Information Retention & Destruction Policy

Information Retention & Destruction Policy

 

Anglo Office Group Limited recognises the importance of effective file keeping, records and data management to enable it to discharge its functions. This requires, amongst other things, a data and record retention policy. The term ’record’ applies equally to photographic, microform and electronic media that are used to store records as well as more traditional paper or card records. The period of retention only commences when the record is closed.

The procedure applies to all users of Anglo Office Group’s computer systems, including any contractor, agency, casual staff (including those on work experience) and external service providers’ staff.

Any departure from this procedure may lead to disciplinary action being taken in accordance with the published staff disciplinary process.

 

Storage of Data and Records

All staff have a responsibility to consider both safety and security when storing and disposing of personal information in the course of their work. Consideration should also be given to the nature of the personal information involved – for example, how sensitive it is – and the format in which it is held.

Data and records should, wherever possible, be stored electronically on the companies “A” drive. However, alternative formats of storage (e.g. CD or paper) may be more appropriate in certain circumstances – for example, where electronic housekeeping has been undertaken or there are legal requirements to retain a ’wet’ signature on a document. Either our Commercial or CSR Director can provide further advice and guidance in this respect.

All data and records must be stored as securely as possible in order to avoid potential misuse or loss. All data and records will be stored wherever possible on the companies server in the “A” drive, having regard to the period of retention required and the frequency with which access will be made to the record. The degree of security required for file storage will reflect the sensitivity and confidential nature of any material recorded and due regard to security must also be given to archived filing. Any Information that requires protective marking will be included as part of our IMS (Integrated Management System) and be covered by the Control of Documented information contained within it.

 

Relationship with The Data Protection Act

Data and records should not be kept for longer than is necessary. This principle finds statutory form in the Data Protection Act 1998, which requires that personal data processed for any purpose “shall not be kept for longer than is necessary for that purpose”.

To comply with the principles of the Data Protection Act, records containing personal data must be:

However, this policy does not just cover personal data and will be applied to all records retained by Anglo Office Group and the same protocols will be applied.

Reference should be made to Information Retention and Disposal Archive Periods also contained within our IMS, which sets out retention periods which must be complied with for specified records.

 

Record Retention Schedule

The record retention schedule (Appendix A) documents the minimum length of time that Anglo Office Group’s records should be retained to comply with legal, regulatory and operational requirements. This includes compliance with the Data Protection Act 1998 and the Freedom of Information Act 2000.

The retention schedule is also used to ensure that Anglo Office Group Ltd balances the requirement to not hold on to records unnecessarily with the need to prevent the premature disposal of information we are required to keep. Retention periods outlined in the schedule are applied to records in whatever medium they are held (paper, electronic etc).

Compliance obligations have been formally considered when identifying interested parties, risks and opportunities and the company’s environmental aspects and impacts. This is contained within our IMS (Integrated Management System) under Risks, Opportunities & Environmental Aspects in the Risks & Opportunities Register.

 

Using The Schedule

The schedule identifies the relevant functions of Anglo Office Group Ltd and the categories of records they hold. Each section is listed in the documents on the right hand side of this page. The Schedule describes:

Retention periods are independent of format and therefore can be applied to any medium, whether paper or electronic. Retention periods in this document are defined as the ‘minimum’, which mean that files may be retained for a longer period should they be required but must not be disposed of before the identified time.

 

Long- Term Storage of Paper Records

Although Anglo Office Group Ltd aims to keep paper records to a minimum, the retention schedule may identify paper based records that are required to be retained for several years, even though they are no longer referenced on a regular basis. These records need to be stored in a safe environment, and due regard must be given when storing archived paper based records onsite since this takes up valuable storage space. If required, such archiving material may be sent to an appropriate off-site storage facility.

 

Destruction and Disposal of Records

All information of a confidential or sensitive nature on paper, card, microfiche or electronic media must be securely destroyed when it is no longer required. This ensures compliance with the Data Protection Act 1998 and the duty of confidentiality we owe to our employees, clients and customers.

All information, in any format, destroyed from any location must have due regard to confidentiality of our employees, clients and customers. When records or data files are identified for disposal in the policy are destroyed, details must be provided to either the Commercial or CSR Director in order to maintain an effective and up to date a register of destroyed records.

The destruction of Anglo Office Group records must only be undertaken in accordance with the published guidelines. If there is any doubt about the need for authorisation in a specific case, individuals should consult with either the Commercial or CSR Director.

 

Safe and Secure Disposal of Records

When records are disposed of, on-site or off, it is important to use methods which do not allow future use or reconstruction.

 

Electronic Records

Special care must be taken with electronic records, which can be reconstructed from deleted information. Similarly, erasing or reformatting computer disks or personal computers with hard drives which once contained personal information is not enough. The deletion of electronic records must be organised in conjunction with the Commercial Director, who will ensure the removal of all data from the medium so that it cannot be reconstructed.

Deletion should ultimately mean the complete destruction of the electronic record. This implies rendering data non-recoverable even when using forensic data recovery techniques. In practice, deleting an instance of an electronic record in most technical environments merely removes an operating system or application link to the object and it is not actually removed when the same storage medium space has been reused several times over.

The Data Protection Act requires that information that is no longer required should cease to be processed. The Information Commissioner has held that this means that reasonable steps should be taken to ensure the information is not retrievable by normal methods, including restoring using backup facilities. Additionally, it is important to ensure that external IT providers and any of their supply partners do not frustrate the proper implementation of Anglo Office Group Ltd’s official disposal schedules by their own back-up routines.

In view of the technical issues involved in deleting electronic records, the Commercial Director shall be responsible for administering the removal of electronic records, including back-up mechanisms and providing an appropriate disposal record to the company’s Directors.

 

Paper Records

Paper records containing confidential and/or personal information must be cross-cut shredded no larger than 6mm and confidentially disposed of. Under no circumstances should confidential and/or personal information be disposed of with other rubbish or general records. Bulk shredding and confidential disposal can be arranged through via Business Services.

 

Disposal Schedule

A disposal schedule is a list indicating what records have been destroyed, when, by whom and using what method of destruction. Records which have been archived should also be documented in order to facilitate effective retrieval. The disposal record applies to both paper and electronic (computer and video) records and must not, in itself, contain personal information. The disposal record must refer to the record type rather than the contents of the record. For example, “2016 complaints” would be acceptable, “complaints: John Smith” would not. Anglo Office Group Ltd’s disposal record-keeping is administered by the CSR Director and all staff archiving and/or destroying data must advise either the Commercial or CSR Director in advance.

 

Content of the Disposal Schedule

The disposal schedule should contain all the following elements:

 

Monitoring and Revision of Disposal Schedules

It is the responsibility of the CSR Director to monitor and review the disposal schedule (Appendix A) regularly (usually annually), to ensure that:

Where amendments to the disposal schedule have been approved, the CSR Director will update Appendix A and advise staff as soon as possible.

 

Supporting and Legislative and Regulatory Obligations

 

Freedom of Information Act 2000 (FoIA)

Disposal schedules are a very important part of accounting for the legitimate absence of information under FoIA. For example, demonstrating to requesters, the Information Commissioner or the Information Tribunal that disposal decisions have been made and implemented following due process will defend legitimate public sector records management activity from undue criticism under the FoIA regime. In particular, it should serve as a defence against a charge under s.77 that a record has been destroyed with the intention of preventing disclosure in response to a request.

Documentation of disposal activity at the policy, schedule and folder (very occasionally record) level will be particularly important to account for records that cannot be confirmed as present in response to a request, a complaint to the Information Commissioner or an appeal to the Information Tribunal.

 

Data Protection Act 1998

The Data Protection Act 1998 reinforces the imperative to dispose of information in a timely, orderly manner and not to retain personal information without good reason. In general, this implies a presumption that once the legitimate business use for the information has expired, or continuing to retain it has become disproportionate to the processing, then processing should cease. This means that the personal data should be disposed of, unless a further approved purpose of processing applies.

 

Reviewed and approved by Gary Naphtali, Managing Director on 14 May 2018