eric-whitehead
01538 755 761
Introduction
Data will be properly retained to enable us to meet our business needs, our and our clients’ legal requirements, to evidence events or agreements in the event of allegations or disputes and to ensure that any records of historic value are preserved.
The untimely destruction of records could affect:
- the conduct of business;
- the ability of the firm to defend or instigate legal actions;
- the firm’s ability to comply with statutory obligations; and/or
- our reputation.
Conversely, the permanent retention of records is undesirable and, in certain circumstances, unlawful. Therefore, disposal is necessary to free up storage space, reduce administrative burden, and to ensure that we do not unlawfully retain records for longer than is necessary—particularly those containing personal data.
This policy supports us in demonstrating accountability through the proper retention of data and by demonstrating that disposal decisions are taken with proper authority and in accordance with due process.
Purpose
The purpose of this policy is to provide guidance and to set out the length of time that data should be retained and the processes to review the records as to any further retention or for disposing of records at the end of the retention period. The policy helps to ensure that we operate in compliance with the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR).
The policy covers all data held by us irrespective of the media on which they are created or held, including but not limited to:
- paper;
- electronic files; and
- photographs, scanned images, CCTV footage.
The policy covers all types of data that we create or hold which may include but are not limited to:
- Employee data;
- Client data;
- Data from external parties;
- Contracts and invoices;
- Registers;
- Legal advice;
- File notes;
- Financial accounts;
Scope
This policy applies to us all, including managers, consultants, and any third parties that this policy has been communicated to.
Responsibility
Timothy Halliday is the firms Data Protection Manager and he is responsible for this policy and for monitoring our compliance with it.
All employees are responsible for ensuring compliance with this policy.
Policy statement
We will ensure that information is not kept longer than is necessary and will retain the minimum amount of information that we require to carry out its statutory functions and the provision of services.
Disposal of hard copy confidential documents
Confidential waste documents should be made available for collection by use of the confidential waste bins and sacks which are located around the offices in order that they can be destroyed. It is essential that any documents which are to be disposed of and contain confidential or personal data are disposed of in an appropriate secure way in order to avoid breaches of confidence or the DPA.
Disposal of documents other than those containing confidential or personal data may be disposed of in the normal waste, recycled, deleted (in the case of electronic documents), etc.
Records of disposal are retained by Nicola Robinson Finance Director.
Disposal of hard copy confidential documents and remote working
In general, those adopting a remote/hybrid working arrangement, should not print any documents containing confidential information when working out of the office, however if this is absolutely necessary, you must ensure that the documents are stored securely and return all confidential waste to the office to be disposed of properly in a confidential waste bin.
Review of Information Asset Register
The Data Protection Manager will conduct a review of the information asset register on a regular and periodic (at least annually) basis to determine whether any retention periods have expired. Once the retention period has expired, the data must be reviewed and action agreed upon.
Actions to take are:
- the destruction of the data; or
- the retention of the data for a further period; or,
- alternative disposal of the data.
The disposal action decision must be reached having regard to:
- on-going business and accountability needs (including audit);
- current applicable legislation;
- whether the data has any long-term historical or research value;
- best practices in the industry;
- costs associated with continued storage versus costs of destruction; and
- the legal, political, and reputational risks associated with keeping, destroying or losing control over the data.
Decisions must not be made with the intent of denying access or destroying evidence.
Destruction
No destruction of data should take place without checking that:
- the data is no longer required by any part of the firm;
- no work is outstanding by any part of the firm;
- no litigation or investigation is current or pending which affects the data; and
- the data is not relevant to any current or pending Freedom of Information or data subject access requests.
Destruction of paper records
Destruction should be carried out in a way that preserves the confidentiality of the data. Non-confidential data can be placed in ordinary rubbish bins or recycling bins. Confidential data and records which contain personal data, must be placed in confidential waste bins or shredded and placed in paper rubbish sacks for collection by an approved disposal firm. All copies, including security copies, preservation copies and backup copies, should be destroyed at the same time and in the same manner. If using a third-party you will need to gain a certificate of destruction.
Destruction of electronic records
All electronic data will need to be either physically destroyed or wiped. This needs to be done to a reasonable extent to ensure the data has been destroyed. If using a third-party you will need to gain a certificate of destruction.
Further retention
The data may be retained for a further period if there is specific legislation that requires it to be held for a further period.
| Client Information | |
| Information | Retention Period |
| Client Case/Matter Files | 6 years after the last activity on the file (typically payment of bill, closure and archive). If the firm has acted for a person under 18, the file should be kept for 6 years after the client has turned 18.
Please see the File and Case Management Procedures Manual for a list of matter and document types with longer retention periods. |
| Client Complaints | 6 years (with client file) |
| Client File Audit Record | 6 years after the last activity on the file (typically payment of bill, closure and archive). If the firm has acted for a person under 18, the file should be kept for 6 years after the client has turned 18. |
| Client identification and verification documents | 6 years (legal minimum retention period is 5 years from the end of the client relationship). |
| Staff Information | |
| Information | Retention Period |
| Application forms/interview notes for unsuccessful candidates | 12 months from the date of the application or interview (the latter if the application proceeds to this stage). |
| Offer letters and acceptance | 6 years |
| Disciplinary, working time and training | 6 years after employment ceases |
| Redundancy details | 6 years from date of redundancy |
| Documents proving the right to work in the UK | Two years after employment ceases |
| Health and safety consultations | 15 years |
| Information on senior executives | 15 years |
| PAYE Records | 4 years |
| Workplace accidents | 3 years after date of last entry. There are specific rules on recording incidents involving hazardous substances. |
| Payroll | 3 years after the end of the tax year they relate to |
| Statutory maternity, adoption and paternity pay | 3 years after the end of the tax year they relate to |
| Statutory sick pay | 3 years after the end of the tax year they relate to |
| Working time arrangements | 2 years from date on which they were made |
| Corporate Information | |
| Information | Retention Period |
| Partners Meeting Agendas, Reports and Minutes | Permanently for historical purposes |
| Constitutional documents, Resolutions and Special Resolutions | Permanently |
| Business Plans | 3 years |
| Financial Information | |
| Information | Retention Period |
| Books of account, reconciliations, bills, bank statements and passbooks | 6 years |
| Paid cheques, digital images of paid cheques and other authorities for the withdrawal of money from a client account | 2 years |
| Other vouchers and internal expenditure authorisation documents relating directly to entries to the client account books | 2 years |
Further information
This document should be read in conjunction with the File and Case Management Procedures Manual, Data Protection Policy and Information Management and Security Policy.
Review of this policy
This policy will be reviewed at least annually by Timothy Halliday (Data Protection Manager)
May 2024
