GDPR – DATA RETENTION POLICY WITH SCHEDULE
This is the Data Retention Policy of Shropshire Youth Support Trust.
Introduction
We recognise that in the running of our business, we collect and process personal data from a variety of sources. This personal information is collated in several different formats including letters, emails, legal documents, employment records, operations records, images and statements. The personal data is held in both hard copy and electronic form.
Aims of the policy
Our business will ensure that personal data that we hold is kept secure and that it is held for no longer than is necessary for the purposes for which it is being processed. In addition, we will retain the minimum amount of information to fulfil our statutory obligations and the provision of goods or/and services – as required by the data protection legislation, including the General Data Protection Regulation (GDPR).
Retention
This retention policy (with its schedule), is a tool used to assist us in making decisions on whether a particular document should be retained or disposed of. In addition, it takes account of the context within which the personal data is being processed and our business practices.
Decisions around retention and disposal should be taken in accordance with this policy.
Where a retention period of a specific document has expired, a review should always be carried out prior to the disposal of the document. This does not have to be time-consuming or complex. If a decision is reached to dispose of a document, careful consideration should be given to the method of disposal.
Responsibility
The General Manager and Chairman are responsible to keep this retention schedule up to date, to reflect changing business needs, new legislation, changing perceptions of risk management and new priorities for our business.
The General Manager and Chairman are responsible for determining (in accordance with this Policy) whether to retain or dispose of specific documents.
The General Manager or Chairman may delegate the operational aspect of this function to SYST Administrators
SYST Administrators should inform The General Manager or Chairman if in any doubt about minimum retention periods or if the retention of a document is necessary for a potential claim.
Disposal
We must ensure that personal data is securely disposed of when it’s no longer needed. This will reduce the risk that it will become inaccurate, out of date or irrelevant.
The method of disposal should be appropriate to the nature and sensitivity of the documents concerned and includes:
• Non-Confidential records: place in waste paper bin for disposal
• Confidential records: shred documents
• Deletion of Computer Records
• Transmission of records to an external body
• Cloud storage
• External hard or flash drive storage; deletion or Shred as appropriate
The table below contains the retention period that we have assigned to each type of record. This will be adhered to wherever possible, although it is recognised that there may be exceptional circumstances which require documents to be kept for either shorter or longer periods.
Exceptional circumstances should be reported to the General Manager or Chairman without delay.
Date created: 17th May 2018
Date of review: 1st June 2021
Appendix 1: Document retention schedule
Type of record Retention period Where is it stored? Reason Method of deletion
Employment records:
PAYE records 3 years from end of tax year they relate to Electronic & paper locked filing cabinet in locked office Legal Secure shredding, Electronic deletion
Maternity and paternity pay records 3 years from end of tax year in which the maternity/paternity period ends Electronic Legal Electronic deletion
Medical and health records 30 years from the date of last entry Electronic, paper locked in filing cabinet in locked office Legal Secure shredding, Electronic deletion
Unsuccessful candidates 6 months after last action Electronic, paper locked in filing cabinet in locked office
Company Policy – for any future vacancies Secure shredding, delete electronic records
Accident report forms 3 years after last action (or, if the accident involves a child/ young adult, then until that person reaches the age of 21). Electronic, paper locked in filing cabinet in locked office Legal – A civil claim for an injury can be made up to 3 years after incident Secure shredding, delete electronic records
Parental leave records
5 years from birth/adoption of the child or 18 years if the child receives a disability allowance
Electronic, paper locked in filing cabinet in locked office Company Policy – No legal requirement Secure shredding, delete electronic records
Employment records: redundancy, equal opportunities; health & welfare records 6 years after last action Electronic, paper locked in filing cabinet in locked office Legal Secure shredding, delete electronic records
Employees that left the business: emergency contacts and bank account details i.e. Delete immediately after making final salary payment Electronic, paper locked in filing cabinet in locked office – Until employees have left then deleted Company Policy – No legal requirement Secure shredding, delete electronic records
Pay & tax: pay deductions, tax forms, payroll, loans 3 years from end of tax year they relate to Electronic, paper locked in filing cabinet in locked office Legal Secure shredding delete electronic records
Records of formal disciplinary actions in employee file 6 years after employment ceases Electronic, paper locked in filing cabinet in locked office Company Policy – No legal requirement Secure shredding, delete electronic records
Records of formal grievances in employee file 6 years after last action Electronic, paper locked in filing cabinet in locked office Company Policy – No legal requirement Secure shredding, delete electronic records
SYST Specific Records
Client Records 12 months (if no contact after 6 months SYST will not make contact, if no contact from client after 12 months then records deleted Electronic, paper locked in filing cabinet in locked office Company policy – marketing, offering support, news updates Secure shredding delete electronic records
Mentor Records Delete records after 12 month of no longer being a mentor Electronic, paper locked in filing cabinet in locked office Company policy – to contact mentors regarding clinics/workshops/events Secure shredding delete electronic records
Trustee Records Delete records after 5 years if no longer in post Electronic, paper locked in filing cabinet in locked office Company policy – to contact Trustees regarding meetings, events, updates Secure shredding delete electronic records
Partner Organisations Records Review every 12 months. Delete upon request Electronic, paper locked in filing cabinet in locked office Company policy, to organise events and meetings with clients Secure shredding delete electronic records
3rd Party Organisations Review every 12 months. Delete upon request Electronic, paper locked in filing cabinet in locked office Company policy, to organise events and meetings with clients Secure shredding, delete electronic records
Tenant Records 6 years after tenant leaves Electronic, paper locked in filing cabinet in locked office Legal, Company policy – in case of civil claim or up to 7 years after the expiry of the tenancy agreement if accepted. Secure shredding, delete electronic records
Commercial contracts:
Contracts with suppliers 6 years after contract ends Electronic, paper locked in filing cabinet in locked office Legal / Company Policy in case of dispute Secure shredding, delete electronic records
Contracts signed as a deed 12 years after last action Electronic, paper locked in filing cabinet in locked office Legal / Company Policy Secure shredding, delete electronic records
Guarantees and indemnities i.e. state the term of the guarantee plus 6 years Electronic, paper locked in filing cabinet in locked office Legal / Company Policy
Seven years (based on the UK Statute of Limitations) is generally the time limit within which proceedings founded on a contract may be brought. Note there are exceptions to this so a longer retention period may be required on a case by case basis Secure shredding, delete electronic records
Purchase orders and invoices 6 years from end of financial year Electronic, paper locked in filing cabinet in locked office Legal / Company Policy Secure shredding, delete electronic records
Tax and Accounting Records:
Tax returns 10 months after the end of the tax year the tax return is for
Electronic, paper locked in filing cabinet in locked office Legal – HMRC Guidelines Secure shredding, delete electronic records
Accounting & financial management information 6 years from end of last company financial year Electronic, paper locked in filing cabinet in locked office Legal – HMRC Guidelines Secure shredding, delete electronic records
Stock transfer forms and share certificates 20 years from purchase Electronic, paper locked in filing cabinet in locked office Legal / Company Policy Secure shredding, delete electronic records
Marketing records: Secure shredding, delete electronic records
Mailing lists 1 year after last action unless consent given. Review every 12 months Electronic, paper locked in filing cabinet in locked office Legal / Company Policy Secure shredding, delete electronic records
Operational records: Secure shredding, delete electronic records
Vehicles i.e. Keep asset and depreciation records for 6 years after end of financial year to which they relate Electronic, paper locked in filing cabinet in locked office Legal / Company Policy Secure shredding, delete electronic records
Closed circuit television recordings Destroy 4 weeks from the date recorded except where required as evidence Electronic Company Policy Secure shredding, delete electronic records
Fire Risk Assessments Retain until superseded Electronic, paper locked in filing cabinet in locked office Legal / Company Policy Secure shredding, delete electronic records
Policies/Procedures Retain until superseded Company Policy Secure shredding, delete electronic records
Complaints 3 years from end of fiscal year Electronic, paper locked in filing cabinet in locked office Legal / Company Policy Secure shredding, delete electronic records
Building (i.e. lease/deeds) Destroy 6 years after property is no longer occupied Electronic, paper locked in filing cabinet in locked office Legal / Company Policy Secure shredding, delete electronic records
Maintenance contracts 15 years from last action Electronic, paper locked in filing cabinet in locked office Legal / Company Policy Secure shredding, delete electronic records
Website FAQs 6 months from last action Electronic, paper locked in filing cabinet in locked office Legal / Company Policy Secure shredding delete emails
Property plans and surveys 25 years ??? should this be an amount of time after the property has been left? Electronic, paper locked in filing cabinet in locked office Legal / Company Policy
Lifetime of building, pass originals to new building owner. Keep copy for 3 years Secure shredding delete emails
Insurance schedules 10 years Electronic, paper locked in filing cabinet in locked office Company Policy – No legal requirement however claims may be made after Secure shredding, delete electronic records
Pat tests, fire hazard tests 6 years from last action Electronic, paper locked in filing cabinet in locked office Legal / Company Policy
There is no legal requirement to label equipment that has been inspected or tested, nor is there a requirement to keep records of these activities. However, a record and / or labelling can be a useful management tool for monitoring and reviewing the effectiveness of the maintenance scheme – and to demonstrate that a scheme exists. Secure shredding, delete electronic records
Register of members Life of company Electronic, paper locked in filing cabinet in locked office Legal / Company Policy
Should someone cease to be a shareholder, their name will remain on the register of members but a note will be recorded alongside with the date they ceased to be a member. The name of the former shareholder will remain on the register of members for ten years after the date they ceased being a shareholder. After this date their name can be removed from the register. Secure shredding, delete electronic records
Memorandum of association Life of company Electronic, paper locked in filing cabinet in locked office Legal / Company Policy
A printed or electronic copy of the memorandum needs to be kept at your registered office, or another inspection location, should it not be your registered office. Secure shredding, delete electronic records
Register of directors and secretaries Life of company Electronic, paper locked in filing cabinet in locked office Legal / Company Policy
A copy of the directors’ or members’ decision must be kept at your registered office address, along with the minutes of the board meeting or general meeting at which the resolution was passed.
You must remember to update your company’s register of directors as soon as possible after any fresh appointment. This register is accessible to the public for inspection and therefore it is a crime not to keep it accurate and updated regularly.
Secure shredding, delete electronic records
Employer’s liability insurance certificates Life of company Electronic, paper locked in filing cabinet in locked office Legal / Company Policy
The Employer’s Liability (Compulsory Insurance) Regulations 1998 came into force on lst January 1999. For the first time the Regulations imposed a duty on all employers to retain a copy of each certificate for a period of 40 years beginning on the date on which the insurance to which the certificate relates commences or is renewed. As from 1 October 2008, you are no longer legally required to retain copies of out of date Employer’s Liability (Compulsory Insurance) (ELCI) Certificates . However, this practice should be continued as in the event of an Employers’ Liability claim arising in the future the information contained on the ELCI Certificate regarding your Insurer, policy number, and period of cover will be required. If you fail to keep details of your historic insurance details, you place your business at risk of having to meet the costs of such claims. Secure shredding, delete electronic records
Intellectual property records: Secure shredding, delete electronic records
Copyright material 50 years from expiry Electronic, paper locked in filing cabinet in locked office Legal / Company Policy
All scanned paper documents will be retained for 7 years from the date of scanning before being shredded.
Any documents relating to matters dealt with by Litigation Section, applications for SPCs and patent applications under the PCT will be retained for 10 years from the date of scanning.
Secure shredding, delete electronic records
Email records:
Email correspondence Archive emails after 6 months Electronic, paper locked in filing cabinet in locked office Legal / Company Policy
This email retention policy is secondary to policy on Freedom of Information and Business Record Keeping. Any email that contains information in the scope of the Business Record Keeping policy should be treated in that manner. All email information is categorized into four main classifications with retention guidelines: • Administrative Correspondence (4 years) • Fiscal Correspondence (4 years) • General Correspondence (1 year) • Ephemeral Correspondence (Retain until read, destroy) Secure shredding, delete electronic records
How stored electronically – Email, Online SYST Website or third party websites or cloud,
Data stored with 3rd parties is deleted in accordance with their privacy policy