Data Retention, Destruction and Disposal Policy
Overview
As an organisation, Opus Works has a responsibility to protect the integrity and confidentiality of personal data held by us with regard to our clients, employees and partners. Individual employees also have that obligation with regard to unauthorised disclosure of data, whether it is oral, printed, hand-written or computer based.
Purpose
This policy has been written to provide the necessary information to Opus Works employees and contractors detailing their duties under the Data Protection Act 1998 and Record Retention procedures.
This policy has also been written to set out the standards expected of Opus Works employees and contractors in relation to the processing of personal data and safeguarding individuals’ rights.
The Data Protection Act 1998 has two core purposes:
- To regulate the use of personal data on living individuals by those (known as data controllers) who obtain, hold and process it.
- To provide certain rights (for example, of accessing personal information) to those living individuals (known as data subjects) whose data is held.
Policy
Retention
Data and records should not be kept for longer than is necessary. This principle finds statutory form in the Data Protection Act 1998, which requires that personal data processed for any purpose “shall not be kept for longer than is necessary for that purpose”. See the Data Protection Policy for more details.
Please see the Record Retention Schedule at the end of this Policy.
Destruction and Disposal
To ensure compliance with the Data Protection Act 1998, all information, in any format, held at any Opus Works location must be destroyed after the retention period. All information, in any format, held by Opus Works must be destroyed in a way which does not breach the confidentiality of our employees, contractors and customers.
All office paperwork for destruction should be shredded. Other paper can be disposed of in the bins provided in offices as long as it contains no sensitive or identifiable information – if in any doubt then it must be shredded.
The procedure for the destruction of Confidential or Sensitive Waste on electronic media such as USB sticks, SD cards, hard drives or other removable media is:
- Destruction is agreed by the Operations Manager, ISMS Committee or Director
- The media is held by the Office
- The Office will forward the device or media to a reputable supplier for secure destruction or secure erasing (if the media or device will be given to a charity or school)
Destruction of back-up copies of such data will also be dealt with in the same manner.
Record Retention Schedule
| Document | Retention Period | Extra Information / Source |
|---|---|---|
| Sickness / Sick Pay | 3 years | The Statutory Sick Pay (General) Regulations 1982 (SI 1982/894) as amended |
| Maternity Leave / Pay | 3 years after the relevant tax period | The Statutory Maternity Pay (General) Regulations 1986 (SI 1986/1960) as amended |
| Wages / Salary | 6 years recommended after the relevant Tax year, 3 years minimum | Taxes Management Act 1970 |
| Application Forms and Interview notes for unsuccessful candidates | 6 months to 1 year | Not statutory, in case of any discrimination challenge. |
| Personnel Files | 6 years after employment ceases | Not statutory |
| Training Records | 6 years after employment ceases | Not statutory |
| Medical Certificates | 4 years recommended | Not statutory |
| Disciplinary | 6 years after employment ceases | www.acas.org.uk |
| Redundancy | 6 years after employment ceases | Not statutory |
| Recruitment and eligibility to work in the UK | Throughout the period of working and at least 3 years after employment finishes. | Copies of all relevant documents should be retained. |
| Accounting documents | Minimum 3 years, 6 years recommended | Section 221 of the Companies Act 1985 as modified by the Companies Acts 1989 and 2006 |
| Tax Records | 6 years minimum | The Income Tax (Employments) Regulations 1993 (SI 1993/744) as amended, for example by The Income Tax (Employments) (Amendment No 6) Regulations 1996 (SI 1996/2631) |
| Contracts | 6 years | Public service contract regulations 1993; Public supply contract regulations 1995 |
| Contracts under seal | 12 years | Public service contract regulations 1993; Public supply contract regulations 1995 |
| Employer’s Liability | The requirement to retain compulsory employers’ liability certificates for 40 years ceased on 1 October 2008; however, it is advised to continue to keep them this long in case of claims. | Tracing Code of Practice includes a commitment from insurers to keep employers’ liability records for 60 years |
| Hazardous substances (Asbestos) | 40 years 30 years from the date the substance was received into the work place | Occupational Safety and Health Act (OSHA), The Control of Substances Hazardous to Health Regulations 1999 and 2002 (COSHH) (SIs 1999/437 and 2002/2677) |
| Industrial Accidents | 12 years | Personal liability claims can only be made up to 12 years after the event. |
| Accident Books/Reports | 3 years | The Reporting of Injuries Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (SI 1995/3163) as amended. |
| Maintenance of Premises | 3 years | Essential Standards of Quality & Safety (March 2010) |
| Maintenance of Equipment | 3 years | Essential Standards of Quality & Safety (March 2010) |
| Electrical Testing | 3 years | Essential Standards of Quality & Safety (March 2010) |
| Fire Safety | 3 years | Essential Standards of Quality & Safety (March 2010) |
| Water Safety | 3 years | Essential Standards of Quality & Safety (March 2010) |
Policy Compliance
Compliance Measurement
The ISMS Committee team verifies compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions
Any exception to the policy must be approved by the ISMS Committee team in advance.
Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.