Data Retention Policy

  1. POLICY STATEMENT

There are various legal requirements as set out by law, within the GDPR Regulations and professional guidelines about keeping certain kinds of records – such as information needed for income tax and audit purposes, or information on aspects of health and safety.

The GDPR does not set out any specific minimum or maximum periods for retaining personal data. Instead, it says that by law Hyman Capital Group will have to ensure that personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

In practice, it means that the company will need to:

  • Review the length of time personal data is kept;
  • Consider the purpose or purposes the information is held for in deciding whether (and for how long) to retain it;
  • Securely delete information that is no longer needed for this purpose or these purposes; and
  • Update, archive or securely delete information if it goes out of date.

Any data held centrally using OneDrive. This is encrypted and password protected and certain information is held on a need to know basis. This means that only required members of the Company have access to the data.

  1. SCOPE

Data shall be retained in accordance with the periods detailed in this policy.

The periods in this policy relating to finance records are taken from a number of sources which include Buzzacott’s Insights document on “Retention of Accounting Records” and CIPD’s guidance on HR records retention. These periods are both the minimum and maximum periods for which data needs to be held before deletion or shredding.

Where a retention period is not specified, personal information will only be retained for the longer of:

  • As long as required for its purpose
  • As required by law

Manual files relating to previous staff, clients and associates shall have all non-essential information removed and securely destroyed prior to being archived.

The Company will require all data processors to formally agree that personal data will not be retained for longer than the purpose for which they are processing it.

This policy covers the following areas:

  • Method for deletion
  • Accounts & Finance records
  • Payroll records
  • Employee/Personnel records
  • Pension records
  • Buildings records
  • Insurance records
  • Governance records
  • Associate records
  • Client records
  1. METHOD FOR DELETION
    • Paper, CD and DVD files will be shredded. The materials will be shredded offsite by a third party provider who will give confirmation of the secure disposal.
    • Every 3 months staff will participate in a review of paper, CD & DVD media and destroy all files that are not required, as defined above. These reviews will take place in February, May, August and November.
    • All Database (Infusionsoft, Freeagent, E-mail and files held on the server) records will be marked for deletion and permanently deleted on review. The record should not be archived. The Company should liaise with its external IT providers (currently Systems IT) to obtain evidence of how they deal with any off site back-ups to ensure that all old versions are deleted.
    • Each organisational Director is responsible for liaising with their respective teams to ensure that the data is deleted in accordance with this policy.
  2. ACCOUNTS & FINANCE RECORDS
Document Retention period Reason for retention period
Record of payments made (For suppliers — can be reprinted from Freeagent, For associate expenses — would need to refer to actual claim, For payments — hard copies of payment documentation are kept) Six years after the end of the financial year in which the transaction was made. Companies Act
Purchase ledger (Ledger records on Feeagent and all hard copy and electronic purchase invoices, staff and associate expenses Six years after the end of the financial year in which the transaction was made. Companies Act
Invoices raised to generate income (Paper/Electronic copies) Six years after the end of the financial year in which the transaction was made. Companies Act
Petty cash records (Copies of vouchers and receipts received in support of expenditure) Six years after the end of the financial year in which the transaction was made. Companies Act and HMRC
Invoice- capital item (with a significant value and where the Company is registered for VAT) Ten years Companies Act and HMRC
Bank paying in counterfoils Six years after the end of the financial year in which the transaction was made. Companies Act
Bank statements (Access to on-line statements is available for the last 12 months, hard copy statements are received from Barclays and Santander) Six years after the end of the financial year in which the transaction was made. Companies Act
Remittance advices (In support of income received from clients) Six years after the end of the financial year in which the transaction was made. Companies Act
Correspondence re: income (Letters/e-mails etc.) Six years after the end of the financial year in which the transaction was made. Companies Act
Bank reconciliations (hard/electronic copies of same information) Six years after the end of the financial year in which the transaction was made. Companies Act
Income summary (electronic version of the bank statement reconciling Freeagent to the bank accounts) Six years after the end of the financial year in which the transaction was made. Companies Act

5.PAYROLL RECORDS

Document Retention period Reason for retention period
Income tax records re. employees leaving, i.e. P45 Three years plus the current year The Income Tax (Emloyments) Regulations 1993 (SI 1993/744) as amended, for example by The Income Tax (Employments) (Amendment No 6) Regulations 1996 (SI 1996/2631)
Notice to employer of tax code (P6) Three years plus the current year The Income Tax (Emloyments) Regulations 1993 (SI 1993/744) as amended, for example by The Income Tax (Employments) (Amendment No 6) Regulations 1996 (SI 1996/2631)
Annual return of employees and directors expenses and benefits (P11D) Three years plus the current year The Income Tax (Emloyments) Regulations 1993 (SI 1993/744) as amended, for example by The Income Tax (Employments) (Amendment No 6) Regulations 1996 (SI 1996/2631)
Certificate of pay and tax deducted (P60) Three years plus the current year The Income Tax (Emloyments) Regulations 1993 (SI 1993/744) as amended, for example by The Income Tax (Employments) (Amendment No 6) Regulations 1996 (SI 1996/2631)
Notice of tax code change Three years plus the current year The Income Tax (Emloyments) Regulations 1993 (SI 1993/744) as amended, for example by The Income Tax (Employments) (Amendment No 6) Regulations 1996 (SI 1996/2631)
Annual return of taxable pay and tax deducted Three years plus the current year The Income Tax (Emloyments) Regulations 1993 (SI 1993/744) as amended, for example by The Income Tax (Employments) (Amendment No 6) Regulations 1996 (SI 1996/2631)
Records of pension deductions (including superannuation) Six years plus the current years Pensions Act
Payroll and payroll control account Six years after the end of the financial year in which the transaction was made. Companies Act
  1. EMPLOYEE / PERSONNEL RECORDS
Document Retention Period Reason for retention period
Accident books, accident records/reports Three years after last entry or end of investigation if later The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (SI 1995/3163) as amended, and Limitation Act 1980. Special rules apply concerning incidents involving hazardous substances.
Details of medical schemes Permanently Commercial
Organisation charts Permanently Commercial
Personnel files and training records Six years after employment ceases. Records for key senior executives should be kept permanently for historical purposes Limitations Act 1980
Wages and salary records Six years plus the current year Taxes Management Act
Expense accounts/records Six years plus the current year Taxes Management Act
Overtime records/Authorisation Six years plus the current year Taxes Management Act
Redundancy details, calculations of payment, refunds, notifications to the Secretary of State Six years after employment has ceased Data Protection Act
Life Assurance expression of wish form Six years after employment ceases or death Data Protection Act
Application forms and interview notes (for unsuccessful candidates) Six months to a year Disability Discriminations Act 1995 and Race Relations Act 1976 recommend six months. One year limitation for defamation actions under Limitations Act
Statutory Maternity Pay records, calculations, certificates or other medical evidence Three years after the end of the tax year in which the maternity period ends The Statutory Maternity Pay (General) Regulations 1986 (SI 1986/1960) as amended
Statutory Sick Pay records, calculations, certificates, self certificates Three years after the end of each tax year for Statutory Sick Pay purposes The Statutory Sick Pay (Maintenance of Records) (Revocation) Regulations 2014 (SI 2014/55) abolished the former obligation on employers to keep these records. Although there is no longer a specific statutory retention period, employers still have to keep sickness records to best suit their business needs. It is advisable to keep records for at least 3 months after the end of the period of sick leave in case of a disability discrimination claim. However if there were to be a contractual claim for breach of an employment contract it may be safer to keep records for 6 years after the employment ceases.
Records relating to working time Two years from date on which they were made The Working Time Regulations 1998 (SI 1998/1833)
Records relating to children and young adults Until the child/young adult reaches the age of 21 Limitation Act 1980
National minimum wage records Three years after the end of the pay reference period following the one that the records cover National Minimum Wage Act 1998
  1. PENSION RECORDS
Document Retention period Reason for retention period
Details re. current pensioners Ten years after benefit ceases Commercial
Pension scheme- next of kin/expression of wish forms Six years after date of death Data Protection Act
All trust deeds and rules Permanently Companies Act, Commercial, Pensions Act
Trustees’ minutes books Permanently Companies Act, Commercial, Pensions Act
Annual accounts Permanently Companies Act, Commercial, Pensions Act
Contribution records Permanently Companies Act, Commercial, Pensions Act
  1. BUILDINGS RECORDS
Document Retention period Reason for retention period
Deeds of title Permanently or until property disposed of. A copy of title deeds should be kept for six years after disposal Data Protection Act
Leases Fifteen years after expiry Limitations Act 1960
Final plans, designs and drawings of buildings, pIanning consents, building certifications, collateral warranties, records of historical interest and final health and safety file Permanently or until six years after property disposed of Data Protection Act
Asbestos Register and Asbestos Disposal Certificates Permanently. Property holders required to examine the premises for asbestos or possible asbestos materials, record the location of those materials and assess the risk. These assessments are to be recorded and provided to anyone who may disturb the asbestos. The Control of Asbestos at Work Regulations 2002 (SI 2002/ 2675). Also see the Control of Asbestos Regulations 2006 (SI 2006/2739) and the Control of Asbestos Regulations 2012 (SI 2012/632)
Records of major refurbishments, warranties, planning consents, design documents, final health and safety file Thirteen years for actions against contractors etc. Data Protection Act
  1. INSURANCE RECORDS
Document Retention Period Reason for retention period
Policies Three years after lapse Data Protection Act
Claims correspondence Three years after settlement Data Protection Act
Employer’s Liability Insurance certificate Forty years Employers’ Liability (Compulsory Insurance) Regulations 1998
Accident reports and relevant correspondence Three years after settlement Data Protection Act
  1. GOVERNANCE RECORDS
Document Retention Period Reason for retention period
Board of Directors minutes of meetings and decisions Permanently Data Protection Act
Annual accounts and annual review Permanently Data Protection Act
Major agreements of historical significance Permanently Data Protection Act
Health and safety records Three years for general records. Permanently for records relating to hazardous substances. Personal injury actions mist generally be commenced within three years of injury. However industrial injuries not capable of detection within that period (e.g. asbestos) the time period may be substantially extended.
Fixed assets register Permanently Companies Act, Commercial
Contract with customers, suppliers or agents, licensing agreements, rental/hire purchase  agreements, indemnities and guarantees and other agreements or contracts Six years after expiry or termination of the contract. If the contract is executed as a deed, the limitation period is twelve years Limitations Act 1980

Six years is generally the time limit within which proceedings founded on contract may be bought. Actions for latent damages may be bought up to fifteen years after the damage occurs

  1. ASSOCIATE RECORDS
Document Retention period Reason for retention period
Where appropriate the associate records should be retained in line with permanent staff See section Employee/Personnel records
  1. ADVISORY RECORDS
Document Retention period Reason for retention period
Personal details such as name, address, age, gender One year after last communication Data Protection Act
Details of illness One year after last communication Data Protection Act
Details of advice One year after last communication Data Protection Act
  1. REFERENCES

https://ico.org.uk/media/for-organisations/documents/l475/deleting personal data.pdf