Clicky

Electronic Data Retention Policy

Introduction
This Retention (“Policy”) applies to System People Ltd.
This Policy covers all electronic records.
For the purpose of this Policy, the terms ‘document’ and ‘records’ refer to electronic formats. In certain circumstances it will be necessary to retain specific records in order to fulfil statutory or regulatory requirements and to meet operational needs. Any retention of specific records should be retained under the retention period specified in Retention of Records Schedule 1 and Retention of Digital Records Schedule 2.

Scope
System People is bound by various obligations with regard to how electronic data is retained. These obligations include the period of retention for Documentation and when and how this Documentation is disposed. Article 5 of GDPR provides “personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”. The purpose of this Policy is to ensure that necessary records, documents and electronic data of System People are adequately protected, archived and disposed of at the correct retention period, and to provide all staff with clear instructions regarding the appropriate retention and disposal of Documentation.

  • Legal Obligation
  • General Data Protection Regulation (GDPR)
  • Data Protection Act 1998 (DPA)
  • Freedom of Information Act 2000 (FOI)
  • Limitation Act 1980
  • Companies Act 2006
  • The Waste Electric and Electronic Equipment Regulations 2013

Retention Procedure
All decisions relating to the retention and disposal of Documents should be taken in accordance with this Policy, in particular;

Schedule 1 – Retention of Digital Records – Provides the required retention periods for all digital Documents.

In circumstances where a retention period of a specific document has expired, a review should always be carried out prior to a decision being made to dispose of the record

Retention of Encrypted Data
Any information retained under this Policy that is in an encrypted format, consideration must be taken for the secure storage of any encryption keys. Encryption keys must be retained as long as the data that the keys decrypt is retained.

Retention of Digital Data
All email files are retained in Outlook for 5 years. Client information is stored in sharepoint retained for 5 years.
The process for accessing stored electronic data is through a unique log-in, only possessed by System People employee

Archiving and Retention of Documentation
Archiving is defined as the process by which inactive data, in any format is securely stored for long periods of time in accordance with a retention schedule.
Archived data is kept securely in a separate drive on the server which is only accessible by password allocated to named staff.

Disposal of Records
Any record containing confidential information must either be disposed by using dedicated shredding software.
Disposal of data that does not contain confidential information may be disposed of by normal deletion.
Records of disposal should be maintained by each department and should detail as a minimum the document or information disposed of, the date of disposal.

Disposal of Electrical Hardware
IT equipment and devices that have the ability and capability to store personal data include:

  • PCs
  • Laptops
  • Mobile Phones
  • Multi-Functional Devices E.g. Printer, Scanner
  • Servers
  • USB Memory Stick/External Hard Drive

IT equipment disposal must be managed so that local machine hardrives are deleted by dedicated shredding software.
All computer equipment, recycling or refurbishing must be disposed of in accordance with the Waste Electric and Electronic Equipment Regulations 2013.

Document Owner
The Managing Director is the owner of this Document and is responsible for ensuring that this Policy is reviewed in line with the review requirements of GDPR

 

To see a signed copy of the policy including the Retention of Digital Records Schedule:

Data Retention Policy