Page 1 of 27 V 0.5
Data Retention and Deletion Policy Ref No: ORG020
Please contact HR if you require the document in large print, Braille or another language or alternative format.
Issue Date: 3rd Feb 2021
Review date: 2022
Publication/Distribution
• Publication on the shared drive
• Cascade through relevant line management
Target Audience:
• All employees and Volunteers
Related documents
• ORG08 Data Protection Policy
Name Stephen Conway
Signature
Position Chief Executive
Date 3rd February 2021
Document Version Control
| Date | Version | Status | Author | Details of Change |
|---|---|---|---|---|
| April 18 | 0.1 | Draft | Clare Watson | Draft new policy |
| June 18 | 0.2 | Live | SMG | Review |
| December 2018 | 0.3 | Draft | Clare Watson | Additional items added |
| Feb 2020 | 0.4 | Live | Clare Watson | Member and volunteer retention changes |
| Feb 2021 | 0.5 | Live | Clare Watson | Retention changes and responsibilities |
1 Purpose
The purpose of this policy is to detail the procedures for the retention and disposal of information, to ensure that the Deafblind UK Group carries these out consistently and fully documents any actions taken. Unless otherwise stated, retention and disposal refers to both electronic and paper documents.
2 How long should we keep our records?
Under the UK General Data Protection Regulation, records should only be kept for as long as necessary for the purpose for which they were collected. The primary factors that inform decisions on retention are:
1. Business Need
2. Legislative and regulatory requirements
3. National Archive requirements/legislation
3 Disposal Schedule
3.1 This section sets out approved document retention periods in order that the DBUK Group may meet its statutory and legal responsibilities and comply with the General Data Protection Regulation and other legal obligations.
3.2 Retention
Documentation may be retained for a longer period of time than stated in this document, but explicit reasons for doing so must be recorded.
3.3 Formats
Paper (e.g. files, forms, folders) or electronic (e.g. word processed documents, databases, spreadsheets, web, scanned images). Records held electronically must not remain accessible once deleted.
3.4 Storage and Disposal
Records on disposal schedules will fall into three main categories.
1. Destroy after the agreed period. Where the useful life of records can be easily predetermined
2. Automatically select for permanent preservation. Where certain groups of records can be readily defined as worthy of permanent retention
3. Review
3.5 Destruction
• Information containing personal data must be placed in a secure shredding bin or put through the supplied shredder
• Electronic equipment containing information should be destroyed using killdisc for individual folders. Alternatively, a certificate should be obtained from an approved provider stating that killdisc had been used
• Destruction of electronic records should render them non-recoverable
• Permanent Disposal: Before undertaking permanent disposal of data approval should be obtained by a Head of Service or above.
4 Sharing of information
4.1 Duplicate records should be destroyed. Where information is regularly shared between departments only the original record should be retained.
4.2 Where information is shared outside of the Deafblind UK Group we will ensure that adequate procedures are in place to ensure information is managed in line with the UK General Data Protection Regulation and other regulatory guidance.
5 Refreshing Details
It is essential that we have a process in place to refresh the data and consent we hold to ensure that the information is accurate and up to date.
| Record Type | Refresh Period | Method | Where recorded |
|---|---|---|---|
| Members and Carers | 3 years | Ongoing as part of all interactions | Raisers Edge |
| Employees | 2 years | Personal details refresh form/email to self update on Capita | Capita |
| Volunteers | 2 years | As part of yearly survey | Raisers Edge |
| Donors and Event participants | 2 Years | Ongoing as part of all interactions | Raisers Edge |
| Customers | 2 Years | Part of annual support plan review | S/Drive |
| Trusts | 2 Years | Ongoing as part of all interactions | Raisers Edge |
| Professionals | 2 Years | Ongoing as part of all interactions | Raisers Edge |
| Organisations | 2 Years | Ongoing as part of all interactions | Raisers Edge |
6 Audit Trail
6.1 You are required to document the disposal of records that are either shredded or deleted either within or outside the deletion periods in the schedule below.
6.2 This will provide an audit trail for any inspections carried out by the ICO.
6.3 Please see relevant process within your department.
7 Monitoring
Responsibility for monitoring the disposal of documents rests with the Executive Management Team.
8 Disposal Schedule
Department Human Resources
Heading Data / Document Type Required Retention
Comments Responsibility
Networx Candidate Account Deactivated automatically
after 12 months of
inactivity and data deleted
A deactivated candidate will no longer be searchable in the
candidate system or sent any emails from the system.
There will be no possibility of recovering the deleted information
1 month after deletion.
Director of Finance and Deputy Chief Executive
Recruitment Files Application Forms, CVs 1 year Deleted automatically on ATS system by Networx and/or deleted from folders 12 months after role
closes.
Director of Finance and Deputy Chief
Executive
Interview Notes Non-successful
candidates 12 Months
Successful candidates 6
years after the end of
contract.
For non-successful candidates interview notes are deleted 12
months after role closes
For successful candidate paper copies are passed to HR and kept
on employee paper file
Director of Finance and Deputy Chief
Executive
Appointment details 6 years after the end of
Such as application form, authorisation to appoint, proof of
Director of Finance and Deputy Chief
contract eligibility to work in the UK, qualification certificates, employment references).
Executive
Employee Files and Board Member
Files
Paper and hard copy files 6 years after the end of contract
Includes:
• Personal details form which includes information on the protected characteristics and bank details.
• Personnel files
• Contract of employment and conditions of service
• Redundancy details
• Disciplinary Warnings
• Volunteers record
Director of Finance and Deputy Chief
Executive
Records relating to working time
2 years from the date on which they were made
Director of Finance and Deputy Chief
Executive
Health Health Records (During Employment)
During employment
Director of Finance and Deputy Chief Executive
Health Records (Reason for termination is concerned
with health)
3 years Director of Finance and Deputy Chief Executive
Occupational Health Records
Medicals- Retain until employee aged 100
Director of Finance and Deputy Chief Executive
Other- 7 years after
assistance
Access to Work Access to Work non successful candidate
delete immediately
Successful candidate 6
years after the end of contract
Director of Finance and Deputy Chief
Executive
Sickness Records Annual Leave, Sickness, statutory maternity Pay
records and calculations, certificates or other medical
evidence
6 years after the end of the employment
contract
3 years after the end of the
tax year in which the maternity
period ends
Director of Finance and Deputy Chief
Executive
And
Head of Finance
Statutory Sick pay records and calculations
3 years after the end of the
tax year to which they
relate
Head of Finance
Criminal Disclosure Checks
Photos of DBS documents After DBS submitted destroyed
Director of Finance and Deputy Chief
Executive
Information about criminal records
After conclusion of
review
• unless clearly relevant to ongoing employment
• Keep record that check was satisfactory
• Delete once conviction spent
Director of Finance and Deputy Chief
Executive
DBS Panel Review Paperwork
After conclusion of
review
• unless clearly relevant to ongoing employment
• Keep record that check was satisfactory
• Delete once conviction spent
Director of Finance and Deputy Chief
Executive and Director of Operations
Employee Benefits Perkbox 6 Years after the end of contract
Director of Finance and Deputy Chief
Executive
Busy Bees 6 Years after the end of contract
Director of Finance and Deputy Chief
Executive
Pension and Retirement
Pension details 6 years Head of Finance
Income Tax Records and
Wages
Income tax and NI returns 6 years after the end of the pay reference
Tax records and correspondence with Inland Revenue
Head of Finance
Department Volunteer Management
Heading Data / Document Type Required Retention
Comments Responsibility
Recruitment Files Application Form - Online or paper based
12 Months Volunteers application on ATS auto delete after 12
months. Volunteer application
download Volunteer interview
questions
Director of Finance and Deputy Chief Executive
period
Wage/salary records, 6 years Including overtime and bonuses Head of Finance
Trustee’s Minutes books Permanently Chief Executive Officer
Staff Management 121 Notes Destroy immediately
after employment ended unless
pending investigation
Director of Finance and Deputy Chief Executive
Supervision Notes 7 years after employment has ended
Director of Operations
PDRs 6 years after employment
ended
Director of Finance and Deputy Chief Executive
Electronic HR file on boarding paperwork
Until cleared as volunteer
If withdraw
deleted immediately
If a volunteer goes on hold, will have to reapply after 3 months and initial paper
work destroyed
Director of Finance and Deputy Chief Executive
Volunteer Files Raisers Edge Record 6 years after inactive date
Or 6 months after the last contact with
the volunteer if not matched
Volunteer on boarding paperwork and Raisers Edge
record.
At 6 months the record becomes anonymised but
generic data held for reporting
Director of Operations
Electronic File 3 months once cleared as a
volunteer
All documents in electronic Director of Operations
LMS Platform records 3 months after inactive date
Director of Operations
Criminal Disclosure Checks
DBS Documentation Destroyed once check completed
Email and any copies of documents
Director of Finance and Deputy Chief Executive Director of Operations
DBS Panel Review Paperwork
Immediately • unless clearly relevant to ongoing employment
• Keep record that check was satisfactory
• Delete once conviction spent
Director of Finance and Deputy Chief Executive
and Director of Operations
Training Training Accounts Account to be deleted once made inactive
Director of Operations
Training Certificates 3 years after inactive date Or 12 months after the last contact with
the volunteer if not matched
Director of Operations
Department Fundraising and Marketing
Heading Data / Document Type Required Retention
Comments Responsibility
Marketing Press releases, statements and distribution campaigns
Permanent To be kept on S-drive Director of Fundraising
Marketing collateral, print and online including,
advertisements, brochures, leaflets, show programs,
banners, posters
Permanent In case ASA bring a complaint forward for
investigation
For archive purposes
Director of Fundraising
Logos & branding Permanent For archive purposes Director of Fundraising
Case studies Photos 3 years from date of consent
Refresh consent after 2.5 Years if photo still required
Director of Fundraising
Photographs 3 years from date of
Refresh consent after 2.5 Years if photo still required
Director of Fundraising
consent
Fundraising campaign plans, promotional materials and event
statistics
5 Years In case ASA bring a complaint forward for
investigation
Director of Fundraising
Staff News Letter 7 years Director of Fundraising
Website and Online Communications
Website Content Current Only 3 Years for Photos and Case studies unless new
consent gained
Director of Fundraising
Website Updates Destroy consent after 7
years
Director of Fundraising
Facebook and Twitter posts 3 years 3 Years for Photos and Case studies unless new consent
gained
Director of Fundraising
Fundraising Trust’s Records (Paper and electronic)
Destroyed after 20 years
Archived after 5 years Director of Fundraising
Corporate Records Archived after 5 years
Director of Fundraising
Donors Records (Paper and Electronic)
6 years after Inactive date
5 years
If Gift Aid
If No gift Aid
Inactive 2 years after last donation
Director of Fundraising
Legator Records (Paper and electronic)
5 years after Inactive date
Director of Fundraising
Gift Aid Declaration 6 years from the end of the
Director of Fundraising and Head
accounting period they
relate to
of Finance
Direct Debit mandate The period the DD is valid
Director of Fundraising and Head
of Finance
Funding applications (Not awarded)
1 Year Director of Fundraising and Head
of Finance
Funding applications (awarded)
6 years after the end of the
funding
Director of Fundraising and Head
of Finance
Contract monitoring 2 years after the end of the
funding
Director of Fundraising and Head
of Finance
Events Information in relation to planning events
5 years after the event
Director of Fundraising and Head
of Finance
Department Membership Services
Heading Data / Document Type Required Retention
Comments Responsibility
Recruitment Member and Carers referral forms, enquiry forms and
membership forms
Paper referral form, email and scan - 1 month from
date added to system
PDF version scanned and attached to members record
Director of Operations
Member File Member/Carers File Inactive on request
Director of Operations
Deceased and inactive members/Carers
6 years after inactive date
Director of Operations
Request to be removed Immediately delete
Exception:- donated to DBUK and includes Gift Aid
Director of Operations
Member enquiry (potential member)
2 months after enquiry
If not converted to full member
Director of Operations
Email Enquiries (CS referrals and CS enquiries
mailboxes)
Delete 2 months after enquiry or
referral received
Director of Operations
Organisations Organisation File 2 years after inactive date
Director of Operations
Employee File 2 years after inactive date
Director of Operations
Casework Member High Level Case Work
Destroy 2 years after last correspondence
Director of Operations
Legal Case Work Advice 6 years after support has
ended
Director of Operations
Deafblind Assessment
Assessment booking form
6 years after assessment submitted
6 Years after assessment
Director of Operations
completed
Counselling Counselling Assessment 4 years after sessions
completed
Director of Operations
Department Care and Support Customers
Heading Data / Document Type Required Retention
Comments Responsibility
New Customers Contract Request Forms 12 months after request if not accepted
as care package
Or
7 years after ceasing to be a
customer
To be kept on S:/Drive Director of Operations
Customer File Initial Assessment 7 years after ceasing to be a
customer
Director of Operations
Support Plan 7 years after ceasing to be a
customer
Director of Operations
Daily Support Records
7 Years Director of Operations
Incident forms
7 Years Director of Operations
Medication administration records (MAR Sheets)
7 years Director of Operations
Death Notices 10 Years Director of Operations
Heading Data / Document Type Required Retention
Comments Responsibility
Department Facilities
Heading Data / Document Type Required Retention
Comments Responsibility
Health and Safety Accident and Incidents records/reports
3 years Unless the individual is
under 21
To be kept on S-Drive until deleted
Director of Finance and Deputy Chief Executive
Health Records 40 Years Director of Finance and Deputy Chief Executive
RIDDOR 3 years Director of Finance and Deputy Chief Executive
Risk Assessments 3 years Director of Finance and Deputy Chief Executive Director of Operations
Safe Operation procedures and Safe Systems of Work
40 years Director of Finance and Deputy Chief Executive
Contractors Contractors Details 2 years after job completed
or after contract ends
Director of Finance and Deputy Chief
Executive
Crime Reports 3 years Director of Finance and Deputy Chief Executive
Asset Management Asset and Depreciation records
6 years after the end of the financial year they relate to
Director of Finance and Deputy Chief Executive
Building and Land Managements
Records relating to property
5 years after property is no
longer owned or if paperwork supersedes
previous documents.
Director of Finance and Deputy Chief Executive
Records of Health and Safety Inspections
7 years from the end of the financial year to which they
relate
Director of Finance and Deputy Chief Executive
Building inspections Retain until superseded
CCTV Recordings Destroy 4 weeks from the date recorded except where required as evidence
Director of Finance and Deputy Chief Executive
CCTV Audit Logs 1 year
Fire Risk Assessments Retain until superseded
Director of Finance and Deputy Chief Executive
COSHH Assessments Retain until superseded
Director of Finance and Deputy Chief Executive
Department Quality and Compliance
Heading Data / Document Type Required Retention
Comments Responsibility
Feedback Complaints 7 years after date resolved
Director of Finance and Deputy Chief Executive
Compliments 3 years after date received
Director of Finance and Deputy Chief Executive
Surveys Paper copy destroyed after 6 months, pdf
version held on file if individual
has given
Director of Finance and Deputy Chief Executive
permission to use
Accident/Incidents Accident, Incident and Near Miss Reports
3 years after the event
Director of Operations
Safeguarding Safeguarding Reports 6 years Director of Operations
Information Governance
Information relating to compliance with information
governance policies
5 years Director of Finance and Deputy Chief Executive
Breaches Information/reports in relation to Data Breaches
6 Years Director of Finance and Deputy Chief Executive
Data Protection Rights Request 8 Years Director of Finance and Deputy Chief Executive
Audits Audit Logs 2 Years Director of Finance and Deputy Chief Executive
Department Governance
Heading Data / Document Type Required Retention
Comments Responsibility
Risk Management Risk Management 6 years Chief Executive
Risk Register 6 years Chief Executive
Policies Formal Policies 5 years Chief Executive
Internal, Committees and
Groups
Internal Committee meeting minutes
7 years Chief Executive
Member Forums 3 years Chief Executive
Business Continuity
Details of arrangements made for maintaining
Deafblind UK's capability to deliver services
7 years after event
Chief Executive
Department Business Development
Heading Data / Document Type Required Retention
Comments Responsibility
Procurement Closed Tender Files 1 year Director of Operations
Contracts/Agreements 6 years after the end of the
contract
Including contract amendments
Director of Operations
Contract Monitoring 2 years from the end of the
contract
Director of Operations
E-tender Correspondence 6 months Director of Operations
Strategy, policy and procedure documentation
5 years Director of Operations
Stakeholder engagement
Meetings, speaking, engagement and
correspondence with
2 years after engagement has ended
Director of Finance and Deputy Chief Executive
business, LA etc
Research Projects Research data
Anonymised research data
Director of Operations
Department Finance
Heading Data / Document Type Required Retention
Comments Responsibility
Financial Management
Payments cash book or record of BACS/cheque
payments
6 years Director of Finance and Deputy Chief Executive
and Head of Finance
Purchase Ledger 6 years Director of Finance and Deputy Chief Executive and Head of Finance
Invoice 6 years Director of Finance and Deputy Chief Executive and Head of Finance
Petty cash record 6 years Director of Finance and Deputy Chief Executive and Head of Finance
POs 6 years Director of Finance and Deputy Chief Executive and Head of Finance
Credit Card Req 6 years Director of Finance and Deputy Chief Executive and Head of Finance
Accounting Records 6 years Director of Finance and Deputy Chief Executive and Head of Finance
Payroll Income Tax and NI returns 3 years Director of Finance and Deputy Chief Executive and Head of Finance
Pension Opt Out Records 3 years Director of Finance and Deputy Chief Executive and Head of Finance
New starter payroll set up paper work
6 years Director of Finance and Deputy Chief Executive and Head of Finance
Statutory Notices (Matb1, SSP, Shared Parental, tax
code changes)
7 years Director of Finance and Deputy Chief Executive and Head of Finance
Sage Payroll 6 years Director of Finance and Deputy Chief Executive and Head of Finance
Expenses Volunteer 6 years Director of Finance and Deputy Chief Executive and Head
of Finance
Employee 6 years Director of Finance and Deputy Chief Executive and Head of Finance
Suppliers Records on SAP 6 years after last invoice
date
Director of Finance and Deputy Chief Executive and Head of Finance
Suppliers Invoices 6 years (Paper)
Director of Finance and Deputy Chief Executive and Head of Finance
Banking Bank Statements 6 years (Paper)
Director of Finance and Deputy Chief Executive and Head of Finance
Legacy Legacy paperwork 6 Years from receipt of
funds
Director of Finance and Deputy Chief Executive and Head of Finance
Budgeting Budget Management Records
6 Years Director of Finance and Deputy Chief Executive and Head of Finance
Insurance Insurance Claims 3 Years Director of Finance and Deputy Chief Executive and Head of Finance
Insurance Policies Permanent Director of Finance and Deputy Chief Executive and Head of Finance
Department Training
Heading Data / Document Type Required Retention
Comments Responsibility
Training Training booking forms 2 Years Director of Operations
Research Projects Research data
Anonymised research data
3 years after project
completed
Director of Operations
Webinars and eLearning
Enrolment registration on LMS
6 months Director of Operations
Department Information Technology
Heading Data / Document Type Required Retention
Comments Responsibility
Raisers Edge Downloads
Exports 1 Month after export
All excel sheets with member and volunteer data
to be deleted
Director of Operations/ Director
of Fundraising
Downloads Download Folder 1 Month To be emptied each month and content of recycle bin
deleted
EMT
Department folders To be reviewed quarterly
EMT
Scans Scans Folder To be deleted
once moved/attached to relevant
folder or record
EMT
Mail boxes Emails 3 Years Containing Personal Details EMT
Email Attachments 3 Years Containing Personal Details EMT
Office 365
Archived Emails 6 Months All archived emails automatically deleted every
6 months
Director of Finance and Deputy Chief
Executive
Department SharePoint Files & Folders
1 Month All Data no longer required on SharePoint in each
department to be deleted
Director of Finance and Deputy Chief
Executive
Personal SharePoint Files & Folders
1 Month Personal Data on Personal SharePoint Storage to be
deleted – 1TB Limit
Director of Finance and Deputy Chief
Executive
Microsoft Office Teams (Internal communication)
6 Months All Microsoft Teams Chat histories containing to be deleted every 6 months
Director of Finance and Deputy Chief
Executive
Anti Virus Log messages 3 Months Director of Finance and Deputy Chief
Executive
Active user profiles
Inactive Accounts: Emails, SharePoint Files & Folders, Teams Communication &
Accounts
1 Year
6 Months after left
Staff & Volunteer members that have left DBUK, All
Emails, SharePoint Personal Storage, Teams and
Account data to be deleted after 6 Months of leave date.
Director of Finance and Deputy Chief
Executive
Ticket System Resolved Tickets 6 Months All resolved & closed tickets in the last 6 Months to be
deleted
Director of Finance and Deputy Chief
Executive
Users Details 3 Months All Staff that raised a ticket that are no longer with
DBUK – Details from the system to be deleted
Director of Finance and Deputy Chief
Executive
Appendix 1 Definitions
‘Personal Data’
Meaning any information relating to an identifiable living person who can be directly or indirectly identified, in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, email, location data, National Insurance Number and IP address.
‘Special categories of personal data’
The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual. The categories are: race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for ID purposes); health; sex life; or sexual orientation. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.