Pine Consulting Group

Data Retention Policy

1. Purpose

The purpose of this policy is to detail procedures for the retention and disposal of information and personal data. This policy refers to both hard and soft copy documents, unless specifically stated otherwise.

2. Scope

This policy covers all data collected by and stored on the Company owned or leased systems and media, regardless of location. It applies to both data collected and held electronically (including photographs, video and audio recordings) and data that is collected and held as hard copy or paper files. The need to retain certain information may be mandated by federal or local law, federal regulations and legitimate business purposes, as well as the EU General Data Protection Regulation (GDPR).

3. Reasons for Data Retention

The Company retains only that data that is necessary to effectively conduct its program activities, fulfil its mission and comply with applicable laws and regulations. Reasons for data retention include:

a. Providing an ongoing service to the data subject (e.g. sending a newsletter, publication or ongoing program update to an individual, ongoing training or participation in the Company’s programs, processing of employee payroll and other benefits).
b. Compliance with applicable laws and regulations associated with financial and programmatic reporting by the Company to its funding agencies and other donors.
c. Compliance with applicable labour, tax and immigration laws.
d. Other regulatory requirements.
e. Security incident or other investigation.
f. Intellectual property preservation.
g. Litigation.

4. Review

Each department processing personal data must go through its ‘closed records’ at least every 6 months to determine whether the records should be destroyed, retained for a further period or transferred to an archive for permanent preservation.

5. Retention period for paper records

a. Records should only be kept for as long as they are needed to meet the operational needs of the business, and to fulfil legal and regulatory requirements.
b. If any (or more) below applies then you must determine the length the records should be kept for, otherwise the records must be destroyed in line with this policy.

Is it necessary as a source of information for operations at Pine Consulting Group Limited? Is it necessary as evidence of business activities and decisions? Is it necessary because of legal or regulatory retention requirements?

6. Destruction of records

No destruction of a record should take place without assurance that:

  • The record is no longer required by any part of the business;
  • No work is outstanding by any part of the business;
  • No litigation or investigation is current or pending which affects the record;
  • There are no current to pending Subject Access Requests which affect the record.

Records should be destroyed in the following ways:

Non-sensitive information Information/records that are clearly in the ‘public domain’ can be placed in a normal recycling rubbish bin
Confidential information Must be cross cut shredded and placed in paper rubbish sacks for collection by an approved disposal firm.
Electronic devices containing information (must be overseen by the Head of IT) Option 1 – ‘Factory’ system restore

Option 2 – destroy all information using specialised software programs.

Pine Consulting Group Limited may work with approved contractors to recycle redundant IT equipment and must securely sanitise all hard drives. A certificate confirming the complete destruction of records must be provided by the contractors.

Equipment must be kept in a secure location until collected.

Managers of each department must ensure locally stored confidential information is removed as appropriate before a device is reassigned to another person in their team.

7. Audit trail

a. There is no requirement to document the disposal of records which have been listed on the records retention schedule.
b. If records are disposed of earlier or kept for longer than listed on the records retention schedule, then they must be recorded for audit purposes.
c. This will provide an audit trail for any inspections conducted by the Information Commissioner Office and will aid in addressing Subject Access Request, where we no longer hold the material.

 
Disposal Schedule
(Should you become aware of any records missing from the schedule, please notify the Company so that they may be added at the next opportunity).
Heading Description Retention Period Comments
Payroll Employee pay records for the period of employment plus six 6 years after the employee leaves the organisation  
Salary records for the period of employment plus six 6 years after the employee leaves the organisation  
Copy of payroll sheets for the period of employment plus six 6 years after the employee leaves the organisation  
Employee Files Paper and hardcopy employee files for the period of employment plus six 6 years after the employee leaves the organisation Limitations Act 1980
Income Tax Records and Wages Income Tax and NI returns, Income tax records and correspondence with the Inland Revenue At least 3 years after the end of the financial year to which they relate. The Income Tax (Employments) Regulations 1993
Wages/salary records (including overtime, bonuses, expenses) for the period of employment plus six 6 years after the employee leaves the organisation Taxes Management Act 1970
National minimum wage records 3 years after the end of the pay reference period following the one that the records cover National Minimum Wage Act 1998
Pensions and Retirement Autoenrollment member and scheme details for the period of employment plus six 6 years after the employee leaves the organisation Autoenrollment regulations
Sickness records Statutory Maternity Pay records, calculations, certificates (Mat B1s) or other medical evidence 3 years after the end of the tax year in which the maternity period ends The Statutory Maternity Pay (General) Regulations 1986
Statutory Sick Pay records, calculations, certificates, self- certificates 3 years after the end of the tax year to which they relate The Statutory Sick Pay (General) Regulations 1982
Employee Files – General Exceptions Records relating to working time 2 years from the date on which they were made The Working Time Regulations 1998
Accident books, accident records/report 3 years after the date of the last entry The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995.
 

WHERE TO GO FOR ADVICE AND QUESTIONS

Questions, comments, complaints and requests regarding this policy are welcomed and should be addressed to our office address, Oak House, Reeds Crescent, Watford, England, WD24 4QP or to our Data Protection Officer at dpo@pineconsultinggroup.co.uk.

In addition, please do not hesitate to contact us if you suspect any privacy or security breaches.

OTHER RELEVANT POLICIES

This policy supplements and should be read in conjunction with our other policies and procedures in force from time to time, including without limitation our:

  • Data Protection Policy;
  • Privacy Policy;
  • IT and Communications Systems Policy and any other IT, security and data related policies, which are available on the Portal; and
  • Code of Professional & Ethical Conduct.

Data Retention Policy

 

  1. Purpose

The purpose of this policy is to detail procedures for the retention and disposal of information and personal data. This policy refers to both hard and soft copy documents, unless specifically stated otherwise.

  1. Scope

This policy covers all data collected by and stored on the Company owned or leased systems and media, regardless of location. It applies to both data collected and held electronically (including photographs, video and audio recordings) and data that is collected and held as hard copy or paper files. The need to retain certain information may be mandated by federal or local law, federal regulations and legitimate business purposes, as well as the EU General Data Protection Regulation (GDPR).

  1. Reasons for Data Retention

The Company retains only that data that is necessary to effectively conduct its program activities, fulfil its mission and comply with applicable laws and regulations. Reasons for data retention include:

  1. Providing an ongoing service to the data subject (e.g. sending a newsletter, publication or ongoing program update to an individual, ongoing training or participation in the Company’s programs, processing of employee payroll and other benefits);
  2. Compliance with applicable laws and regulations associated with financial and programmatic reporting by the Company to its funding agencies and other donors;
  3. Compliance with applicable labour, tax and immigration laws;
  4. Other regulatory requirements;
  5. Security incident or other investigation;
  6. Intellectual property preservation;
  7. Litigation.
  1. Review

Each department processing personal data must go through its ‘closed records’ at least every 6 months to determine whether the records should be destroyed, retained for a further period or transferred to an archive for permanent preservation.

  1. Retention period for paper records
  1. Records should only be kept for as long as they are needed to meet the operational needs of the business, and to fulfil legal and regulatory requirements.
  1. If any (or more) below applies then you must determine the length the records should be kept for, otherwise the records must be destroyed in line with this policy.

Is it necessary as a source of information for operations at (company’s name)?

 

Is it necessary as evidence of business activities and decisions?

 

Is it necessary because of legal or regulatory retention requirements?

   
  1. Destruction of records

No destruction of a record should take place without assurance that:

  • The record is no longer required by any part of the business;
  • No work is outstanding by any part of the business;
  • No litigation or investigation is current or pending which affects the record;
  • There are no current to pending Subject Access Requests which affect the record.

Records should be destroyed in the following ways:

Non-sensitive information

Information/records that are clearly in the ‘public domain’ can be placed in a normal recycling rubbish bin.

Confidential information

Must be cross cut shredded and placed in paper rubbish sacks for collection by an approved disposal firm.

Electronic devices containing information (must be overseen by the Head of IT)

Option 1 – ‘Factory’ system restore

Option 2 – destroy all information using

specialised software programs.

Pine Consulting Group may work with approved contractors to recycle redundant
IT equipment and must securely sanitise all hard drives. A certificate confirming the complete destruction of records must be provided by
the contractors.

Equipment must be kept in a secure location until collected.

Managers of each department must ensure locally stored confidential information is removed as appropriate before a device is reassigned
to another person in their team.

  1. Audit trail

1. There is no requirement to document the disposal of records which have been listed on the records retention schedule.

2. If records are disposed of earlier or kept for longer than listed on the records retention schedule, then they must be recorded for audit purposes.

3. This will provide an audit trail for any inspections conducted by the Information Commissioner Office and will aid in addressing Subject Access Request, where we no longer hold the material.

Disposal Schedule

(Should you become aware of any records missing from the schedule, please notify the Company so that they may be added at the next opportunity).

Heading

Description

Retention Period

Comments

Payroll

Employee pay records

for the period of employment plus six 6 years after the employee leaves the organisation

 

Salary records

for the period of employment plus six 6 years after the employee leaves the organisation

 

Copy of payroll sheets

for the period of employment plus six 6 years after the employee leaves the organisation

 

Employee Files

Paper and hardcopy employee files

for the period of employment plus six 6 years after the employee leaves the organisation

Limitations Act 1980

Income Tax Records and Wages

Income Tax and NI returns, Income tax records and correspondence with the Inland Revenue

At least 3 years after the end of the financial year to which they relate

The Income Tax (Employments) Regulations 1993

Income Tax Records and Wages

Wages/salary records (including overtime, bonuses, expenses)

for the period of employment plus six 6 years after the employee leaves the organisation

Taxes Management Act 1970

National minimum wage records

3 years after the end of the pay reference period following the one that the records cover

National Minimum Wage Act 1998

Pensions and Retirement

Autoenrollment member and scheme details

for the period of employment plus six 6 years after the employee leaves the organisation

Autoenrollment regulations

Sickness records

Statutory Maternity Pay records, calculations, certificates (Mat B1s) or other medical evidence

3 years after the end of the tax year in which the maternity period ends

The Statutory Maternity Pay (General) Regulations1986

Statutory Sick Pay records, calculations, certificates, self- certificates

3 years after the end of the tax year to which they relate

The Statutory Sick Pay (General) Regulations 1982

Employee Files – General Exceptions

Records relating to working time

2 years from the date on which they were made

The Working Time Regulations 1998

Accident books, accident records/report

3 years after the date of the last entry

The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995

 

WHERE TO GO FOR ADVICE AND QUESTIONS

Questions, comments, complaints and requests regarding this policy are welcomed and should be addressed to our office address at Oak House, Reeds Crescent, Watford, WD24 4QP or to our Data Protection Officer at info@pineconsultinggroup.co.uk.

In addition, please do not hesitate to contact us if you suspect any privacy or security breaches.

 

OTHER RELEVANT POLICIES

This policy supplements and should be read in conjunction with our other policies and procedures in force from time to time, including without limitation our:

  • Data Protection Policy;
  • Privacy Policy;
  • IT and Communications Systems Policy and any other IT, security and data related policies, which are available on the Portal; and
  • Code of Professional & Ethical Conduct.