Page 1 of 27 V 0.5
Data Retention and Deletion Policy Ref No: ORG020
Please contact HR if you require the document in large print, Braille or another language or alternative format.
Issue Date: 3rd Feb 2021
Review date: 2022
Publication/Distribution
• Publication on the shared drive
• Cascade through relevant line management
Target Audience:
• All employees and Volunteers
Related documents
• ORG08 Data Protection Policy
Name Stephen Conway
Signature
Position Chief Executive
Date 3rd February 2021
Document Version Control

| Date | Version | Status | Author | Details of Change |
|---|---|---|---|---|
| April 18 | 0.1 | Draft | Clare Watson | Draft new policy |
| June 18 | 0.2 | Live | SMG | Review |
| December 2018 | 0.3 | Draft | Clare Watson | Additional items added |
| Feb 2020 | 0.4 | Live | Clare Watson | Member and volunteer retention changes |
| Feb 2021 | 0.5 | Live | Clare Watson | Retention changes and responsibilities |

1 Purpose
The purpose of this policy is to detail the procedures for the retention and disposal of information, to ensure that the Deafblind UK Group carries these out consistently and fully documents any actions taken. Unless otherwise stated, retention and disposal refers to both electronic and paper documents.

2. How long should we keep our records?

Under the UK General Data Protection Regulation, records should only be kept for as long as necessary for the purpose for which they were collected. The primary factors that inform decisions on retention are:
1. Business Need
2. Legislative and regulatory requirements
3. National Archive requirements/legislation

3. Disposal Schedule

3.1 This section sets out approved document retention periods in order that the DBUK Group may meet its statutory and legal responsibilities and comply with the General Data Protection Regulation and other legal obligations.

3.2 Retention
Documentation may be retained for a longer period of time than stated in this document, but explicit reasons for doing so must be recorded.

3.3 Formats
Paper (e.g. files, forms, folders) or electronic (e.g. word processed documents, databases, spreadsheets, web, scanned images). Records held electronically must not remain accessible once deleted.

3.4 Storage and Disposal
Records on disposal schedules will fall into three main categories.
1. Destroy after the agreed period. Where the useful life of records can be easily predetermined
2. Automatically select for permanent preservation. Where certain groups of records can be readily defined as worthy of permanent retention
3. Review

3.5 Destruction
• Information containing personal data must be placed in a secure shredding bin or put through the supplied shredder
• Electronic equipment containing information should be destroyed using killdisc for individual folders. Alternatively, a certificate should be obtained from an approved provider stating that killdisc had been used
• Destruction of electronic records should render them non-recoverable
• Permanent Disposal: Before undertaking permanent disposal of data approval should be obtained by a Head of Service or above.
4 Sharing of information

4.1 Duplicate records should be destroyed. Where information is regularly shared between departments, only the original record should be retained.

4.2 Where information is shared outside of the Deafblind UK Group, we will ensure that adequate procedures are in place so that information is managed in line with the UK General Data Protection Regulation and other regulatory guidance.

5 Refreshing Details

It is essential that we have a process in place to refresh the data and consent we hold to ensure that the information is accurate and up to date.

| Record Type | Refresh Period | Method | Where recorded |
|---|---|---|---|
| Members and Carers | 3 years | Ongoing as part of all interactions | Raisers Edge |
| Employees | 2 years | Personal details refresh form/email to self update on Capita | Capita |
| Volunteers | 2 years | As part of yearly survey | Raisers Edge |
| Donors and Event participants | 2 Years | Ongoing as part of all interactions | Raisers Edge |
| Customers | 2 Years | Part of annual support plan review | S/Drive |
| Trusts | 2 Years | Ongoing as part of all interactions | Raisers Edge |
| Professionals | 2 Years | Ongoing as part of all interactions | Raisers Edge |
| Organisations | 2 Years | Ongoing as part of all interactions | Raisers Edge |

6 Audit Trail

6.1 You are required to document the disposal of records that are either shredded or deleted either within or outside the deletion periods in the schedule below.

6.2 This will provide an audit trail for any inspections carried out by the ICO.

6.3 Please see relevant process within your department.

7 Monitoring

Responsibility for monitoring the disposal of documents rests with the Executive Management Team.

8 Disposal Schedule

| Heading, Data / Document Type | Required Retention | Comments | Responsibility |
|---|---|---|---|
| | 7 years | | Director of Finance and Deputy Chief Executive and Head of Finance |
| Sage Payroll | 6 years | | Director of Finance and Deputy Chief Executive and Head of Finance |
| Expenses Volunteer | 6 years | | Director of Finance and Deputy Chief Executive and Head of Finance |
| Employee | 6 years | | Director of Finance and Deputy Chief Executive and Head of Finance |
| Suppliers Records on SAP | 6 years after last invoice date | | Director of Finance and Deputy Chief Executive and Head of Finance |
| Suppliers Invoices | 6 years (Paper) | | Director of Finance and Deputy Chief Executive and Head of Finance |
| Banking Bank Statements | 6 years (Paper) | | Director of Finance and Deputy Chief Executive and Head of Finance |
| Legacy Legacy paperwork | 6 Years from receipt of funds | | Director of Finance and Deputy Chief Executive and Head of Finance |
| Budgeting Budget Management Records | 6 Years | | Director of Finance and Deputy Chief Executive and Head of Finance |
| Insurance Insurance Claims | 3 Years | | Director of Finance and Deputy Chief Executive and Head of Finance |
| Insurance Policies | Permanent | | Director of Finance and Deputy Chief Executive and Head of Finance |

Department Training

| Heading, Data / Document Type | Required Retention | Comments | Responsibility |
|---|---|---|---|
| Training Training booking forms | 2 Years | | Director of Operations |
| Research Projects Research data Anonymised research data | 3 years after project completed | | Director of Operations |
| Webinars and eLearning Enrolment registration on LMS | 6 months | | Director of Operations |

Department Information Technology

| Heading, Data / Document Type | Required Retention | Comments | Responsibility |
|---|---|---|---|
| Raisers Edge Downloads Exports | 1 Month after export | All excel sheets with member and volunteer data to be deleted | Director of Operations/Director of Fundraising |
| Downloads Download Folder | 1 Month | To be emptied each month and content of recycle bin deleted | EMT |
| Department folders | | To be reviewed quarterly | EMT |
| Scans Scans Folder | | To be deleted once moved/attached to relevant folder or record | EMT |
| Mail boxes Emails | 3 Years | Containing Personal Details | EMT |
| Email Attachments | 3 Years | Containing Personal Details | EMT |
| Office 365 Archived Emails | 6 Months | All archived emails automatically deleted every 6 months | Director of Finance and Deputy Chief Executive |
| Department SharePoint Files & Folders | 1 Month | All Data no longer required on SharePoint in each department to be deleted | Director of Finance and Deputy Chief Executive |
| Personal SharePoint Files & Folders | 1 Month | Personal Data on Personal SharePoint Storage to be deleted – 1TB Limit | Director of Finance and Deputy Chief Executive |
| Microsoft Office Teams (Internal communication) | 6 Months | All Microsoft Teams Chat histories containing to be deleted every 6 months | Director of Finance and Deputy Chief Executive |
| Anti Virus Log messages | 3 Months | | Director of Finance and Deputy Chief Executive |
| Active user profiles Inactive Accounts: Emails, SharePoint Files & Folders, Teams Communication & Accounts | 1 Year; 6 Months after left | Staff & Volunteer members that have left DBUK, All Emails, SharePoint Personal Storage, Teams and Account data to be deleted after 6 Months of leave date. | Director of Finance and Deputy Chief Executive |
| Ticket System Resolved Tickets | 6 Months | All resolved & closed tickets in the last 6 Months to be deleted | Director of Finance and Deputy Chief Executive |
| Users Details | 3 Months | All Staff that raised a ticket that are no longer with DBUK – Details from the system to be deleted | Director of Finance and Deputy Chief Executive |

Appendix 1 Definitions

‘Personal Data’
Meaning any information relating to an identifiable living person who can be directly or indirectly identified, in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, email, location data, National Insurance Number, IP Address.

‘Special categories of personal data’
The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for ID purposes); health; sex life; or sexual orientation.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.