Purpose
The purpose of this data retention policy is to ensure that all data, including electronic and physical, is retained for a specific period based on business and regulatory requirements. This policy aims to protect the confidentiality, integrity and availability of the data.
Scope
This policy covers all data collected by and stored on the Company owned or leased systems and media, regardless of location. It applies to both data collected and held electronically and data that is collected and held as hard copy or paper files. The need to retain certain information may be mandated by legal and regulatory requirements, legitimate business purposes and UK-GDPR.
Reasons for Data Retention
- Legal and Regulatory Requirements: Data may need to be retained to comply with various laws and regulations, such as tax laws, employment laws, health and safety laws, and financial regulations.
- Litigation and Legal Claims: Data may need to be retained in case of litigation or legal claims.
- Business Needs: Data may need to be retained for various business needs, such as record-keeping, auditing, or historical data analysis.
- Intellectual Property: Data may need to be retained to protect intellectual property rights.
- Contractual Obligations: Data may need to be retained to comply with contractual obligations, such as confidentiality or non-disclosure agreements.
- Historical or Archival Purposes: Data may need to be retained for historical or archival purposes, such as preserving important documents or records.
- Health and Safety: Data may need to be retained for health and safety reasons, such as tracking workplace accidents or incidents.
Review and Update
This policy shall be reviewed and updated annually or as required by changes in business needs, regulatory requirements, or best practices. The review shall include an assessment of the effectiveness of this policy in achieving its objectives.
Destruction of records
No destruction should take place without assurance that:
- The data is no longer required by the business
- No payment is outstanding
- No litigation or investigation is current or pending which affects the data
- There are no Subject Access Requests which affect the data
Data Destruction Methods
Physical destruction: This method involves physically destroying the media on which the data is stored, such as cross-shredding paper documents, degaussing magnetic storage media or physically damaging hard drives or other electronic storage devices.
Overwriting: Overwriting involves writing new data over the existing data to make it unreadable. The number of times the data is overwritten can vary depending on the sensitivity of the data and the risk of it being recovered.
Cryptographic erasure: Cryptographic erasure involves using encryption to render the data unreadable. This method is commonly used for electronic data that is stored on disks or other storage devices.
Degaussing: Degaussing involves the use of a magnetic field to erase data from magnetic storage media such as hard drives, floppy disks, or tapes. This method is commonly used for electronic data.
When using any of the above methods, Bitz ‘n’ PC’z Ltd shall verify that the data has been destroyed securely and irreversibly.
Disposal Schedules:
6 years from the end of the last company financial year they relate to
Includes:
- records about the company itself
- financial and accounting records
- directors, shareholders and company secretaries
- the results of any shareholder votes and resolutions
- promises for the company to repay loans at a specific date in the future (‘debentures’) and who they must be paid back to
- promises the company makes for payments if something goes wrong and it’s the company’s fault (‘indemnities’)
- transactions when someone buys shares in the company
- loans or mortgages secured against the company’s assets
- Register of ‘people with significant control’
- all money received and spent by the company, including grants and payments from coronavirus (COVID-19) support schemes
- details of assets owned by the company
- debts the company owes or is owed
- stock the company owns at the end of the financial year
- the stocktakings used to work out the stock figure
- all goods bought and sold
- who they were bought from and sold to (unless the company runs a retail business)
- all money spent by the company, for example receipts, petty cash books, orders and delivery notes
- all money received by the company, for example invoices, contracts, sales books and till rolls
- any other relevant documents, for example bank statements and correspondence
Until no longer needed or requested to be deleted. (As we’re mainly B2B, customer data will be retained for 6 years after the end of the contract).
Customers can request deletion via our Withdrawal of Consent process.
2 years from the date on which they were made
Includes:
- Records relating to working time
- Accident books, accident records/reports
Applicable Laws:
- The Working Time Regulations 1998
- The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995.
For the period of employment plus 6 years after the employee leaves the business.
Applicable Laws:
- Limitation Act 1980
For the period of employment plus 6 years after the employee leaves the business.
Applicable Laws:
- Limitation Act 1980
- The Income Tax (Employments) Regulations 1993
- Taxes Management Act 1970
- National Minimum Wage Act 1998
For the period of employment plus 6 years after the employee leaves the business.
Applicable Laws:
- Autoenrollment regulations
3 years after the end of the tax year to which they relate.
Includes:
- Statutory Maternity Pay records, calculations, certificates or other medical evidence;
- Statutory Sick Pay records, calculations, certificates, self-certificates
Applicable Laws:
- The Statutory Maternity Pay (General) Regulations 1986
- The Statutory Sick Pay (General) Regulations 1982