Retention Policy

1. Introduction

This Retention (“Policy”) applies to Bristow & Sutor.

This Policy covers all records and documentation, whether analogue or digital and are subject to the retention requirements of this Policy.

For the purpose of this Policy, the terms ‘document’ and ‘records’ include information in both hard copy and electronic form and have the same meaning hereby referred to as Documents or Documentation.

In certain circumstances it will be necessary to retain specific records in order to fulfil statutory or regulatory requirements and to meet operational needs. Any retention of specific records should be retained under the retention period specified in Retention of Records Schedule 1 and Retention of Digital Records Schedule 2.

2. Scope

Bristow & Sutor is bound by various obligations with regard to the documentation and electronic data it retains. These obligations include the period of retention for Documentation and when and how this documentation is disposed.

Article 5 of GDPR provides “personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”. The purpose of this Policy is to ensure that necessary records, documents and electronic data of Bristow & Sutor are adequately protected, archived and disposed of at the correct retention period, and to provide all staff with clear instructions regarding the appropriate retention and disposal of Documentation.

This Policy will also aid paper records and electronic data storage issues identified throughout the business and to eliminate the need to retain paper and electronic records unnecessarily.

Bristow & Sutor will ensure that information is not kept longer than is necessary and will retain the minimum amount of information that it is required to hold to meet its statutory functions and the provision of its services.

3. Legal obligation

Please refer to the External Publication Register.

4. Retention Procedure

All decisions relating to the retention and disposal of Documents should be taken in accordance with this Policy in particular:

Schedule 1 - Retention of Records Schedule - Provides the required retention periods, including the statutory minimum retention period for specific Documents.

Schedule 2 - Retention of Digital Records - Provides the required retention periods for all digital Documents.

In circumstances where a retention period of a specific document has expired, a review should always be carried out prior to a decision being made to dispose of the record.

5. Retention of Encrypted Data

Any information retained under this Policy that is in an encrypted format, consideration must be taken for the secure storage of any encryption keys. Encryption keys must be retained as long as the data that the keys decrypt is retained.

6. Retention of Digital Data

Any digital data including media and email files are retained. Email files are saved within the Exchange Server, network shared files are saved on the secure Dell EqualLogic SAN. The backup of electronic data is saved to tape daily onsite and offsite in a secure data centre.

The process for accessing stored electronic data is restricted by permissions managed by Active Directory. There is a full audit trail of user activity, to identify when data has been accessed, edited, deleted and by whom. Files lost or deleted can be recovered within a period of 60 days.

All portable / removable storage media are physically destroyed. This is done internally following the erasure of the data contained.

Bristow & Sutor does not store records of cryptographic keys.

7. Archiving and Retention of Documentation

Archiving is defined as the process by which inactive data, in any format is securely stored for long periods of time in accordance with a retention schedule.

Bristow & Sutor archives paper records onsite. This includes all forms of paper-based records, which hold Personal Information for staff and debtors. Such as letter, paper files, personnel files, visitors books and accident books.

Information on current staff and leavers are stored for up to seven years in electronic form and hardcopy depending on the type of data. Sales & Marketing records are stored as hard copies. Most data on debtors and clients are stored in electronic form. Hard copies of debtors’ data are scanned, then shredded within 7 days of receipt.

Hard copies are disposed of by shredding, following the retention period. This is carried out onsite by the ‘approved contractor’.

There may be exceptions where documentation will need to be retained for longer periods on site, such as personal details and Arrest Warrant documentation. In these instances, the managers in charge will be responsible for ensuring that the documentation is held in a safe and secure location.

8. Archiving Process

The method of archiving selected for a particular document will vary between departments and services. Any questions regarding archiving should be raised in the first instance with the department manager.

9. Disposal of Records

Any record containing confidential information must be disposed of by staff putting in the locked secure bins ‘shreddy bins’, to have ready for shredding during the scheduled days.

Disposal of documents that do not contain confidential information may be disposed of in the normal way or recycled.

Record of disposal is maintained by means of a Waste Transfer Note, which is provided by the contractor, which is a Certification of Destruction. The certificate details the date and the invoice number.

10. Disposal of Electrical Hardware

IT equipment and devices that have the ability and capability to store personal data include:

  • PCs
  • Laptops
  • Mobile Phones
  • Multi-Functional Devices – printers / scanners
  • Servers
  • USB Memory Sticks and external hard drives

IT equipment disposal must be managed by the Head of ICT. All computer equipment, recycling or refurbishing must be disposed of in accordance with the Waste Electric and Electronic Equipment Regulations 2013.

11. Document Owner

The Data Protection Officer is the owner of this document and is responsible for ensuring that this Policy is reviewed in line with the review requirements of GDPR.

SCHEDULE 1

RETENTION OF RECORDS SCHEDULE

Record type - Application forms for unsuccessful candidates
Contact
- MLB
Retention period
- 6 Months after notification to candidate
Retention justification
- dispute resolution purposes relating to employment law
Location stored
- Locked Cabinet in F&P office

Record type - Company Financial Records
Contact - 
MLB
Retention period - 6 + 1 years
Retention justification - Companies Act 2006
Location stored - 
Locked Cabinet in F&P office

Record type - Capability and Disciplinary Documents (Substantiated)
Contact
- MLB and all other departmental managers
Retention period - 2 years following the issue of the warning (Annual Review)
Retention justification - TUPE 2006 Case law permitting expired warnings to be referred to (but not built upon). Unreasonable to refer back after 2 years
Location stored
- Personnel files

Record type - Client files
Contact -
SB
Retention period - 6 + 1 years
Retention justification - Used for business purposes. This may be kept indefinitely as there is the likelihood for contracts to be renewed within 7 years from last transaction.
Location stored -
Block 1 (double office)

Record type - Court Documents
Contact -
CJF
Retention period - Indefinitely
Retention justification - Used for business purposes
Location stored -
Compliance

Record type - Health & safety, Accident books, records and reports
Contact -
MLB
Retention period - 15 years
Retention justification - 3 years from last entry (or until person is 21 years old) The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (SI 1995/3163) as amended, and max. 15 years for negligence (in respect of latent damage) Limitation Act 1980
Location stored -
Hard copies are scanned and saved electronically then the originals are shredded bi-annually.

Record type - Holidays request records
Contact -
MLB
Retention period - 12 months
Retention justification - Used for business purposes
Location stored - Locked cupboard in the Finance office

Record type - Letters and documents relating to debtors/third parties
Contact -
DW
Retention period - 1 week
Retention justification - N/A
Location stored - Hard copies are scanned and saved electronically then the originals are shredded within a week.

Record type - Main Personnel file
Contact -
MLB
Retention period - 6 years after staff leave the organisation
Retention justification - For 'reasons of employment contract'
Location stored - Locked cabinet in F&P office

Record type - Paying-in Books
Contact -
JOB
Retention period - 2 years (Annual Review)
Retention justification - Legitimate Interest
Location stored - EA Office. These do not need to be kept for more than 2 years as the record of payment is copied to Finance

Record type - Receipt Books
Contact -
Enforcement & General Office Managers
Retention period - 2 years (Annual Review)
Retention justification - Legitimate Interest
Location stored - Enforcement & General Office. Completed booklets may be archived (locked). These do not need to be kept for more than 2 years as the record of payment is copied to Finance

Record type - Records from reception – “Payment records.”
Contact -
MLB
Retention period - 1 year (Annual Review)
Retention justification - Legitimate Interest
Location stored - Secure Cash Office

Record type - Supplier Contracts
Contact -
RJS
Retention period - 6 + 1 years from expiry
Retention justification - Limitation Act 1980
Location stored - Locked cupboard in the Finance office

Record type - Sickness Records
Contact -
MLB
Retention period - 12 months
Retention justification - Health & Safety Act 1974
Location stored - Locked cupboard in the Finance office but electronic copy available. Refer to Schedule 2

Record type - Timesheets
Contact -
MLB
Retention period - 6 years
Retention justification - Working Time Regs 1998
Location stored - Locked cupboard in the Finance office but electronic copy available. Refer to Schedule 2

SCHEDULE 2

RETENTION OF DIGITAL RECORDS SCHEDULE

General Practices

Record type - Audit Schedules
Contact -
DM
Retention period - 4 + 1 Years
Retention justification - As an organisation NQA retention policy is to keep 2 audit cycles worth of reports for every client. An audit cycle is usually 2 years.
Application requirement/ device - Stored in Central Files
Disposal method: Manual - following annual review

Record type - ANPR Camera
Contact -
JOB
Retention period - After 5000 records
Retention justification - It is used to see if any hit can be enforced. The system records all number plates that cross the camera and overwrites them if there are no matches. The data that is not relevant is held for a maximum of one week.
Application requirement/ device - Spreadsheet
Disposal method: Automatic deletion (Data overwritten)

Record type - Body Worn Video recordings
Contact -
JOB
Retention period - 90 days
Retention justification - Monitor the performance of employees and agents. Ensure compliance with applicable laws and to be able to respond adequately and fairly in the event that complaints are made. If there is an issue on a case that requires us to keep it longer than the 90 days stated, the footage is stored on Q drive – this is reviewed annually by JOB & SB and deleted if it’s no longer relevant.
Application requirement/ device - Encrypted video cameras - The video cameras are encrypted and all data is encrypted. The data is not stored on a memory card but within the camera. Some of these are also downloaded and stored in Central Files. Subject Access Requests for video recordings are also stored in Central Files and OneDrive for secure sharing.
Disposal method: Automatic deletion and manual deletion for reviewed recordings.

Record type - CCTV
Contact -
IWL
Retention period - 1 to 7 months from the date of recording (each location has a different storage facility). EA Office: Up to 7 months. Server Room 2: Up to 1 month. Cash Office: 6 months
Retention justification - Monitoring & Security
Application requirement/ device - Images captured by the system are recorded and stored within a secure server room, the Enforcement Manager’s Office and the Cash Office. Monitors are sited within the secure server room and the Enforcement Manager’s office. Web-based access is also available for restricted staff.
Disposal method: Automatic - overwrite footage once the retention time is reached.

Record type - Complaints
Contact -
SB
Retention period - 6 + 1 years from the completion of the case. (But archived after 2 years) as Case enquiry
Retention justification - Analyse any trends
Application requirement/ device - Details of complaints (which include debtors’ names and employees’ names, as well as council names) are stored on the Intranet, as well as Central Files.
Disposal method: Manual - following annual review

Record type - Compliments
Contact -
SB
Retention period - Indefinitely
Retention justification - Marketing, although data is anonymised
Application requirement/ device - Access to Central Files
Disposal method: Manual - following annual review

Record type - Data Breach Records
Contact -
SB
Retention period - 6 + 1 years
Retention justification - Retained in case required by ICO or other appropriate authority
Application requirement/ device - Central Files
Disposal method: Manual - following annual review

Record type - Document Change Notices
Contact -
DM
Retention period - 6 + 1 years
Retention justification - Quality Assurance
Application requirement/ device - Central Files
Disposal method: Manual - following annual review

Record type - Emails
Contact -
IWL
Retention period - 6 + 1 years
Retention justification - to satisfy customer complaints
Application requirement/ device - Access to Microsoft Outlook
Disposal method: Deletion from account (automatic). Also managed manually by each account holder

Record type - Enforcement Agent Employment Portal
Contact -
JOB
Retention period - 1 week
Retention justification - Workflow is deleted weekly and automatically overwrites with new route details.
Application requirement/ device - Log-in from internal network, PDA or externally via website portal.
Disposal method: Automatic deletion

Record type - Main Case Information
Contact -
JM
Retention period - 2 + 5 years
Retention justification - 2 years after completion. After this, the cases will then be archived for a further 5 years with restricted access - for legal obligations to HMRC and reason of dispute resolution, complaints, and defence of legal claims. Restricted access to Operational Managers (including Directors), Audit staff, IT Development & Support staff) only
Application requirement/ device - Case enquiry
Disposal method: Automatic archiving and deletion

Record type - Minutes of meetings
Contact -
DM
Retention period - Indefinitely
Retention justification - They are a record of when we introduced changes to our processes and why
Application requirement/ device - Access to Central Files
Disposal method: Manual - following annual review

Record type - New Client Initiation Form / Amendment Forms/ New Client Amendment checklists (ECS Contact)
Contact - SB
Retention period - 6 + 1 years (after end of relationship with the client)
Retention justification - Staff and Clients’ names to show who agreed what with whom – can be needed for many years after we’ve ceased working for a client. Ideally, we’d like to keep indefinitely in case of later disputes with councils we may have fallen out with and defence of possible claims.
Application requirement/ device - Access to Central Files
Disposal method - Manual - following annual review

Record Type: Non-compliance reports
Contact: DM
Retention Period: Indefinitely
Retention Justification: Personal Information may be redacted where necessary
Application Requirement/Device: Access to Central Files
Disposal Method: Manual - following annual review

Record Type: Purchases
Contact:
MLB
Retention Period: Indefinitely
Retention Justification: Used for business purposes
Application Requirement/Device: Stored in Central Files
Disposal Method: Manual - following annual review

Record Type: Safeguarding Reports
Contact:
JOB
Retention Period: 2 years
Retention Justification: Public interest - to help protect vulnerable adults/children
Application Requirement/Device: Stored in Central Files
Disposal Method: Manual delete, following review

Record Type: Sales & Marketing database
Contact:
AL
Retention Period: Indefinitely
Retention Justification: Marketing data is stored indefinitely unless the data subject opts out
Application Requirement/Device: Accessed via the Intranet
Disposal Method: Manual delete, following review

Record Type: Staff Rotas
Contact: Dept. Managers
Retention Period: 2 years
Retention Justification: Used for business purposes
Application Requirement/Device: Stored in Central Files
Disposal Method: Manual delete, following review.

Record Type: Staff DSE Forms
Contact:
DM
Retention Period: 6 + 1 years
Retention Justification: Used for business purposes
Application Requirement/Device: Stored in Central Files
Disposal Method: Manual delete, following review.

Record Type: Staff Training Records (Skills Matrix)
Contact:
Dept. Managers
Retention Period: 1 year following end of employment
Retention Justification: Used for business purposes
Application Requirement/Device: Stored in Central Files
Disposal Method: Manual delete, following review.

Record Type: Suggestion Forms (Environment)
Contact:
DM
Retention Period: 6 + 1 years
Retention Justification: Used for business purposes
Application Requirement/Device: Access to Central Files
Disposal Method: Manual - following annual review

Record Type: Telematics
Contact:
JOB
Retention Period: 2 years
Retention Justification: Monitoring and providing support and used for insurance purpose
Application Requirement/Device: Greenroad Server in Ireland
Disposal Method: Data is deleted by Greenroad

Record Type: Telephone Recordings
Contact:
JM
Retention Period: 1 year
Retention Justification: Monitoring the performance of employees. Ensure compliance with applicable laws and to be able to respond adequately and fairly in the event that complaints are made.
Application Requirement/Device: Mitel MX One phone system records name and extension number and updates Active Directory. Some of these are recorded and stored in central files. Subject Access Requests for Telephone recordings are also stored in OneDrive for secure sharing.
Disposal Method: Automatic deletion

Pay Roll

Record Type: Accounting Records
Contact:
MLB
Retention Period: 6 + 1 years
Retention Justification: Section 221 of the Companies Act 1985 as modified by the Companies Acts 1989 and 2006
Application Requirement/Device: Access to Central Files
Disposal Method: Deleted manually following annual

Record Type: Expense Accounts
Contact:
MLB
Retention Period: 6 + 1 years following year end
Retention Justification: Companies Act 1985, section 222 as modified by the Companies Act 1989 and Companies Act 2006
Application Requirement/Device: Access to Central Files
Disposal Method: Deleted manually following annual

Record Type: Inland Revenue/HMRC approvals
Contact:
MLB
Retention Period: Permanently
Retention Justification: Recommended practice (CIPD)
Application Requirement/Device: Access to Central Files
Disposal Method: Deleted manually following annual

Record Type: Audit reports
Contact:
MLB
Retention Period: 6 + 1 years
Retention Justification: HMRC Requirements
Application Requirement/Device: Access to Central Files
Disposal Method: Manual - following annual review

Record Type: Staff Data: (Main file, including Qualifications, Professional Insurance)
Contact:
MLB
Retention Period: 6 years after staff leaves the organisation
Retention Justification: For ‘reasons of employment contract’
Application Requirement/Device: Access to Sage (Snowdrop)
Disposal Method: Deleted manually following annual review

Record Type: Staff Data: Right to work checks
Contact:
MLB
Retention Period: Two years after employment
Retention Justification: Recommended practice (Home Office)
Application Requirement/Device: Staff File
Disposal Method: Deleted manually following annual review

Record Type: Staff Data: Grievance documents
Contact:
MLB
Retention Period: 6 months following end of employment
Retention Justification: Limitation incl. EC for ‘last straw’ constructive dismissal and discrimination claims etc
Application Requirement/Device: Staff File
Disposal Method: Deleted manually following annual review

Record Type: Staff Data: References issued for employment
Contact:
MLB
Retention Period: 1 year
Retention Justification: Defamation Act 1996 1 - year limitation (in respect of any shared comments)
Application Requirement/Device: Staff File
Disposal Method: Deleted manually following annual review

Record Type: Staff Data: Redundancy – documentation
Contact:
MLB
Retention Period: 6 years following end of redundancy
Retention Justification: Limitation Act 1980
Application Requirement/Device: Staff File
Disposal Method: Deleted manually following annual review

Record Type: Staff Data: References issued for employment
Contact:
MLB
Retention Period: 1 year
Retention Justification: Defamation Act 1996 1-year limitation (in respect of any shared comments)
Application Requirement/Device: Staff File
Disposal Method: Deleted manually following annual review

Record Type: Staff Data: References and correspondence that may produce legal affects (mortgage, loan, etc)
Contact: MLB
Retention Period: 3 years following issue
Retention Justification: Limitation Act 1980 – limitation for negligence when immediately aware
Application Requirement/Device: Staff File
Disposal Method: Deleted manually following annual review

Record Type: Staff Data: Wage/salary records (also overtime, bonuses, expenses)
Contact:
MLB
Retention Period: 6 years
Retention Justification: Taxes Management Act 1970.
Application Requirement/Device: Staff File
Disposal Method: Deleted manually following annual review

Record Type: Staff Data: Pension records
Contact:
MLB
Retention Period: 12 years after benefit ceases. Avoid access unless required
Retention Justification: Recommended practice (CIPD)
Application Requirement/Device: Staff File
Disposal Method: Deleted manually following annual review

Record Type: Staff Data: Statutory Adoption, Paternity and Maternity Pay records, calculations, matching certificates and leave
Contact:
MLB
Retention Period: 3 years after the end of the tax year
Retention Justification: Maternity & Parental Leave Regulations 1999
Application Requirement/Device: Staff File
Disposal Method: Deleted manually following annual review

Record Type: Staff Data: Sickness and injury records (work related) (other than those listed under ‘Health and Safety’)
Contact:
MLB
Retention Period: 15 years
Retention Justification: 3 years for personal injury claim, 15 years for negligence (in respect of latent damage) Limitation Act 1980
Application Requirement/Device: Staff File
Disposal Method: Deleted manually following annual review

Record Type: Unsuccessful Candidate Data: Application forms and interview notes
Contact:
MLB
Retention Period: 6 – 12 months
Retention Justification: Defamation Act 1996 1 year limitation (in respect of any shared comments)
Application Requirement/Device: Access to Sage (Snowdrop)
Disposal Method: Automatic deletion

Record Type: Staff Data: Next of Kin Details
Contact:
MLB
Retention Period: 3 months following end of employment
Retention Justification: Vital interest
Application Requirement/Device: Access to Sage (Snowdrop)
Disposal Method: Automatic deletion from snowdrop (6m). Manually following annual review for detailing in staff file.

Health & Safety

Record Type: Accident books, records and reports
Contact:
MLB
Retention Period: 15 years
Retention Justification: 3 years from last entry (or until person is 21 years old) The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (SI 1995/3163) as amended, and max. 15 years for negligence (in respect of latent damage) Limitation Act 1980
Application Requirement/Device: Locked Cabinet in F&P
Disposal Method: Deleted manually following annual review

Record Type: First aid training
Contact:
MLB
Retention Period: 6 years after employment
Retention Justification: Health and Safety (First-Aid) Regulations 1981
Application Requirement/Device: Certificates on wall and copy filed in F&P
Disposal Method: Deleted manually following annual review

Record Type: H&S representatives training
Contact:
MLB
Retention Period: 5 years after employment
Retention Justification: Health & Safety (Consultation with employees) Regulations 1996
Application Requirement/Device: Certificates on wall and copy filed in F&P
Disposal Method: Deleted manually following annual review

Record Type: H&S training - employees
Contact:
MLB
Retention Period: 5 years after employment
Retention Justification: H&S Information for Employees Regulations 1989
Application Requirement/Device: Certificates on wall and copy filed in F&P
Disposal Method: Deleted manually following annual review

Record Type: Health records made in connection with health surveillance (according to HSE)
Contact:
MLB
Retention Period: 40 years
Retention Justification: Recommended practice (HSE) The Control of Substances Hazardous to Health Regulations 1999 and 2002
Application Requirement/Device: There is database on the Intranet that first aiders / managers have access to employees (both past and present) medical conditions.
Disposal Method: Deleted manually following annual review

Record Type: Risk assessments
Contact:
DM
Retention Period: Indefinite (dependent on the type)
Retention Justification: Recommended practice (CIPD)
Application Requirement/Device: Staff file. Also the Health & Safety Risk Assessments are also stored in Central Files, on the Company Intranet and some of them on the Enforcement Agent’s Portal.
Disposal Method: N/A

Andy Rose – Chief Executive Officer

Bristow & Sutor
Last Review Date: 4th June 2019

BSPOL 12 Retention Policy Rev 01 04.06.19