- Security incident or other investigation;
- Intellectual property preservation;
- Litigation.
- Review
Each department processing personal data must go through its ‘closed records’ at least every 6 months to determine whether the records should be destroyed, retained for a further period or transferred to an archive for permanent preservation.
- Retention period for paper records
- Records should only be kept for as long as they are needed to meet the operational needs of the business, and to fulfil legal and regulatory requirements.
- If any (or more) below applies then you must determine the length the records should be kept for, otherwise the records must be destroyed in line with this policy.
Is it necessary as a source of information for operations at A2Z Formations? |
Is it necessary as evidence of business activities and decisions? |
Is it necessary because of legal or regulatory retention requirements? |
- Destruction of records
No destruction of a record should take place without assurance that:
- The record is no longer required by any part of the business;
- No work is outstanding by any part of the business;
- No litigation or investigation is current or pending which affects the record;
- There are no current to pending Subject Access Requests which affect the record.
Records should be destroyed in the following ways:
Non-sensitive information |
Information/records that are clearly in the ‘public domain’ can be placed in a normal recycling rubbish bin. |
Confidential information |
Must be cross cut shredded and placed in paper rubbish sacks for collection by an approved disposal firm. |
Electronic devices containing information (must be overseen by the Head of IT) |
Option 1 – ‘Factory’ system restore Option 2 – destroy all information using specialised software programs. A2Z Formations may work with approved contractors to recycle redundant IT equipment and must securely sanitise all hard drives. A certificate confirming the complete destruction of records must be provided by the contractors. Equipment must be kept in a secure location until collected. Managers of each department must ensure locally stored confidential information is removed as appropriate before a device is reassigned to another person in their team. |
- Audit trail
- There is no requirement to document the disposal of records which have been listed on the records retention schedule.
- If records are disposed of earlier or kept for longer than listed on the records retention schedule, then they must be recorded for audit purposes.
- This will provide an audit trail for any inspections conducted by the Information Commissioner Office and will aid in addressing Subject Access Request, where we no longer hold the material.
Disposal Schedule Should you become aware of any records missing from the schedule, please notify the Company so that they may be added at the next opportunity. |
|||
Heading |
Description |
Retention Period |
Comments |
Payroll |
Employee pay records |
for the period of employment plus six 6 years after the employee leaves the organisation |
|
Salary records |
for the period of employment plus six 6 years after the employee leaves the organisation |
||
Copy of payroll sheets |
for the period of employment plus six 6 years after the employee leaves the organisation |
||
Employee Files |
Paper and hardcopy employee files |
for the period of employment plus six 6 years after the employee leaves the organisation |
Limitations Act 1980 |
Income Tax Records and Wages |
Income Tax and NI returns, Income tax records and correspondence with the Inland Revenue |
At least 3 years after the end of the financial year to which they relate |
The Income Tax (Employments) Regulations 1993 |
Wages/salary records (including overtime, bonuses, expenses) |
for the period of employment plus six 6 years after the employee leaves the organisation |
Taxes Management Act 1970 |
|
National minimum wage records |
3 years after the end of the pay reference period following the one that the records cover |
National Minimum Wage Act 1998 |
|
Pensions and Retirement |
Autoenrollment member and scheme details |
for the period of employment plus six 6 years after the employee leaves the organisation |
Autoenrollment regulations |
Sickness records |
Statutory Maternity Pay records, calculations, certificates (Mat B1s) or other medical evidence |
3 years after the end of the tax year in which the maternity period ends |
The Statutory Maternity Pay (General) Regulations 1986 |
Statutory Sick Pay records, calculations, certificates, self- certificates |
3 years after the end of the tax year to which they relate |
The Statutory Sick Pay (General) Regulations 1982 |
|
Employee Files – General Exceptions |
Records relating to working time |
2 years from the date on which they were made |
The Working Time Regulations 1998 |
Accident books, accident records/report |
3 years after the date of the last entry |
The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 |
WHERE TO GO FOR ADVICE AND QUESTIONS
Questions, comments, complaints and requests regarding this policy are welcomed and should be addressed to our office address at 4th Floor 14 Museum Place, Cardiff, Wales, CF10 3BH or to our Data Protection Officer at info@a2zformations.co.uk.
In addition, please do not hesitate to contact us if you suspect any privacy or security breaches.
OTHER RELEVANT POLICIES
This policy supplements and should be read in conjunction with our other policies and procedures in force from time to time, including without limitation our:
- Data Protection Policy;
- Privacy Policy;
- IT and Communications Systems Policy and any other IT, security and data related policies, which are available on the Portal; and
- Code of Professional & Ethical Conduct.