Data retention policy
The purpose of this policy is to detail the procedures for the retention and disposal of data to ensure that we carry this out consistently and that we fully document any actions taken. Unless otherwise specified the retention and disposal policy refers to both hard and soft copy documents.
We will review our records for consent every two years in order to determine whether they should be continue to be stored, retained for a further period, transferred to an archive or destroyed. This will include:
3. Background information
a. A professional negligence claim can be brought for up to 6 years from the date of the alleged error. To defend such a claim, records which would need to be kept include case notes (including letters/emails) and staff/volunteer records (eg training and supervision).
b. Statute of limitations on financial claims is (usually) 6 years. Financial claims could include claims against a client by a creditor or against Sunnybank by an ex employee.
c. Unsuccessful candidates can bring a discrimination claim up to 3 months but a Tribunal could be beyond that period.
We will assess our records to:
Determine their value as a source of information about the charity, its operations, relationships and environment
Assess their importance as evidence of charitable activities and decisions
Establish whether there are any legal or regulatory retention requirements (including: Public Records Act 1958, Data Protection Act 1998, the Freedom of Information Act 2000, the Limitation Act 1980, the General Data Protection Regulation 2018).
4. HR Records
Where records are of a previous member of staff they will be retained on file as follows
5. Time duration for data retention
Data will be destroy after an agreed period – where the useful life of a series or collection of records can be easily predetermined.
6. Methods of data disposal
a. Non-sensitive information – can be placed in a normal rubbish bin
b. Confidential information – cross cut shredded and pulped or burnt
c. Electronic equipment containing information - destroyed using …….. and for individual folders, they will be permanently deleted from the system. Destruction of electronic records should render them non-recoverable even using forensic data recovery techniques.
All duplicate records should be destroyed. Where information has been regularly shared between business areas, only the original records should be retained in accordance with the guidelines in section 2 above. Care should be taken that seemingly duplicate records have not been annotated.
Where we share information with other bodies, we will ensure that they have adequate procedures for records to ensure that the information is managed in accordance with the guidelines above and fulfil relevant legislation and regulatory guidance.
Where relevant to do so we will carry out a data privacy impact assessment and update our privacy notices to reflect data sharing.