1. Purpose
The purpose of this policy is to ensure that records are managed consistently across all areas of Coachello business, that they are retained for sufficiently long to meet operational and business needs, and demonstrate compliance with legal, regulatory and audit requirements, and thereafter disposed of in an appropriate, legally compliant manner, irrespective of format.
Scope
The data retention & disposal policy is also used to ensure that Coachello SAS balances the requirement to not hold on to records unnecessarily, with the need to prevent the premature disposal of information we are required to keep. This policy refers to the Data Registry Schedule where details of all records are outlined along with the retention periods. The retention period is applied to records in whatever medium they are held (paper, electronic etc.).
The policy applies to anyone who has access to personal data as part of their relationship with Coachello Ltd.
2. Roles and Responsibilities
- Information Asset Owners (IAO): IAOs ensure that all assets under their control are following retention schedule rules. They have ownership of the assets and are therefore responsible for ensuring adherence to the Retention and Disposal Schedule. IAOs are responsible for authorising the destruction of information when required.
- Information Asset Managers (IAM): IAMs assist the IAOs in their role and are operationally responsible for the upkeep of information assets, including adherence to the Retention and Disposal Schedule.
- Local Information Management Officer (LIMO): LIMO monitor compliance with the retention schedule, whilst encouraging and working with staff to ensure ongoing
conformity. Alongside this, the LIMO reports to the IAM and IAO on compliance with the schedule within their team. They also need to implement any changes required to the schedule in accordance with ICO procedure and work to improve compliance with the schedule where needed. - Local Asset Administrator (LAA): LAA work with staff directly to ensure the retention schedule is adhered to, undertaking some work disposing of information and recording disposal where needed. The LIMO is likely to delegate instructions to the LAA to assist in improving compliance with the schedule.
3. Policy
3.1 Data Retention
- The Retention Schedule which forms part of this policy (the Schedule) sets out the length
of time that records should be retained and extends to all records identified in the
Schedule, irrespective of the media on which they are created or held including:
∙ paper;
∙ digital files (including databases, Word documents, spreadsheets, webpages and
e-mails);
∙ photographs and videotapes. - Retention periods are determined based upon the nature of the information held, not the
medium in which it is maintained. For example, information which is held in a digital format should only be retained for the same period as it would be kept if it was in paper
form. However, it is not necessary to retain both paper and digital versions of the same
record, nor to retain duplicate copies of records. Retention arrangements for digital
records should ensure that they will remain complete, unaltered and accessible
throughout the retention period. - The value of information tends to decline over time, so the majority of records should only be retained for a limited period of time and eventually be destroyed. A recommended minimum retention period, derived from operational or requirements, is provided for each category of record in the Schedule and applies to all records within that category.
- During their retention period, operational needs may require records to be held in different locations and on different media, but they should always be properly managed in accordance with this policy.
- A small proportion of records which are considered to be of permanent historical
significance will be preserved in Coachello archives. The Information Services
Manager, working in consultation with the Chief Executive, is responsible for the
selection of records for permanent preservation and the maintenance of the archives of Coachello and its predecessor entities.
3.2 Data Disposal
Records should be reviewed as soon as possible after the expiry of the retention period. It need not be a detailed or time consuming exercise but there must be a considered appraisal of the contents of the record.
A record should not be destroyed without verification that:
- no work is outstanding in respect of that record and it is no longer required by any
department within Coachello; - the record does not relate to any current or pending complaint, investigation,
dispute or litigation; - the record is unaffected by any current or pending request made under the
Freedom of Information Act or Data Protection Act.
A record must be made of all disposal decisions and destruction should be carried out in
a manner that preserves the confidentiality of the record. Confidential paper records
should be placed in confidential waste bins and digital records will need to be either
physically destroyed or erased to the current standard. Deletion of digital files is not
sufficient. All copies of a record, in whatever format, should be destroyed at the same
time.
3.3 Other Records
Many records have no significant operational or evidential value and are not subject to
retention under this policy but may be destroyed once they have served their primary
purpose. These include:
∙ requests for forms and brochures;
∙ meeting rooms reservation requests;
∙ compliment slips and similar items which accompany documents;
∙ superseded distribution or mailing lists;
∙ drafts of documents;
∙ working papers which are the basis of the content of other documents;
∙ notices of meetings and other events;
∙ invitations and notices of acceptance or apologies;
∙ magazines, marketing materials, catalogues, directories, etc.
This is not an exhaustive list but merely indicates the types of record which have no
significant operational or evidential value and may be destroyed once their effective use
has ended
4. Asset Decommission
4.1 Hardware
- Remove all data storage media from equipment such as usb drive, ssd drive, memory card, magnetic disk and others.
- Note down all serial numbers for equipment and magnetic disk
- Mark asset decommission in IT asset management
4.2 Software
- Remove all software installation from company asset
- Mark asset decommission in asset management
4.3 Asset Disposal
- All magnetic disk are zero out before recycling
- All small data media such as usb drive and ssd drive are destroy local b shredding machine. Ensuring no data can be recovered.
- Recycle equipment with recycling company
5. Appendix-A- Data Retention Schedule
Governance
Corporate business annual plans = 25 year
Risk registers = 3 year
Legal advice = 20 years
External correspondence = 3 years
Internal Audit = 3 years
Internal Audit Report = 3 years
Programmes, plans, strategies = 1 year after last date of the plan
Internal Records
User Data = 1 year- Based on applicable regulations
SAR request = 3 years
Audit Logs = 1-year
Information security records = 3 years
Other Records = 3 years- Based on applicable regulations