Data Retention Policy
- Purpose
- The purpose of this Policy is to detail procedures for the retention and disposal of information and personal data. This Policy refers to both hard and soft copy documents, unless specifically stated otherwise.
- Scope
- This Policy covers all data collected by and stored on the Company owned or leased systems and media, regardless of location. It applies to both data collected and held electronically (including photographs, video and audio recordings) and data that is collected and held as hard copy or paper files.
- The need to retain certain information may be mandated by federal or local law, federal regulations and legitimate business purposes, as well as the EU General Data Protection Regulation (GDPR).
- Reasons for Data Retention
- The Company retains only that data that is necessary to effectively conduct its program activities, fulfil its mission and comply with applicable laws and regulations. Reasons for data retention include:
- Providing an ongoing service to the data subject (e.g. sending a newsletter, publication or ongoing program update to an individual, ongoing training or participation in the Company’s programs, processing of employee payroll and other benefits).
- Compliance with applicable laws and regulations associated with financial and programmatic reporting by the Company to its funding agencies and other donors.
- Compliance with applicable labour, tax and immigration laws.
- Other regulatory requirements.
- Security incident or other investigation.
- Intellectual property preservation.
- Review
- Each department processing personal data must go through its ‘closed records’ at least every 6 months to determine whether the records should be destroyed, retained for a further period or transferred to an archive for permanent preservation.
- Retention Period for Paper Records
- Records should only be kept for as long as they are needed to meet the operational needs of the business, and to fulfil legal and regulatory requirements.
- If any (or more) below applies then you must determine the length the records should be kept for, otherwise the records must be destroyed in line with this Policy.
|
Is it necessary as a source of information for operations at GEI Solutions LTD? |
Is it necessary as evidence of business activities and decisions? |
Is it necessary because of legal or regulatory retention requirements? |
- Destruction of Records
- No destruction of a record should take place without assurance that:
- The record is no longer required by any part of the business;
- No work is outstanding by any part of the business;
- No litigation or investigation is current or pending which affects the record;
- There are no current to pending Subject Access Requests which affect the record.
Records should be destroyed in the following ways:
|
Non-sensitive information |
Information/records that are clearly in the ‘public domain’ can be placed in a normal recycling rubbish bin |
|
Confidential information |
Must be cross cut shredded and placed in paper rubbish sacks for collection by an approved disposal firm. |
|
Electronic devices containing information (must be overseen by the Head of IT) |
Option 1 – ‘Factory’ system restore Option 2 – destroy all information using specialised software programs. GEI Solutions LTD may work with approved contractors to recycle redundant Equipment must be kept in a secure location until collected. Managers of each department must ensure locally stored confidential information is removed as appropriate before a device is reassigned |
- Audit Trail
- There is no requirement to document the disposal of records which have been listed on the records retention schedule.
- If records are disposed of earlier or kept for longer than listed on the records retention schedule, then they must be recorded for audit purposes.
- This will provide an audit trail for any inspections conducted by the Information Commissioner Office and will aid in addressing Subject Access Request, where we no longer hold the material.
