The 'Data Retention and Disposal Policy Part 1' describes how Netmatters Ltd. appropriately manages Data Retention and Disposal as part of the information lifecycle. In addition, this Policy prescribes particular retention rules that must conform to legislation and business needs.
An effective Retention and Disposal Policy ensures higher standards of;
• Compliance: Retaining certain information to meet legislative requirements
• Information Management: Disposal of any information no longer needed allows for easier management and subsequent retrieval.
• Fair Processing: A retention Policy demonstrates our commitment to processing personal information appropriately by only retaining what is needed and for a necessary period.
The Policy is based on the functions of Netmatters Ltd. and not the information we collect or create. By following a more functional approach, the Policy will not need to change when departments and document sets do.
In addition, by following a more functional approach, the Policy can focus on the information, not documents. This allows for a much shorter Policy and will reduce the editing required when documents change. The functional approach also simplifies retention for staff as only a few retention periods are available, meaning the Policy is easier to interpret.
1.1 This 'Part 1' document details the Policy requirements and has been drafted under The Information Commissioners Office (ICO) Guidelines and includes verbatim extracts from ICO publications licenced under the Open Government Licence v3.0.
1.2 Part 2 is the Schedule for the Data Retention and Disposal Policy and is a separate live document (Spreadsheet) to be used in conjunction with and under this 'Part 1' governance.
2. Legal Basis
No one piece of legislation explicitly requires a Retention and Disposal Policy. However, the following legislation does make stipulations concerning the retention of information:
2.1 Data Protection Act 2018 (DPA 2018)
2.2 The UK General Data Protection Regulation (the UK GDPR)
3. Roles and Responsibilities
3.1 All staff are responsible for complying with this Retention and Disposal Policy, which is monitored at various levels. The Operations Manager manages the Policy and coordinates with crucial roles within the company to ensure compliance whilst maintaining the Policy's accuracy. These roles are:
3.2 Information Data Owner (IDO): Introducing this role, IDO 'own' Information Data relevant to their respective roles. (i.e., The Head of HR would own HR-specific Data.) An IDO ensures that all Data users under their management follow retention Policy rules and ensure the Retention and Disposal Policy is followed.
3.3 Data Protection Compliance Manager (DPCM) The DPCM monitors the retention Policy's compliance whilst encouraging and collaborating with all staff to ensure ongoing conformity. Alongside this, the DPCM monitors the IDO in compliance with the Policy. They will also need to implement any changes required and work to improve compliance with the Policy where needed.
This is achieved by setting out prescriptive rules on how long information should be retained. These rules on retention are based on legislation and the needs of Netmatters Ltd. The Retention and Disposal Policy informs staff of how long information needs to be retained and when that time triggers the retention period.
The Information Lifecycle
The information lifecycle maps out various stages that information goes through, from creation/capture to eventual destruction or permanent transfer. Retention must be considered at each stage as the information's eventual disposal will play out throughout the lifecycle.
5.1 Creation/Receive: Information is created or received by Netmatters Ltd. for a specific reason. For some information, the retention period is triggered at this point.
5.2 Current: Current information is being used for its original purpose concerning why it was collected. The length of time the information is in a current state varies depending on what the information was collected for. Once the information is no longer current, most retention periods are triggered.
5.3 Dormant: Information is no longer in regular use and is retained for legislative or business needs. At this point, information is working through its retention period and eventual destruction.
5.4 Disposal and Permanent Transfer: Once the information has reached the end of its retention period, it is reviewed to see whether it is still required and, if not, destroyed. Some information is not reviewed as the work is routine and doesn't warrant reviewing as its original purpose has passed.
6. Applying Triggers
For a retention period to take effect, a trigger must be applied in the lifecycle of the information; this point varies depending on the information. The retention and disposal schedule stipulates all information triggers relevant to legislation or business need.
The Retention and Disposal Policy has set triggers representing the most used actions. These triggers must be complied with throughout the information's lifecycle.
6.1 Creation: Certain information, such as emails in staff mailboxes, triggers retention periods as soon as they are received or created.
6.2 End of Financial Year: This is a common trigger concerning financial records.
6.3 Tenancy Ended/Contract Closed: Once this happens, the information becomes dormant, and the retention period begins.
6.4 Last Action: This applies heavily to electronic Data and records management. Once a document has been saved, the retention period starts; once it is opened and saved, the trigger starts over. When the document stops being used, that last triggering will be the official start of the retention period.
6.5 Date Lead: This is for information that may be dormant but still needs to be retained for an unknown period, either at the time of creation or when the retention period starts from a particular date in the future.
6.6 Superseded: Certain information may need to be retained until a more up-to-date version is implemented.
Through everyday work, Netmatters Ltd. undertakes large volumes of information to meet desired outcomes. This information is used to inform decision-making and be provided as evidence of those decisions.
Not all the information created has any long-term value and does not require to be retained for the retention period. This may include emails that are also saved in later email chains, draft copies of later final versions and other work conducted which doesn't make up the final record.
Teams and departments will be required to use their judgement when deciding what information is required for the entire length of the retention period. However, this does not apply if the information is explicitly mentioned in the Retention and Disposal Policy.
According to the Retention policy, all Data/Information will be disposed of appropriately. Therefore, Netmatters Ltd. does not hold any information permanently.
Most casework and other electronic information will be auto-deleted once they have reached the end of the retention period. However, some information will need to be reviewed before disposal to ensure the information is no longer needed for what was initially obtained. If the information is deemed still necessary, an extension of two years is given until it is reviewed.
The responsibility to comply with the Retention and Disposal Policy applies to all staff and must always be conformed to. Retention should always be considered throughout the information lifecycle, and any new capture of information needs to consider the possible retention rules required.
The functional approach of the Retention and Disposal Policy covers all aspects of the work Netmatters Ltd undertakes. In addition, a functional approach is flexible, allowing for more straightforward Policy navigation.