Data Retention Policy | Moneypenny

Data Retention

1. Introduction

Moneypenny is committed to complying with the law and regulations in all our business activities, including applicable Data Protection Laws.

We are committed to using all appropriate technical and organisational measures to ensure the protection of both customer and employee personal data.

This policy, and the associated policies, set out the expected behaviours of our employees, contractors and third parties in relation to the retention, storage destruction of all data held within the business (including personal data). This policy should be read in conjunction with our Data Protection policy.

2. Scope

Maintaining business data in a systematic and reliable manner is essential to comply with our legal and regulatory requirements. It also reduces the costs and risks associated with retaining unnecessary information.

A vital part of our Data Protection Policy and practice is that personal data is retained for the appropriate period of time, neither too long nor too short. It is paramount that the retention period allows us to meet our legal and regulatory requirements but that the rights of data subjects are also protected.

This policy has been developed to help employees properly manage Personal Data in a consistent manner which sets out:

Unless otherwise stipulated, the policy refers to both hard copy and electronic documents. This document should be read in conjunction with our Data Protection Policy.

3. Definitions

Personal Data

Any information (including opinions and intentions) which relates to an identified or identifiable natural person.

Identifiable natural person

Anyone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, and identification number, number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data Controller

A natural or legal person, Public Authority, Agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

Data Subject

The identified or identifiable natural person to which the data refers.

Process, processed, processing

Any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means. Operations performed may include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Protection

The process of safeguarding Personal Data from unauthorised or unlawful disclosure, access, alteration, Processing, transfer or destruction.

Data Protection Authority

An independent Public Authority responsible for monitoring the application of the relevant Data Protection regulations – in the UK this is the ICO.

Data Processors

A natural or legal Person, Public Authority, Agency or other body which Processes Personal Data on behalf of a Data Controller.

Consent

Any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.

Special Categories of Data

Personal Data pertaining to or revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life and sexual orientation, genetic data or biometric data.

Third Country

Any country not recognised as having an adequate level of legal protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data.

Profiling

Any form of automated processing of Personal Data where Personal Data is used to evaluate specific or general characteristics relating to an identifiable natural person. In particular to analyse or predict certain aspects concerning that natural person's performance at work economic situations, health, personal preferences, interests, reliability behaviour, location or movement.

Personal Data Breach

A breach of security leading to the accidental or unlawful; destruction, loss, alteration, unauthorised disclosure of, of access to, Personal Data transmitted, stored or otherwise Processed.

Encryption

The process of converting information or data into code, to prevent unauthorised access.

Pseudonymisation

Data amended in such a way that no individuals can be identified from the data (whether directly or indirectly) without a key that allows the data to be re-identified.

Anonymisation

Data amended in such a way that no individuals can be identified from the data (whether directly or indirectly) by any means or by any person.

GDPR

The General Data Protection Regulation

4. Roles and Responsibilities

All employees, including contractors and third parties who process data on our behalf are responsible for complying with the requirements of this policy.

The Data Protection Officer (DPO) is responsible for maintaining the policy. Our DPO can be contacted via email at [email protected], or by post to Data Protection Officer, Moneypenny, Western Gateway, Wrexham, LL13 7ZB.

All Department Heads are responsible for ensuring that documented procedures are in place to comply with the requirements of this policy.

It is the responsibility of all employees to ensure that they have read the most up to date version of this policy. 

5. Policy

Information/records (hard copy and electronic) will be retained for at least the period specified in our Data Retention Guidelines (see Appendix 1).

All information must be reviewed before destruction to determine if there are special factors that mean destruction should be delayed, for example, potential litigation, complaints or on-going cases.

Hard copy and electronically held records, documents and information must be deleted at the end of the retention period or when requested in accordance with the appropriate Data Protection legislation.

Each department should periodically review and determine whether they have records in their control which should be destroyed pursuant to this policy.

5.1 Suspending the destruction date

If a claim, audit, investigation, subpoena, or litigation has been asserted or filed by or against Moneypenny, or is reasonably foreseeable, we have an obligation to retain all relevant records, including those that otherwise would be scheduled for destruction under the records retention schedule.

5.2 How long should we keep our data?

Data should be kept for as long as it is needed to meet the terms of our agreement with our customers and any applicable legal requirements. Our Data Retention Guidelines have been agreed following as assessment of our data and the requirements of all our Regulators, together with our obligations under Data Protection Laws.

5.3 Methods of Destruction

All data, whether hard copy or electronic should be destroyed in a secure manner, preserving the confidentiality of all personal data.

All hard copy data must be disposed of in the confidential waste bins which are located in every area of the business. Under no circumstances should confidential or personal data be put into normal waste bins. We will maintain records of the secure destruction of all waste which is put into the confidential waste.

Our IT department will ensure that all electronic data is securely destroyed in a way which cannot be restored. They will also be responsible for ensure that any electronic equipment is securely wiped, and where appropriate securely disposed of, when it is no longer required by the business.

5.4 Sharing of Information

Unnecessary duplicate information should be destroyed. Where information has been regularly shared between business areas care should be taken to ensure that all copies of the data are destroyed in line with the Data Retention Guidelines.

6. Training

All employees will have their responsibilities under this policy outlined to them as part of their induction training.

All employees will complete an annual refresher of this training.

Moneypenny will provide further training and guidance if there are any updates made to this policy and/or the associated policies and procedures.

7. Monitoring Compliance

As a minimum the following will be monitored to ensure compliance with this policy:

Key business stakeholders will devise a plan with a schedule for correcting any identified deficiencies within a defined and reasonable time frame.

Any major deficiencies identified will be reported to and monitored by the DPO.

8. Review

This policy is owned by the DPO and will be reviewed at least annually. Any changes applied to the policy will be tracked and, where appropriate refresher training/updates will be cascaded to all appropriate individuals

9. Related Documents

Schedule 1 - Data Retention Guidelines Client Personal Data

Where Moneypenny acts as the Data Controller all data will be protected, retained and deleted in accordance with our agreed contractual agreements as well as in line with Data Protection legislation.

Where Moneypenny acts as the Data Processor all data will be protected and treated in accordance with contractual agreements with the Data Controller as well as in line with Data Protection legislation.

As referenced within our Data Protection Policy and our Privacy Notice; personal and sensitive data will only be retained whilst it's required to deliver a service (based on contractual agreement) or until such time we are instructed to delete it, whichever is the soonest.

Where data is processed solely for marketing purposes, any information we use for this purpose will be kept until you notify us that you no longer wish to receive this information, or until the data is deleted in accordance with our Marketing guidelines (further information on this can be obtained from our DPO either by email [email protected] or by post to Data Protection Officer, Moneypenny, Western Gateway, Wrexham, LL13 7ZB) whichever is earliest.

As part of ensuring we are providing the right services to you we may use your data to pursue our legitimate interests in a way which would reasonably be expected as part of running our business and supplying services, this will be done in a way that does not materially impact your rights, freedom or interests.

Central business records

Where Moneypenny acts as the Data Controller all data will be protected, retained and deleted in accordance with our agreed contractual agreements as well as in line with Data Protection legislation.

Where Moneypenny acts as the Data Processor all data will be protected and treated in accordance with contractual agreements with the Data Controller as well as in line with Data Protection legislation.

For Accounting and Financial Records, we will retain for 6 years, unless contractual agreements specify differently.

For Complaints records we will retain for 1 year following the resolution of the complaint.

For records relating to legal cases or claims notified to the business, retention periods will be agreed on a case by case basis, in accordance with Data Protection legislation (see 5.1 above).

HR records

Moneypenny will retain all personal data using current Chartered Institute of Personal and Development Guidelines (CIPD) as a benchmark.

We will keep all records for the following sensitive personal data types for 3 years after the year it relates to:

We will keep all records for the following sensitive personal data types for 6 years after the year it relates to:

If further information is required this can be obtained from our DPO either by email [email protected] or by post to Data Protection Officer, Moneypenny, Western Gateway, Wrexham, LL13 7ZB.