Data Retention Policy

Purpose

The purpose of this data retention policy is to ensure that all data, including electronic and physical, is retained for a specific period based on business and regulatory requirements. This policy aims to protect the confidentiality, integrity and availability of the data.

Scope

This policy covers all data collected by and stored on the Company owned or leased systems and media, regardless of location. It applies to both data collected and held electronically and data that is collected and held as hard copy or paper files.  The need to retain certain information may be mandated by legal and regulatory requirements, legitimate business purposes and UK-GDPR.

Reasons for Data Retention

1. Legal and Regulatory Requirements: Data may need to be retained to comply with various laws and regulations, such as tax laws, employment laws, health and safety laws, and financial regulations.
2. Litigation and Legal Claims: Data may need to be retained in case of litigation or legal claims.
3. Business Needs: Data may need to be retained for various business needs, such as record-keeping, auditing, or historical data analysis.
4. Intellectual Property: Data may need to be retained to protect intellectual property rights.
5. Contractual Obligations: Data may need to be retained to comply with contractual obligations, such as confidentiality or non-disclosure agreements.
6. Historical or Archival Purposes: Data may need to be retained for historical or archival purposes, such as preserving important documents or records.
7. Health and Safety: Data may need to be retained for health and safety reasons, such as tracking workplace accidents or incidents.

Review and Update

This policy shall be reviewed and updated annually or as required by changes in business needs, regulatory requirements, or best practices. The review shall include an assessment of the effectiveness of this policy in achieving its objectives.

Destruction of records

No destruction should take place without assurance that:

• The data is no longer required by the business
• No payment is outstanding
• No litigation or investigation is current or pending which affects the data
• There are no Subject Access Requests which affect the data

Data Destruction Methods

Physical destruction: This method involves physically destroying the media on which the data is stored, such as cross-shredding paper documents, degaussing magnetic storage media or physically damaging hard drives or other electronic storage devices.

Overwriting: Overwriting involves writing new data over the existing data to make it unreadable. The number of times the data is overwritten can vary depending on the sensitivity of the data and the risk of it being recovered.

Cryptographic erasure: Cryptographic erasure involves using encryption to render the data unreadable. This method is commonly used for electronic data that is stored on disks or other storage devices.

Degaussing: Degaussing involves the use of a magnetic field to erase data from magnetic storage media such as hard drives, floppy disks, or tapes. This method is commonly used for electronic data.

When using any of the above methods, Bitz ‘n’ PC’z Ltd shall verify that the data has been destroyed securely and irreversibly.

Disposal Schedules: