Data Retention Policy
This policy is linked to Strive Higher’s Privacy Policy and is an important resource for everyone working at Strive Higher.
It outlines how Strive Higher expects anyone working with us to retain and dispose of information in line with our business objectives and legal obligations. It applies to all information – whether physical or digital – wherever it is stored. We have developed it with the following pieces of legislation in mind:
- Freedom of Information Act 2000
- The UK General Data Protection Regulations
- Data Protection Act 2018
The policy covers the following:
- Your roles and responsibilities
- Retention periods
- Weeding
- Reviewing information
- Destruction of information
- Disposal of assets
- Permanent preservation
- Legal holds
- Strive Higher’s Retention and Disposal Schedule
Your roles and responsibilities
Everyone working with Strive Higher is responsible for managing the information they create and receive as part of their work with us and is expected to familiarise themselves with our records management processes and our Retention and Disposal Schedule.
All Project Leads have ownership of the information accumulated throughout the course of a project/event/programme and are therefore responsible for its secure storage, and the decisions taken with all interested stakeholders on its retention and/or disposal at the end of a project.
Retention periods
Strive Higher sets our retention periods according to our legal obligations and the business need agreed with our clients and/or key stakeholders. If there is no legally defined retention period for corporate information, it is the responsibility of the Project Lead to determine an appropriate retention period with the client and/or key stakeholders, and whether the information could be anonymised in any way on closure of the project. When agreeing the retention period with our clients, it is important to ensure the following:
- Retention triggers are clear and consistent
- Retention periods are not excessively long and are consistent with the rest of the schedule
Strive Higher has clearly defined retention periods for our information to ensure it is kept for the appropriate length of time. Each retention period has three elements:
- Trigger – the action which begins the retention period (e.g., ‘End of Financial Year’ or ‘End of Employment’)
- Retention period – the length of time the information will be kept
- Action – either ‘review’ or ‘destroy’.
  - If the action is ‘review’ the information must be reviewed to ensure it is no longer required before destruction. Outcomes of a review may be – dispose, mark for permanent preservation, or temporary extension to review again at a future date.
  - If the action is ‘destroy’, this means the information can be destroyed.
Retention and Disposal Schedule
Strive Higher’s Retention and Disposal Schedule sets out our retention periods for different types of data. Information should be kept for the length of time defined in the Schedule unless there is a legal requirement to destroy it sooner. The Schedule is arranged by function and this applies regardless of where it sits across Strive Higher’s business lines. Any additions or changes to the Schedule should be recorded on it for future reference.
The Schedule is reviewed on an annual basis by the Assistant Director, Operations with input from key stakeholders across the team e.g. Project Leads, the Digital Lead and Senior Project & Engagement Coordinators.
Weeding
Not all information has value. If information is either considered redundant, obsolete or trivial it should be weeded out as part of routine housekeeping. Everyone working for Strive Higher has responsibility for carrying out a regular review of their records and deleting any information which falls into this category. It does not require sign off by anyone else in the team.
Weeding should be carried out for 2 reasons:
- To make sure we are making good use of available space whether physical or digital
- To make the process of reviewing or retrieving records easier
Some examples of information which would fall into this category are:
- Drafts: Draft documents may not be needed once a final version has been published. However, on some occasions where significant changes have been made, a draft may be retained to show how the final decision was made
- Emails: Outlook has an automated retention policy that retains emails for 12 months. It is important that information assets are saved to shared spaces, to provide evidence of decisions made or action taken. Once a conversation has reached a significant point, any earlier emails from this chain can be deleted
- Duplicates: We should not retain any duplications. Duplications can lead to multiple versions of information which can cause confusion
- Limited Long Term Operational Value: Some information may be of importance for only a short period of time and then become redundant. This information should be weeded as soon as it is no longer required, e.g. social or internal meeting attendance lists
Weeding should be done on a regular basis to ensure that clutter does not build up over time. Strive Higher has a six-monthly schedule for routine weeding. This exercise should cover all our stores, paper or digital, regardless of the system or asset it is held on. This includes personal drives, mobiles and desktops.
Reviewing Information
When information has reached the end of its retention period it may need to be reviewed to ensure that it is no longer required. Information that has an action of ‘destroy’ on the Schedule can be disposed of securely without a review or approval. Where a review is required, the Assistant Director, Operations and the Project/Product Lead should consider the relevant information and decide whether it can be destroyed. If a large volume of information is being reviewed at once then this should be conducted at a macro level, i.e., not document by document. If information is marked for permanent preservation or subject to a legal hold it may be necessary to review every document. Information should only be retained beyond its retention period in limited circumstances.
When conducting a review, the following factors should be taken into account:
- Is the information required to fulfil statutory or regulatory requirements?
- Is the information relevant to ongoing litigation / subject to a legal hold?
- Is the information the subject of an information request, or does it relate to information recently disclosed in a response?
- Is retention required to evidence events in the case of a dispute?
- Does the information fall under the selection criteria for permanent preservation and transfer to The National Archives (TNA)?
- Is the information required for a Public Inquiry?
- Is there another demonstrable business need for retaining the information?
If the information is deemed to still be required, an extension of two years is given and the information needs to be reviewed again at the end of the extension. The only exception to this is where the information has been marked for permanent preservation.
The retention period must not be extended indefinitely. You should contact the Assistant Director, Operations if you still intend to keep the information after applying the two-year extension period.
Destruction
When records are no longer required by the organisation and do not have archival value they should be securely destroyed. If the action on the retention schedule is ‘review’, destruction of records should not proceed without approval from the Assistant Director, Operations and the Project/Product Lead.
A record containing what has been destroyed, when it was destroyed and the individual who authorised the destruction should be made on the Retention and Disposal Schedule.
Records should be destroyed with the level of security required by the confidentiality of their contents. For example, if records containing special category data or protectively marked papers have been shredded, the shredded paper should be handled securely and not dumped. Records awaiting destruction must be stored securely. Paper records should be placed into the confidential waste bins and documents stored on electronic systems should be deleted, including back-ups. Deletions should be carried out by someone with appropriate access to the system from which they are being deleted. Digital documents should be deleted and not overwritten.
When information is destroyed, all copies of the information should be destroyed at the same time (both digital and physical). Information cannot be considered to have been completely destroyed unless all copies have been destroyed as well.
Disposal of assets
In line with the 7th principle of the DPA (‘appropriate technical and organisational measures shall be taken against accidental loss or destruction of, or damage to, personal data’), Strive Higher has set up a process to manage the destruction and recycling of our assets i.e. our laptops, phones, USB sticks, and tablets.
Strive Higher is keen to minimise its environmental impact so our policy is to recycle where we can. For this reason, we do not seek to destroy any assets but would cleanse them by reverting them to factory settings according to the guidance laid out by the National Cyber Security Centre (Guidance for buying & selling second-hand devices - NCSC.GOV.UK).
Who is responsible?
The Assistant Director, Operations is responsible for maintaining the inventory of Strive Higher assets and managing the cleansing of data at the end of their life and reverting them to factory settings.
Permanent Preservation
Documents should only be selected for permanent preservation if they meet the criteria below:
- Cases attracting significant media attention
- Cases relating to a public figure that generated significant contemporary interest or controversy
- Cases that led to a change in the interpretation of the law
Any information which is selected for preservation should be clearly marked to ensure it is not destroyed accidentally.
Legal Holds
It is important we retain any information under a legal hold. A legal hold is the process of preserving all forms of information relevant to legal proceedings. If a legal hold is in place there is a freeze on the destruction of any relevant material held by the organisation.
A legal hold might be required if information relates to a Public Inquiry or if it pertains to any litigation that Strive Higher is involved with, such as an FOI Complaint which is subject to appeal. If you are unsure whether information in your possession falls under a legal hold, contact the Information Management Service for advice.
When information falls under a legal hold it should be clearly marked as such so it is not accidentally included in any scheduled destruction.
Strive Higher’s Retention and Disposal Schedule
Communications
Record type | Retention trigger | Retain for | Action | Retention source | Responsible |
---|---|---|---|---|---|
Staff mailboxes and Outlook | Creation | 12 months | Destroy | Business need | Automatically deleted by Microsoft; Asst Dir, Operations |
Physical correspondence | Creation | 12 months or longer if appropriate | Destroy | Business need | Asst Dir, Operations |
Internal email mailboxes | Creation | 12 months | Destroy | Business need | Automatically deleted by Microsoft; Asst Dir, Operations |
Website
Record type | Retention trigger | Retain for | Action | Retention source | Responsible |
---|---|---|---|---|---|
Google Analytics | Creation | 14 months | Destroy | Business Need | Google; Asst Dir, Operations |
Events
Record type | Retention trigger | Retain for | Action | Retention source | Responsible |
---|---|---|---|---|---|
Public Events | Last action | 3 years | Review | Business Need | Asst Dir, Operations |
Staff Events and Briefings | Last action | 3 years | Review | Business Need | Asst Dir, Operations |
Operations
Record type | Retention trigger | Retain for | Action | Retention source | Responsible |
---|---|---|---|---|---|
Health & Safety inspections | Last action | 6 years | Review | Business Need | Asst Dir, Operations |
Asset records | Last action | 6 years | Review | Business Need | Asst Dir, Operations |
IT infrastructure | Last action | 3 years | Review | Business Need | Asst Dir, Operations |
Information Security | Last action | 6 years | Review | Business Need | Asst Dir, Operations |
Projects and programmes | Last action | 3 years | Review | Business Need | Asst Dir, Operations |
IT Back Ups | Last action | Up to 12 months | Destroy | Business Need | Asst Dir, Operations |
Financial Information | End of Financial Year | 6 years | Destroy | HMRC, Companies House | Asst Dir, Operations |
Payroll information | End of Financial Year | 6 years | Destroy | HMRC, Companies House, NEST | Asst Dir, Operations |
Employee files and professional development records | End of Employment | 6 years | Destroy | | Asst Dir, Operations |
Disciplinary and grievance | Last action | 6 years | Destroy | Limitation Act 1980 | Asst Dir, Operations |
Job descriptions and contracts | Last action | 6 years | Destroy | Limitation Act 1980 | Asst Dir, Operations |
General annual leave records | End of Financial Year | 3 years | Destroy | Employee personnel records | Asst Dir, Operations |
Maternity, Paternity, Adoption and Sick Leave | End of Financial Year | 4 years | Destroy | Statutory Pay | Asst Dir, Operations |
Successful recruitment candidate information | End of employment | 2 years | Destroy | Employee Personnel Records | Asst Dir, Operations |
Unsuccessful recruitment candidate information | Last action | 6 months | Destroy | Limitation Act 1980 | Asst Dir, Operations |
Staff pension, pay history, contracts, Offer letters, and termination reasons | From recruitment | At least 6 years and as long as they remain relevant | Destroy | Employee Personnel Records | Asst Dir, Operations |
Emergency contact details provided by staff member | End of employment | Immediate | Destroy | Business Need | Asst Dir, Operations |
Medical/self-certificate unrelated to occupational injury | End of absence | 4 years | Destroy | Employee Personnel Record | Asst Dir, Operations |
Secondary employment and outside interests declaration | End of employment | 6 years | Destroy | Business Need | Asst Dir, Operations |
MHFA application and training records | Acceptance to MHFA Scheme | 3 years | Destroy | Business Need | Asst Dir, Operations |
Significant draft versions of policies, advice and guidelines for significant pieces of work | Last action | 3 years | Review | Business Need | Asst Dir, Operations |
Team administration | Creation | 3 years | Review | Business Need | Asst Dir, Operations |
Templates | Superseded | 3 years | Review | Business Need | Asst Dir, Operations |
Procedures | Superseded | 3 years | Review | Business Need | Asst Dir, Operations |
Internal team meeting minutes | Last action | 3 years | Review | Business Need | Asst Dir, Operations |
Policies | Superseded | 3 years | Review | Business Need | Asst Dir, Operations |
Training materials | Superseded | 6 years | Destroy | Limitation Act 1980 | Asst Dir, Operations |
Staff photographs | End of employment | Up to 12 months | Review | Business Need | Asst Dir, Operations |
Legal
Record type | Retention trigger | Retain for | Action | Retention source | Responsible |
---|---|---|---|---|---|
Non-disclosure Agreements | Last action | 2 years | Review | Business Need | Asst Dir, Operations |
Unsuccessful tenders | Last action | 2 years | Review | Contractual records | Asst Dir, Operations |
Contracts | End of contract | 6 years | Review | Contractual records | Asst Dir, Operations |
Legal advice | Last action | 6 years | Review | Limitation Act 1980 | Asst Dir, Operations |
Regulatory
Record type | Retention trigger | Retain for | Action | Retention source | Responsible |
---|---|---|---|---|---|
Breach report – action taken | Case Closed | 6 years | Review | Limitation Act 1980 | |
Breach report – informal action taken and advice provided | Case Closed | 2 years | Destroy | Business Need | Asst Dir, Operations |
Breach report – no further action | Case Closed | 2 years | Destroy | Business Need | Asst Dir, Operations |
Data Protection Fee Information | Lapsed registration | 2 years | Destroy | Business Need | Asst Dir, Operations |
Data Protection and FOI complaints | Case closed | 2 years | Destroy | Business Need | Asst Dir, Operations |