Retention Policy

1. Introduction

This Retention (“Policy”) applies to Bristow & Sutor.

This Policy covers all records and documentation, whether analogue or digital and are subject to the retention requirements of this Policy. 

For the purpose of this Policy, the terms ‘document’ and ‘records’ include information in both hard copy and electronic form and have the same meaning hereby referred to as Documents or Documentation. 

In certain circumstances it will be necessary to retain specific records in order to fulfil statutory or regulatory requirements and to meet operational needs.  Any retention of specific records should be retained under the retention period specified in Retention of Records Schedule 1 and Retention of Digital Records Schedule 2. 

2. Scope

Bristow & Sutor is bound by various obligations regarding the documentation and electronic data it retains.  These obligations include the period of retention for Documentation and when and how this documentation is disposed.  

Article 5 of GDPR provides “personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”.  The purpose of this Policy is to ensure that necessary records, documents and electronic data of Bristow & Sutor are adequately protected, archived and disposed of at the correct retention period, and to provide all staff with clear instructions regarding the appropriate retention and disposal of Documentation.  

This Policy will also aid paper records and electronic data storage issues identified throughout the business and to eliminate the need to retain paper and electronic records unnecessarily. 

Bristow & Sutor will ensure that information is not kept longer than is necessary and will retain the minimum amount of information that it is required to hold to meet its statutory functions and the provision of its services. 

3. Legal Obligation

Please refer to the External Publication Register.

4. Retention Procedure

All decisions relating to the retention and disposal of Documents should be taken in accordance with this Policy in particular: 

Schedule 1 – Retention of Records Schedule - Provides the required retention periods, including the statutory minimum retention period for specific Documents.  

Schedule 2 – Retention of Digital Records – Provides the required retention periods for all digital Documents. 

In circumstances where a retention period of a specific document has expired, a review should always be carried out prior to a decision being made to dispose of the record. 

5. Retention of Encrypted Data

Any information retained under this Policy that is in an encrypted format, consideration must be taken for the secure storage of any encryption keys.  Encryption keys must be retained as long as the data that the keys decrypt is retained. 

6. Retention of Digital Data

Any digital data including media and emails are retained. Email files are saved within the Exchange Server, network shared files are saved on the secure Dell EqualLogic SAN. The backup of electronic data is saved daily onsite and offsite in 2 different secure data centres. 

The process for accessing stored electronic data is restricted by permissions managed by Active Directory. There is a full audit trail of user activity, to identify when data has been accessed, edited, deleted and by whom. Files lost or deleted can be recovered within a period of 60 days.   

All portable / removable storage media are physically destroyed. This is done internally following the erasure of the data contained. The exception is for company mobile phones, these are factory reset before being disposed of. 

Bristow & Sutor does not store records of cryptographic keys. 

7. Archiving and Retention of Documentation

Archiving is defined as the process by which inactive data, in any format is securely stored for long periods of time in accordance with a retention schedule.  

Bristow & Sutor archives paper records onsite. This includes all forms of paper-based records, which hold Personal Information for staff and debtors. Such as letter, paper files, personnel files, visitors’ books and accident books.  

Information on current staff and leavers are stored for up to seven years in electronic form and hardcopy depending on the type of data. Sales & Marketing records are stored as hard copies. Most data on debtors and clients are stored in electronic form. Hard copies of debtors’ data are scanned, then shredded within 7 days of receipt. 

Hard copies are disposed of by shredding, following the retention period. This is carried out onsite by the ‘approved contractor’. 

There may be exceptions where documentation will need to be retained for longer periods on site, such as personnel details and Arrest Warrant documentation. In these instances, the managers in charge will be responsible for ensuring that the documentation is held in a safe and secure location. 

8. Archiving Process

The method of archiving selected for a particular document will vary between departments and services.  Any questions regarding archiving should be raised in the first instance with the department manager. 

9. Disposal of Records

Any record containing confidential information must be disposed of by staff putting in the locked secure bins ‘shreddy bins’, to have ready for shredding during the scheduled days. 

Disposal of documents that do not contain confidential information may be disposed of in the normal way or recycled. 

Record of disposal is maintained by means of a Waste Transfer Note, which is provided by the contractor, which is a Certification of Destruction. The certificate details the date and the invoice number. 

10. Disposal of Electrical Hardware

IT equipment and devices that have the ability and capability to store personal data include: 

  • PCs 
  • Laptops 
  • Mobile Phones 
  • Multi-Functional Devices – printers / scanners 
  • Servers 
  • USB Memory Sticks and external hard drives. 

IT equipment disposal must be managed by the Head of ICT. All computer equipment, recycling or refurbishing must be disposed of in accordance with the Waste Electric and Electronic Equipment Regulations 2013. 

11. Document Owner

The Data Protection Officer is the owner of this document and is responsible for ensuring that this Policy is reviewed in line with the review requirements of GDPR. 

SCHEDULE 1

RETENTION OF RECORDS SCHEDULE

RECORD TYPE

CONTACT

RETENTION PERIOD

RETENTION JUSTIFICATION

LOCATION STORED

Application Forms - unsuccessful candidates

MLB

6 Months after notification to candidate

Dispute resolution purposes relating to employment law

Locked cabinet in Finance office

Company Financial Records

MLB

6 + 1 years

Companies Act 2006

Locked cabinet in Finance office

Capability and Disciplinary Documents (Substantiated)

 

MLB and all other departmental managers

2 years following the issue of the warning

(Annual Review)

TUPE 2006

Case law permitting expired warnings to be referred to (but not built upon).

Unreasonable to refer back after 2 years

Personnel files

Client Contracts / SLA’s

SB

6 + 1 years

Used for business purposes.

This may be kept indefinitely as there is the likelihood for contracts to be renewed within 7 years from last transaction.

Central Files

Court Documents

CJF

Indefinitely

Used for business purposes

Compliance

Health & Safety - accident books, records and reports

MLB

15 years

3 years from last entry (or until person is 21 years old) The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (SI 1995/3163) as amended, and max. 15 years for negligence (in respect of latent damage) Limitation Act 1980

Hard copies are scanned and saved electronically then the originals are shredded bi-annually.

Holidays request records

MLB

12 months

Used for business purposes

Locked cupboard in the finance office

Letters and documents relating to debtors/third parties

DW

1 week

N/A

Hard copies are scanned and saved electronically then the originals are shredded within a week.

Main Personnel file

MLB

6 years after staff leave the organisation

For ‘reasons of employment contract’

Locked cabinet in Finance office

Paying-in books

JOB

2 years

(Annual Review)

Legitimate Interest

 

EA Office. These do not need to be kept for more than 2 years as the record of payment is copied to Finance.

Receipt Books

Enforcement & General Office Managers

2 years

(Annual Review)

Legitimate Interest

 

Enforcement & General Office. Completed booklets may be archived (locked). These do not need to be kept for more than 2 years as the record of payment is copied to Finance.

Records from reception – “Payment records.”

MLB

1 year

(Annual Review)

Legitimate Interest

Secure Cash Office

Supplier Contracts

RJS

6 + 1 years from expiry

Limitation Act 1980

Locked cupboard in the Finance office

Sickness Records

MLB

12 months

Health & Safety Act 1974

Locked cupboard in the Finance office but electronic copy available. Refer to Schedule 2

 Timesheets 

MLB

6 years

Working Time Regs 1998

Locked cupboard in the Finance office but electronic copy available. Refer to Schedule 2

 

SCHEDULE 2

RETENTION OF DIGITAL RECORDS SCHEDULE

RECORD TYPE

CONTACT

RETENTION PERIOD

RETENTION JUSTIFICATION

APPLICATION REQUIREMENT/DEVICE

DISPOSAL METHOD

GENERAL PRACTICES

 

 

 

 

 

Audit Schedules 

DM 

4 + 1 Years  

As an organisation NQA retention policy is to keep 2 audit cycles worth of reports for every client. 

An audit cycle is usually 2 years. 

Stored in Central Files 

Manual - following annual review 

ANPR Camera 

JOB 

After 5000 records 

It is used to see if any hit can be enforced. The system records all number plates that cross the camera and overwrites them if there are no matches. The data that is not relevant is held for a maximum of one week. 

Spreadsheet 

Automatic deletion (Data overwritten) 

 

 

 

 

Body Worn Video recordings 

JOB 

90 days  

Monitor the performance of employees and agents, including use for ongoing training purposes (in which case they are anonymised) Ensure compliance with applicable laws and to be able to respond adequately and fairly in the event that complaints are made. If there is an issue on a case that requires us to keep it longer than the 90 days stated, the footage is stored on Q drive – this is reviewed annually by JOB & SB and deleted if it’s no longer relevant 

Encrypted video cameras - The video cameras are encrypted, and all data is encrypted. The data is not stored on a memory card but within the camera. Some of these are also downloaded and stored in Central Files. Subject Access Requests for video recordings are also stored in Central Files and OneDrive for secure sharing. 

 

Automatic deletion and manual deletion for reviewed recordings.  

 

 

 

 

CCTV 

IWL 

1 to 7 months from the date of recording (each location has a different storage facility)  

EA Office:  
Up to 7 months 

Server Room 2: Up to 1 month 

Cash Office: 6 months 

Monitoring & Security 

Images captured by the system are recorded and stored within a secure server room, the Enforcement Manager’s Office and the Cash Office. Monitors are sited within the secure server room and the Enforcement Manager’s office. Web-based access is also available for restricted staff. 

Automatic - overwrite footage once the retention time is reached. 

Complaints 

SB 

6 + 1 years from the completion of the case. 

(But archived after 18 months) as Case enquiry 

Analyse any trends 

Details of complaints (which include debtors’ names and employees’ names, as well as council names) are stored on the Intranet, as well as Central Files. 

Complaint Responses can be either via letter or email.  Letters are scanned to the case via case enquiry and saved in Central Files. 

Manual - following annual review 

 

 

 

 

 

 

 

 

 

Compliments 

SB 

Indefinitely  

Marketing, although data is anonymised 

Access to Central Files 

N/A 

Data Breach Records 

SB 

6 + 1 years 

Retained in case required by ICO or other appropriate authority 

Central Files 

Manual - following annual review 

Document Change Notices 

DM 

6 + 1 years 

Quality Assurance 

Central Files 

Manual - following annual review 

Emails 

IWL 

6 + 1 years 

To satisfy customer complaints. 

Access to Microsoft Outlook 

Deletion from account (automatic). Also managed manually by each account holder 

Enforcement Agent Employment Portal 

JOB 

1 week 

Workflow is deleted weekly and automatically overwrites with new route details. 

Log-in from internal network, PDA or externally via website portal. 

Automatic deletion 

Main Case Information 

JM 

18 months + 5.5 years 

18 months after completion. After this, the cases will then be archived for a further 5.5 years with restricted access - for legal obligations to HMRC and reason of dispute resolution, complaints, and defence of legal claims. Restricted access to Operational Managers (including Directors), Audit staff, IT Development & Support staff) only 

Case Enquiry 

Automatic archiving and deletion  

 

Minutes of meetings 

DM 

Indefinitely 

They are a record of when we introduced changes to our processes and why 

Access to Central Files 

N/A 

 

 

 

 

 

 

New Client Initiation Form / Amendment Forms/ New Client Amendment checklists  

(ECS Contact) 

SB 

6 + 1 years  
 
(after end of relationship with the client) 

Staff and Clients’ names to show who agreed what with whom – can be needed for many years after we’ve ceased working for a client. Ideally, we’d like to keep indefinitely in case of later disputes or defence of possible claims. 

Access to Central Files 

Manual - following annual review  

Non-compliance reports 

DM 

Indefinitely 

Personal Information may be redacted where necessary 

Access to Central Files 

N/A 

Purchases 

MLB 

Indefinitely 

Used for business purposes 

Stored in Central Files 

N/A  

Safeguarding Reports 

JOB 

2 years 

Public interest - to help protect vulnerable adults/children 

Stored in Central Files 

Manual delete, following review. 

Sales & Marketing database 

SH  

Indefinitely 

Marketing data is stored indefinitely unless the data subject opts out 

Accessed via the Intranet 

N/A 

Staff Rotas 

Dept. Managers 

2 years 

Used for business purposes 

Stored in Central Files 

Manual delete, following review. 

Staff DSE Forms 

DM 

6 + 1 years  

Used for business purposes 

Stored in Central Files 

Manual delete, following review. 

Staff Training Records (Skills Matrix) 

Dept. Managers 

1 year following end of employment   

Used for business purposes 

Stored in Central Files 

Manual delete, following review. 

Suggestion Forms (Environment) 

DM 

6 + 1 years   

Used for business purposes 

Access to Central Files 

Manual - following annual review 

Telematics 

JOB 

2 years 

Monitoring, providing support and insurance purposes 

Greenroad Server in Ireland 

Data is deleted by Greenroad 

 

 

 

Telephone Recordings 

(Contact Centre) 

JM 

1 year 

Monitoring the performance of employees. Ensure compliance with applicable laws and to be able to respond adequately and fairly in the event that complaints are made. 

Mitel MX One phone system records name and extension number and updates Active Directory. Some of these are recorded and stored in central files. Subject Access Requests for Telephone recordings are also stored in OneDrive for secure sharing. 

 

 

Automatic deletion  

PAYROLL & FINANCE 

 

 

 

 

 

Accounting Records 

MLB 

6 + 1 years 

Section 221 of the Companies Act 1985 as modified by the Companies Acts 1989 and 2006 

Access to Central Files 

Deleted manually following annual  

Expense Accounts 

MLB 

6 + 1 years following year end 

Companies Act 1985, section 222 as modified by the Companies Act 1989 and Companies Act 2006 

 

Access to Central Files 

Deleted manually following annual  

Inland Revenue/HMRC approvals 

MLB 

Permanently 

Recommended practice (CIPD) 

 

Access to Central Files 

Deleted manually following annual  

Audit reports 

MLB 

6 + 1 years 

HMRC Requirements 

Access to Central Files 

Manual - following annual review 

Staff Data: (Main file, including Qualifications, Professional Insurance)  

MLB 

6 years after staff leave the organisation 

 

For ‘reasons of employment contract’ 

Access to Sage (Snowdrop) 

Deleted manually following annual review 

Staff Data: Right to work checks 

MLB 

Two years after employment 

Recommended practice (Home Office) 

Staff File 

Deleted manually following annual review 

Staff Data: Grievance documents 

MLB 

6 months following end of employment 

Limitation incl. EC for ‘last straw’ constructive dismissal and discrimination claims etc 

Staff File 

Deleted manually following annual review 

Staff Data: References issued for employment 

MLB 

1 year 

Defamation Act 1996 1 - year limitation (in respect of any shared comments) 

Staff File 

Deleted manually following annual review 

Staff Data: Redundancy – documentation 

MLB 

6 years following end of redundancy 

Limitation Act 1980 

Staff File 

Deleted manually following annual review 

Staff Data: References issued for employment 

MLB 

1 year 

Defamation Act 1996 1-year limitation (in respect of any shared comments) 

Staff File 

Deleted manually following annual review 

Staff Data: References and correspondence that may produce legal affects (mortgage, loan, etc) 

MLB 

3 years following issue 

Limitation Act 1980 – limitation for negligence when immediately aware 

Staff File 

Deleted manually following annual review 

Staff Data: Wage/salary records (also overtime, bonuses, expenses) 

MLB 

6 years 

Taxes Management Act 1970. 

Staff File 

Deleted manually following annual review 

Staff Data: Pension records 

MLB 

12 years after benefit ceases. Avoid access unless required 

Recommended practice (CIPD) 

 

Staff File 

Deleted manually following annual review 

 

 

Staff Data: Statutory Adoption, Paternity and Maternity Pay records, calculations, matching certificates and leave 

MLB 

3 years after the end of the tax year 

Maternity & Parental Leave Regulations 1999 

 

Staff File 

Deleted manually following annual review 

Staff Data: Sickness and injury records (work related) 

(other than those listed under ‘Health and Safety’) 

MLB 

15 years 

3 years for personal injury claim15 years for negligence (in respect of latent damage) Limitation Act 1980 

Staff File 

Deleted manually following annual review 

Unsuccessful Candidate Data: Application forms and interview notes  

MLB 

6 – 12 months  

 

Defamation 

Act 1996 1 year limitation (in respect of any shared comments) 

Access to Sage (Snowdrop) 

Automatic deletion  

 

Staff Data: Next of Kin Details 

MLB 

3 months following end of employment 

Vital interest 

Access to Sage (Snowdrop) 

Automatic deletion from snowdrop (6m) 

Manually following annual review for detailing in staff file. 

HEALTH & SAFETY 

 

 

 

 

 

Accident books, records and reports 

MLB 

15 years 

3 years from last entry (or until person is 21 years old) The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (SI 1995/3163) as amended, and max. 15 years for negligence (in respect of latent damage) Limitation Act 1980 

Locked Cabinet with H&S Officer 

Deleted manually following annual review 

First aid training 

MLB 

6 years after employment 

Health and Safety (First Aid) Regulations 1981 

Certificates on wall and copy filed in Central Files  

Deleted manually following annual review 

H&S representatives training 

MLB 

5 years after employment 

Health & Safety (Consultation with employees) Regulations 1996 

Certificates on wall and copy filed in Central Files.  

Deleted manually following annual review 

H&S training - employees 

MLB 

5 years after employment 

H&S Information for Employees Regulations 1989 

Certificates on wall and copy filed in Central Files.  

Deleted manually following annual review 

 

 

Health records made in connection with health surveillance (according to HSE) 

 

MLB 

40 years 

Recommended practice (HSE) The Control of Substances Hazardous to Health Regulations 1999 and 2002 

There is database on the Intranet that first aiders / managers have access to employees (both past and present) medical conditions. 

Deleted manually following annual review 

Risk assessments 

DM 

Indefinite 

(dependent on the type) 

Recommended practice (CIPD) 

Staff file. Also, the Health & Safety Risk Assessments are also stored in Central Files, on the Company Intranet and some of them on the Enforcement Agent’s Portal.  

 

N/A 

 

Richard Sutor – Chief Performance Officer

Bristow & Sutor
Last Review Date: 4th June 2019

BSPOL 12 Retention Policy Rev 05 08.04.20