Retention Policy

1. Introduction

This Retention (“Policy”) applies to Bristow & Sutor.

This Policy covers all records and documentation, whether analogue or digital and are subject to the retention requirements of this Policy.

For the purpose of this Policy, the terms ‘document’ and ‘records’ include information in both hard copy and electronic form and have the same meaning hereby referred to as Documents or Documentation.

In certain circumstances it will be necessary to retain specific records in order to fulfil statutory or regulatory requirements and to meet operational needs.  Any retention of specific records should be retained under the retention period specified in Retention of Records Schedule 1 and Retention of Digital Records Schedule 2.

2. Scope

Bristow & Sutor is bound by various obligations regarding the documentation and electronic data it retains.  These obligations include the period of retention for Documentation and when and how this documentation is disposed.

Article 5 of GDPR provides “personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”.  The purpose of this Policy is to ensure that necessary records, documents and electronic data of Bristow & Sutor are adequately protected, archived and disposed of at the correct retention period, and to provide all staff with clear instructions regarding the appropriate retention and disposal of Documentation.

This Policy will also aid paper records and electronic data storage issues identified throughout the business and to eliminate the need to retain paper and electronic records unnecessarily.

Bristow & Sutor will ensure that information is not kept longer than is necessary and will retain the minimum amount of information that it is required to hold to meet its statutory functions and the provision of its services.

3. Legal Obligation

Please refer to the External Publication Register.

4. Retention Procedure

All decisions relating to the retention and disposal of Documents should be taken in accordance with this Policy in particular:

Schedule 1 – Retention of Records Schedule - Provides the required retention periods, including the statutory minimum retention period for specific Documents.

Schedule 2 – Retention of Digital Records – Provides the required retention periods for all digital Documents.

In circumstances where a retention period of a specific document has expired, a review should always be carried out prior to a decision being made to dispose of the record.

5. Retention of Encrypted Data

Any information retained under this Policy that is in an encrypted format, consideration must be taken for the secure storage of any encryption keys.  Encryption keys must be retained as long as the data that the keys decrypt is retained.

6. Retention of Digital Data

Any digital data including media and emails are retained. Email files are saved within the Exchange Server, network shared files are saved on the secure Dell EqualLogic SAN. The backup of electronic data is saved daily onsite and offsite in 2 different secure data centres.

The process for accessing stored electronic data is restricted by permissions managed by Active Directory. There is a full audit trail of user activity, to identify when data has been accessed, edited, deleted and by whom. Files lost or deleted can be recovered within a period of 60 days. 

All portable / removable storage media are physically destroyed. This is done internally following the erasure of the data contained. The exception is for company mobile phones, these are factory reset before being disposed of.

Bristow & Sutor does not store records of cryptographic keys.

7. Archiving and Retention of Documentation

Archiving is defined as the process by which inactive data, in any format is securely stored for long periods of time in accordance with a retention schedule.

Bristow & Sutor archives paper records onsite. This includes all forms of paper-based records, which hold Personal Information for staff and debtors. Such as letter, paper files, personnel files, visitors’ books and accident books.

Information on current staff and leavers are stored for up to seven years in electronic form and hardcopy depending on the type of data. Sales & Marketing records are stored as hard copies. Most data on debtors and clients are stored in electronic form. Hard copies of debtors’ data are scanned, then shredded within 7 days of receipt.

Hard copies are disposed of by shredding, following the retention period. This is carried out onsite by the ‘approved contractor’.

There may be exceptions where documentation will need to be retained for longer periods on site, such as personnel details and Arrest Warrant documentation. In these instances, the managers in charge will be responsible for ensuring that the documentation is held in a safe and secure location.

8. Archiving Process

The method of archiving selected for a particular document will vary between departments and services.  Any questions regarding archiving should be raised in the first instance with the department manager.

9. Disposal of Records

Any record containing confidential information must be disposed of by staff putting in the locked secure bins ‘shreddy bins’, to have ready for shredding during the scheduled days.

Disposal of documents that do not contain confidential information may be disposed of in the normal way or recycled.

Record of disposal is maintained by means of a Waste Transfer Note, which is provided by the contractor, which is a Certification of Destruction. The certificate details the date and the invoice number.

10. Disposal of Electrical Hardware

IT equipment and devices that have the ability and capability to store personal data include:

  • PCs
  • Laptops
  • Mobile Phones
  • Multi-Functional Devices – printers / scanners
  • Servers
  • USB Memory Sticks and external hard drives

IT equipment disposal must be managed by the Head of ICT. All computer equipment, recycling or refurbishing must be disposed of in accordance with the Waste Electric and Electronic Equipment Regulations 2013.

11. Document Owner

The Data Protection Officer is the owner of this document and is responsible for ensuring that this Policy is reviewed in line with the review requirements of GDPR.

SCHEDULE 1

RETENTION OF RECORDS SCHEDULE

RECORD TYPE

CONTACT

RETENTION PERIOD

RETENTION JUSTIFICATION

LOCATION STORED

Application Forms - unsuccessful candidates

MLB

6 Months after notification to candidate

Dispute resolution purposes relating to employment law

Locked cabinet in F&P office

Company Financial Records

MLB

6 + 1 years

Companies Act 2006

Locked cabinet in F&P office

Capability and Disciplinary Documents (Substantiated)

 

MLB and all other departmental managers

2 years following the issue of the warning

(Annual Review)

TUPE 2006

Case law permitting expired warnings to be referred to (but not built upon).

Unreasonable to refer back after 2 years

Personnel files

Client Files

SB

6 + 1 years

Used for business purposes.

This may be kept indefinitely as there is the likelihood for contracts to be renewed within 7 years from last transaction.

Block 1 (double office)

Court Documents

CJF

Indefinitely

Used for business purposes

Compliance

Health & Safety - accident books, records and reports

MLB

15 years

3 years from last entry (or until person is 21 years old) The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (SI 1995/3163) as amended, and max. 15 years for negligence (in respect of latent damage) Limitation Act 1980

Hard copies are scanned and saved electronically then the originals are shredded bi-annually.

Holidays request records

MLB

12 months

Used for business purposes

Locked cupboard in the finance office

Letters and documents relating to debtors/third parties

DW

1 week

N/A

Hard copies are scanned and saved electronically then the originals are shredded within a week.

Main Personnel file

MLB

6 years after staff leave the organisation

For ‘reasons of employment contract’

Locked cabinet in F&P office

Paying-in books

JOB

2 years

(Annual Review)

Legitimate Interest

 

EA Office. These do not need to be kept for more than 2 years as the record of payment is copied to Finance.

Receipt Books

Enforcement & General Office Managers

2 years

(Annual Review)

Legitimate Interest

 

Enforcement & General Office. Completed booklets may be archived (locked). These do not need to be kept for more than 2 years as the record of payment is copied to Finance.

Records from reception – “Payment records.”

MLB

1 year

(Annual Review)

Legitimate Interest

Secure Cash Office

Supplier Contracts

RJS

6 + 1 years from expiry

Limitation Act 1980

Locked cupboard in the Finance office

Sickness Records

MLB

12 months

Health & Safety Act 1974

Locked cupboard in the Finance office but electronic copy available. Refer to Schedule 2

 Timesheets 

MLB

6 years

Working Time Regs 1998

Locked cupboard in the Finance office but electronic copy available. Refer to Schedule 2

 

SCHEDULE 2

RETENTION OF DIGITAL RECORDS SCHEDULE

RECORD TYPE

CONTACT

RETENTION PERIOD

RETENTION JUSTIFICATION

APPLICATION REQUIREMENT/DEVICE

DISPOSAL METHOD

GENERAL PRACTICES

 

 

 

 

 

Audit Schedules

DM

4 + 1 Years

As an organisation NQA retention policy is to keep 2 audit cycles worth of reports for every client.

An audit cycle is usually 2 years.

Stored in Central Files

Manual - following annual review

ANPR Camera

JOB

After 5000 records

It is used to see if any hit can be enforced. The system records all number plates that cross the camera and overwrites them if there are no matches. The data that is not relevant is held for a maximum of one week.

Spreadsheet

Automatic deletion (Data overwritten)

 

 

 

 

Body Worn Video recordings

JOB

90 days

Monitor the performance of employees and agents, including use for ongoing training purposes (in which case they are anonymised) Ensure compliance with applicable laws and to be able to respond adequately and fairly in the event that complaints are made. If there is an issue on a case that requires us to keep it longer than the 90 days stated, the footage is stored on Q drive – this is reviewed annually by JOB & SB and deleted if it’s no longer relevant

Encrypted video cameras - The video cameras are encrypted, and all data is encrypted. The data is not stored on a memory card but within the camera. Some of these are also downloaded and stored in Central Files. Subject Access Requests for video recordings are also stored in Central Files and OneDrive for secure sharing.

 

Automatic deletion and manual deletion for reviewed recordings.

 

 

 

 

CCTV

IWL

1 to 7 months from the date of recording (each location has a different storage facility)

EA Office:
Up to 7 months

Server Room 2: Up to 1 month

Cash Office: 6 months

Monitoring & Security

Images captured by the system are recorded and stored within a secure server room, the Enforcement Manager’s Office and the Cash Office. Monitors are sited within the secure server room and the Enforcement Manager’s office. Web-based access is also available for restricted staff.

Automatic - overwrite footage once the retention time is reached.

Complaints

SB

6 + 1 years from the completion of the case.

(But archived after 2 years) as Case enquiry

Analyse any trends

Details of complaints (which include debtors’ names and employees’ names, as well as council names) are stored on the Intranet, as well as Central Files.

Complaint Responses can be either via letter or email.  Letters are scanned to the case via case enquiry and saved in Central Files.

Manual - following annual review

 

 

 

 

 

 

 

 

 

Compliments

SB

Indefinitely

Marketing, although data is anonymised

Access to Central Files

N/A

Data Breach Records

SB

6 + 1 years

Retained in case required by ICO or other appropriate authority

Central Files

Manual - following annual review

Document Change Notices

DM

6 + 1 years

Quality Assurance

Central Files

Manual - following annual review

Emails

IWL

6 + 1 years

To satisfy customer complaints.

Access to Microsoft Outlook

Deletion from account (automatic). Also managed manually by each account holder

Enforcement Agent Employment Portal

JOB

1 week

Workflow is deleted weekly and automatically overwrites with new route details.

Log-in from internal network, PDA or externally via website portal.

Automatic deletion

Main Case Information

JM

2 + 5 years

2 years after completion. After this, the cases will then be archived for a further 5 years with restricted access - for legal obligations to HMRC and reason of dispute resolution, complaints, and defence of legal claims. Restricted access to Operational Managers (including Directors), Audit staff, IT Development & Support staff) only

Case Enquiry

Automatic archiving and deletion

 

Minutes of meetings

DM

Indefinitely

They are a record of when we introduced changes to our processes and why

Access to Central Files

N/A

 

 

 

 

New Client Initiation Form / Amendment Forms/ New Client Amendment checklists

(ECS Contact)

SB

6 + 1 years

(after end of relationship with the client)

Staff and Clients’ names to show who agreed what with whom – can be needed for many years after we’ve ceased working for a client. Ideally, we’d like to keep indefinitely in case of later disputes or defence of possible claims.

Access to Central Files

Manual - following annual review

Non-compliance reports

DM

Indefinitely

Personal Information may be redacted where necessary

Access to Central Files

N/A

Purchases

MLB

Indefinitely

Used for business purposes

Stored in Central Files

N/A

Safeguarding Reports

JOB

2 years

Public interest - to help protect vulnerable adults/children

Stored in Central Files

Manual delete, following review.

Sales & Marketing database

SH

Indefinitely

Marketing data is stored indefinitely unless the data subject opts out

Accessed via the Intranet

N/A

Staff Rotas

Dept. Managers

2 years

Used for business purposes

Stored in Central Files

Manual delete, following review.

Staff DSE Forms

DM

6 + 1 years

Used for business purposes

Stored in Central Files

Manual delete, following review.

Staff Training Records (Skills Matrix)

Dept. Managers

1 year following end of employment 

Used for business purposes

Stored in Central Files

Manual delete, following review.

Suggestion Forms (Environment)

DM

6 + 1 years 

Used for business purposes

Access to Central Files

Manual - following annual review

Telematics

JOB

2 years

Monitoring, providing support and insurance purposes

Greenroad Server in Ireland

Data is deleted by Greenroad

 

 

 

Telephone Recordings

(Contact Centre)

JM

1 year

Monitoring the performance of employees. Ensure compliance with applicable laws and to be able to respond adequately and fairly in the event that complaints are made.

Mitel MX One phone system records name and extension number and updates Active Directory. Some of these are recorded and stored in central files. Subject Access Requests for Telephone recordings are also stored in OneDrive for secure sharing.

 

 

Automatic deletion

PAYROLL & FINANCE

 

 

 

 

 

Accounting Records

MLB

6 + 1 years

Section 221 of the Companies Act 1985 as modified by the Companies Acts 1989 and 2006

Access to Central Files

Deleted manually following annual

Expense Accounts

MLB

6 + 1 years following year end

Companies Act 1985, section 222 as modified by the Companies Act 1989 and Companies Act 2006

 

Access to Central Files

Deleted manually following annual

Inland Revenue/HMRC approvals

MLB

Permanently

Recommended practice (CIPD)

 

Access to Central Files

Deleted manually following annual

Audit reports

MLB

6 + 1 years

HMRC Requirements

Access to Central Files

Manual - following annual review

Staff Data: (Main file, including Qualifications, Professional Insurance)

MLB

6 years after staff leave the organisation

 

For ‘reasons of employment contract’

Access to Sage (Snowdrop)

Deleted manually following annual review

Staff Data: Right to work checks

MLB

Two years after employment

Recommended practice (Home Office)

Staff File

Deleted manually following annual review

Staff Data: Grievance documents

MLB

6 months following end of employment

Limitation incl. EC for ‘last straw’ constructive dismissal and discrimination claims etc

Staff File

Deleted manually following annual review

Staff Data: References issued for employment

MLB

1 year

Defamation Act 1996 1 - year limitation (in respect of any shared comments)

Staff File

Deleted manually following annual review

Staff Data: Redundancy – documentation

MLB

6 years following end of redundancy

Limitation Act 1980

Staff File

Deleted manually following annual review

Staff Data: References issued for employment

MLB

1 year

Defamation Act 1996 1-year limitation (in respect of any shared comments)

Staff File

Deleted manually following annual review

Staff Data: References and correspondence that may produce legal affects (mortgage, loan, etc)

MLB

3 years following issue

Limitation Act 1980 – limitation for negligence when immediately aware

Staff File

Deleted manually following annual review

Staff Data: Wage/salary records (also overtime, bonuses, expenses)

MLB

6 years

Taxes Management Act 1970.

Staff File

Deleted manually following annual review

Staff Data: Pension records

MLB

12 years after benefit ceases. Avoid access unless required

Recommended practice (CIPD)

 

Staff File

Deleted manually following annual review

 

 

Staff Data: Statutory Adoption, Paternity and Maternity Pay records, calculations, matching certificates and leave

MLB

3 years after the end of the tax year

Maternity & Parental Leave Regulations 1999

 

Staff File

Deleted manually following annual review

Staff Data: Sickness and injury records (work related)

(other than those listed under ‘Health and Safety’)

MLB

15 years

3 years for personal injury claim15 years for negligence (in respect of latent damage) Limitation Act 1980

Staff File

Deleted manually following annual review

Unsuccessful Candidate Data: Application forms and interview notes

MLB

6 – 12 months

 

Defamation

Act 1996 1 year limitation (in respect of any shared comments)

Access to Sage (Snowdrop)

Automatic deletion

 

Staff Data: Next of Kin Details

MLB

3 months following end of employment

Vital interest

Access to Sage (Snowdrop)

Automatic deletion from snowdrop (6m)

Manually following annual review for detailing in staff file.

HEALTH & SAFETY

 

 

 

 

 

Accident books, records and reports

MLB

15 years

3 years from last entry (or until person is 21 years old) The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (SI 1995/3163) as amended, and max. 15 years for negligence (in respect of latent damage) Limitation Act 1980

Locked Cabinet in F&P

Deleted manually following annual review

First aid training

MLB

6 years after employment

Health and Safety (First-Aid) Regulations 1981

Certificates on wall and copy filed in F&P

Deleted manually following annual review

H&S representatives training

MLB

5 years after employment

Health & Safety (Consultation with employees) Regulations 1996

Certificates on wall and copy filed in F&P

Deleted manually following annual review

H&S training - employees

MLB

5 years after employment

H&S Information for Employees Regulations 1989

Certificates on wall and copy filed in F&P

Deleted manually following annual review

 

 

Health records made in connection with health surveillance (according to HSE)

 

MLB

40 years

Recommended practice (HSE) The Control of Substances Hazardous to Health Regulations 1999 and 2002

There is database on the Intranet that first aiders / managers have access to employees (both past and present) medical conditions.

Deleted manually following annual review

Risk assessments

DM

Indefinite

(dependent on the type)

Recommended practice (CIPD)

Staff file. Also the Health & Safety Risk Assessments are also stored in Central Files, on the Company Intranet and some of them on the Enforcement Agent’s Portal.

 

N/A

 

Andy Rose – Chief Executive Officer

Bristow & Sutor
Last Review Date: 4th June 2019

BSPOL 12 Retention Policy Rev 02 18.09.19