Data retention policy

Updated over a week ago

Coachello's policy

1. Purpose

The purpose of this policy is to ensure that records are managed consistently across all areas of Coachello business, that they are retained for sufficiently long to meet operational and business needs, and demonstrate compliance with legal, regulatory and audit requirements, and thereafter disposed of in an appropriate, legally compliant manner, irrespective of format.

Scope

The data retention & disposal policy is also used to ensure that Coachello SAS balances the requirement to not hold on to records unnecessarily, with the need to prevent the premature disposal of information we are required to keep. This policy refers to the Data Registry Schedule where details of all records are outlined along with the retention periods. The retention period is applied to records in whatever medium they are held (paper, electronic etc.).


The policy applies to anyone who has access to personal data as part of their relationship with Coachello Ltd.

2. Roles and Responsibilities

  • Information Asset Owners (IAO): IAOs ensure that all assets under their control are following retention schedule rules. They have ownership of the assets and are therefore responsible for ensuring adherence to the Retention and Disposal Schedule. IAOs are responsible for authorising the destruction of information when required.
  • Information Asset Managers (IAM): IAMs assist the IAOs in their role and are operationally responsible for the upkeep of information assets, including adherence to the Retention and Disposal Schedule.
  • Local Information Management Officer (LIMO): LIMO monitor compliance with the retention schedule, whilst encouraging and working with staff to ensure ongoing
    conformity. Alongside this, the LIMO reports to the IAM and IAO on compliance with the schedule within their team. They also need to implement any changes required to the schedule in accordance with ICO procedure and work to improve compliance with the schedule where needed.
  • Local Asset Administrator (LAA): LAA work with staff directly to ensure the retention schedule is adhered to, undertaking some work disposing of information and recording disposal where needed. The LIMO is likely to delegate instructions to the LAA to assist in improving compliance with the schedule.

3. Policy

3.1 Data Retention

  • The Retention Schedule which forms part of this policy (the Schedule) sets out the length
    of time that records should be retained and extends to all records identified in the
    Schedule, irrespective of the media on which they are created or held including:
    ∙ paper;
    ∙ digital files (including databases, Word documents, spreadsheets, webpages and
    e-mails);
    ∙ photographs and videotapes.
  • Retention periods are determined based upon the nature of the information held, not the
    medium in which it is maintained. For example, information which is held in a digital format should only be retained for the same period as it would be kept if it was in paper
    form. However, it is not necessary to retain both paper and digital versions of the same
    record, nor to retain duplicate copies of records. Retention arrangements for digital
    records should ensure that they will remain complete, unaltered and accessible
    throughout the retention period.
  • The value of information tends to decline over time, so the majority of records should only be retained for a limited period of time and eventually be destroyed. A recommended minimum retention period, derived from operational or requirements, is provided for each category of record in the Schedule and applies to all records within that category.
  • During their retention period, operational needs may require records to be held in different locations and on different media, but they should always be properly managed in accordance with this policy.
  • A small proportion of records which are considered to be of permanent historical
    significance will be preserved in Coachello archives. The Information Services
    Manager, working in consultation with the Chief Executive, is responsible for the
    selection of records for permanent preservation and the maintenance of the archives of Coachello and its predecessor entities.

3.2 Data Disposal

Records should be reviewed as soon as possible after the expiry of the retention period. It need not be a detailed or time consuming exercise but there must be a considered appraisal of the contents of the record.


A record should not be destroyed without verification that:

  • no work is outstanding in respect of that record and it is no longer required by any
    department within Coachello;
  • the record does not relate to any current or pending complaint, investigation,
    dispute or litigation;
  • the record is unaffected by any current or pending request made under the
    Freedom of Information Act or Data Protection Act.

A record must be made of all disposal decisions and destruction should be carried out in
a manner that preserves the confidentiality of the record. Confidential paper records
should be placed in confidential waste bins and digital records will need to be either
physically destroyed or erased to the current standard. Deletion of digital files is not
sufficient. All copies of a record, in whatever format, should be destroyed at the same
time.

3.3 Other Records

Many records have no significant operational or evidential value and are not subject to
retention under this policy but may be destroyed once they have served their primary
purpose. These include:
∙ requests for forms and brochures;
∙ meeting rooms reservation requests;
∙ compliment slips and similar items which accompany documents;
∙ superseded distribution or mailing lists;
∙ drafts of documents;
∙ working papers which are the basis of the content of other documents;
∙ notices of meetings and other events;
∙ invitations and notices of acceptance or apologies;
∙ magazines, marketing materials, catalogues, directories, etc.

This is not an exhaustive list but merely indicates the types of record which have no
significant operational or evidential value and may be destroyed once their effective use
has ended

4. Asset Decommission

4.1 Hardware

  • Remove all data storage media from equipment such as usb drive, ssd drive, memory card, magnetic disk and others.
  • Note down all serial numbers for equipment and magnetic disk
  • Mark asset decommission in IT asset management

4.2 Software

  • Remove all software installation from company asset
  • Mark asset decommission in asset management

4.3 Asset Disposal

  • All magnetic disk are zero out before recycling
  • All small data media such as usb drive and ssd drive are destroy local b shredding machine. Ensuring no data can be recovered.
  • Recycle equipment with recycling company

5. Appendix-A- Data Retention Schedule

Governance

Corporate business annual plans = 25 year

Risk registers = 3 year

Legal advice = 20 years

External correspondence = 3 years

Internal Audit = 3 years

Internal Audit Report = 3 years

Programmes, plans, strategies = 1 year after last date of the plan

Internal Records

User Data = 1 year- Based on applicable regulations

SAR request = 3 years

Audit Logs = 1-year

Information security records = 3 years

Other Records = 3 years- Based on applicable regulations

logo_coachello