Data and Record Retention Policy
Folk recognises the importance of effective file keeping records and data management to enable it to discharge its functions. This requires, amongst other things, a data and record retention policy.
To comply with the principles of the Data Protection Act, records containing personal data must be:
- stored appropriately having regard to the sensitivity and confidentiality of the material recorded
- retrievable and easily traced
- retained for only as long as necessary
- disposed of appropriately to ensure that copyrights are not breached and to prevent them falling into the hands of unauthorised personnel
Application Of The Data & Record Retention Policy
This policy applies equally to photographic, microform and electronic media that are used to store records as well as more traditional paper or card records. The period of retention only commences when the record is closed.
Storage Of Data & Records Statement
All data and records should be stored as securely as possible in order to avoid potential misuse or loss. All data and records will be stored in the most convenient and appropriate location having regard to the period of retention required and the frequency with which access will be made to the record.
Data and records which are active should be stored in the most appropriate place for their purpose. Data and records which are no longer active, due to their age or subject, should be stored in the most appropriate place for their purpose. The degree of security required for file storage will reflect the sensitivity and confidential nature of any material recorded. Any data file or record which contains personal data of any form can be considered as confidential in nature.
Data and records should not be kept for longer than is necessary. This principle finds statutory form in the Data Protection Act 1998, which requires that personal data processed for any purpose "shall not be kept for longer than is necessary for that purpose".
No data file or record should be retained for more than five years after it is closed unless a good reason for longer retention can be demonstrated. It is to be emphasised that the period of five years is a maximum period. It may well be appropriate having regard to the nature of the record to opt for a shorter period.
Reasons for longer retention will include the following:
- Statute requires retention for a longer period
- The record contains information relevant to legal action which has been started or is in contemplation
- Whenever there is a possibility of litigation, the records and information that are likely to be affected should not be amended or disposed of until the threat of litigation has been removed
- The record should be archived for historical or research purposes, e.g. the record relates to an important policy development or relates to an event of local or national purpose
- The records are maintained for the purpose of retrospective comparison
- The records relate to individuals or providers of services who are judged unsatisfactory. The individuals may include employees who have been the subject of serious disciplinary action
Reference should be made to Appendix A, which sets out retention periods which must be complied with for specified records.
Destruction And Disposal Statement
All information of a confidential or sensitive nature on paper, card, microfiche, or electronic media must be securely destroyed when it is no longer required.
This ensures compliance with the Data Protection Act 1998 and the duty of confidentiality we owe to our employees, clients and customers.
Destruction And Disposal Procedures
All information, in any format, destroyed from any location must have due regard to confidentiality of our employees, clients and customers.
- When records or data files are identified for disposal in the Policy are destroyed, a register of such records needs to be kept.
- The procedure for the destruction of Confidential or Sensitive Waste on paper, card or microfiche is as follows:
- All office quality white or coloured paper should be mechanically shredded if the content is in any way sensitive.
- If you dispose of waste by using the shredder, ensure that it is used safely in accordance with its operating instructions, and that waste is shredded in such a way that it cannot be put back together again, and made comprehensible
- All other paper can be disposed of in the boxes or bins provided in offices for environmentally-friendly disposal of white non-confidential and non-sensitive paper waste.
The procedure for the destruction of Confidential or Sensitive Waste on electronic media such as tape, disk, cassette/cartridge, hard drives, CD-Rom, DVD and ZIP drive is as follows:
- Media that are being destroyed because they are showing signs of damage or are obsolete should be physically destroyed by being cut into pieces or other ways prior to disposal
- Where disks, tapes, DVD or CD ROM are being used to supply data to third parties they should, at the very least, be reformatted before the files are saved on to it. The process of saving files to the disk may overwrite areas of the disk previously used, but this is no guarantee of preventing retrieval of previously stored files The most effective way to ensure that media are cleaned of all previous data is to use a utility package to perform a "secure wipe"
- Destruction of back-up copies of such data also needs to be dealt with