Data Retention
1. Introduction
CSnotepad is committed to complying with the law and regulations in all our business activities, including applicable Data Protection Laws.
We are committed to using all appropriate technical and organisational measures to ensure the protection of both customer and employee personal data.
This policy, and the associated policies, set out the expected behaviours of our employees, contractors and third parties in relation to the retention, storage and destruction of all data held within the business (including personal data). This policy should be read in conjunction with our Data Protection policy.
2. Scope
Maintaining business data in a systematic and reliable manner is essential to comply with our legal and regulatory requirements. It also reduces the costs and risks associated with retaining unnecessary information.
A vital part of our Data Protection Policy and practice is that personal data is retained for the appropriate period of time, neither too long nor too short. It is paramount that the retention period allows us to meet our legal and regulatory requirements but that the rights of data subjects are also protected.
This policy has been developed to help employees properly manage Personal Data in a consistent manner, and sets out:
- How long personal data should be retained
- How records should be disposed of
Unless otherwise stipulated, the policy refers to both hard copy and electronic documents. This document should be read in conjunction with our Data Protection Policy.
3. Definitions
| Term | Definition |
|---|---|
| Personal Data | Any information (including opinions and intentions) which relates to an identified or identifiable natural person. |
| Identifiable natural person | Anyone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
| Data Controller | A natural or legal person, Public Authority, Agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. |
| Data Subject | The identified or identifiable natural person to which the data refers. |
| Process, processed, processing | Any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means. Operations performed may include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Data Protection | The process of safeguarding Personal Data from unauthorised or unlawful disclosure, access, alteration, Processing, transfer or destruction. |
| Data Protection Authority | An independent Public Authority responsible for monitoring the application of the relevant Data Protection regulations – in the UK this is the ICO. |
| Data Processors | A natural or legal Person, Public Authority, Agency or other body which Processes Personal Data on behalf of a Data Controller. |
| Consent | Any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her. |
| Special Categories of Data | Personal Data pertaining to or revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life and sexual orientation, genetic data or biometric data. |
| Third Country | Any country not recognised as having an adequate level of legal protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data. |
| Profiling | Any form of automated processing of Personal Data where Personal Data is used to evaluate specific or general characteristics relating to an identifiable natural person, in particular to analyse or predict certain aspects concerning that natural person’s performance at work, economic situations, health, personal preferences, interests, reliability, behaviour, location or movement. |
| Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed. |
| Encryption | The process of converting information or data into code, to prevent unauthorised access. |
| Pseudonymisation | Data amended in such a way that no individuals can be identified from the data (whether directly or indirectly) without a key that allows the data to be re-identified. |
| Anonymisation | Data amended in such a way that no individuals can be identified from the data (whether directly or indirectly) by any means or by any person. |
| GDPR | The General Data Protection Regulation |
4. Roles and Responsibilities
All employees, including contractors and third parties who process data on our behalf, are responsible for complying with the requirements of this policy.
The Data Protection Officer (DPO) is responsible for maintaining the policy. Our DPO is Rob Donald and can be contacted via email at info@csnotepad.co.uk or by post to Data Protection Officer, CSnotepad, Gemini House, 136-140 Old Shoreham Road, Brighton, BN3 7BD.
All Department Heads are responsible for ensuring that documented procedures are in place to comply with the requirements of this policy.
It is the responsibility of all employees to ensure that they have read the most up-to-date version of this policy.
5. Policy
Information/records (hard copy and electronic) will be retained for at least the period specified in our Data Retention Guidelines (see Appendix 1).
All information must be reviewed before destruction to determine if there are special factors that mean destruction should be delayed, for example, potential litigation, complaints or on-going cases.
Hard copy and electronically held records, documents and information must be deleted at the end of the retention period or when requested in accordance with the appropriate Data Protection legislation.
Each department should periodically review and determine whether they have records in their control which should be destroyed pursuant to this policy.
5.1 Suspending the destruction date
If a claim, audit, investigation, subpoena, or litigation has been asserted or filed by or against CSnotepad, or is reasonably foreseeable, we have an obligation to retain all relevant records, including those that otherwise would be scheduled for destruction under the records retention schedule.
5.2 How long should we keep our data?
Data should be kept for as long as it is needed to meet the terms of our agreement with our customers and any applicable legal requirements. Our Data Retention Guidelines have been agreed following an assessment of our data and the requirements of all our Regulators, together with our obligations under Data Protection Laws.
5.3 Methods of Destruction
All data, whether hard copy or electronic, should be destroyed in a secure manner, preserving the confidentiality of all personal data.
All hard copy data must be disposed of in the confidential waste bins which are located in every area of the business. Under no circumstances should confidential or personal data be put into normal waste bins.
Our IT department will ensure that all electronic data is securely destroyed in a way which cannot be restored. They will also be responsible for ensuring that any electronic equipment is securely wiped, and where appropriate securely disposed of, when it is no longer required by the business.
5.4 Sharing of Information
Unnecessary duplicate information should be destroyed. Where information has been regularly shared between business areas, care should be taken to ensure that all copies of the data are destroyed in line with the Data Retention Guidelines.
6. Training
All employees will have their responsibilities under this policy outlined to them as part of their induction training.
All employees will complete an annual refresher of this training.
CSnotepad will provide further training and guidance if there are any updates made to this policy and/or the associated policies and procedures.
7. Monitoring Compliance
As a minimum the following will be monitored to ensure compliance with this policy:
- An annual Data Protection Compliance Audit which will, at the minimum, assess:
  - Compliance with policy in relation to the protection of personal data, including:
    - Correct storage of personal data
    - Deletion of personal data in accordance with the schedule
Key business stakeholders will devise a plan with a schedule for correcting any identified deficiencies within a defined and reasonable time frame.
Any major deficiencies identified will be reported to and monitored by the DPO.
8. Review
This policy is owned by the DPO and will be reviewed at least annually. Any changes applied to the policy will be tracked and, where appropriate, refresher training/updates will be cascaded to all appropriate individuals.
Schedule 1 - Data Retention Guidelines
Client Personal Data
Where CSnotepad acts as the Data Controller all data will be protected, retained and deleted in accordance with our agreed contractual agreements as well as in line with Data Protection legislation.
Where CSnotepad acts as the Data Processor all data will be protected and treated in accordance with contractual agreements with the Data Controller as well as in line with Data Protection legislation.
As referenced within our Data Protection Policy and our Privacy Notice, personal and sensitive data will only be retained whilst it is required to deliver a service (based on contractual agreement) or until such time we are instructed to delete it, whichever is the soonest.
Where data is processed solely for marketing purposes, any information we use for this purpose will be kept until you notify us that you no longer wish to receive this information, or until the data is deleted in accordance with our Marketing guidelines (further information on this can be obtained from our DPO either by email at info@csnotepad.co.uk or by post to Data Protection Officer, CSnotepad, Gemini House, 136-140 Old Shoreham Road, Brighton, BN3 7BD).
As part of ensuring we are providing the right services to you, we may use your data to pursue our legitimate interests in a way which would reasonably be expected as part of running our business and supplying services. This will be done in a way that does not materially impact your rights, freedom or interests.
Central business records
Where CSnotepad acts as the Data Controller all data will be protected, retained and deleted in accordance with our agreed contractual agreements as well as in line with Data Protection legislation.
Where CSnotepad acts as the Data Processor all data will be protected and treated in accordance with contractual agreements with the Data Controller as well as in line with Data Protection legislation.
Accounting and Financial Records will be retained for 6 years, unless contractual agreements specify differently.
Complaints records will be retained for 1 year following the resolution of the complaint.
For records relating to legal cases or claims notified to the business, retention periods will be agreed on a case-by-case basis, in accordance with Data Protection legislation (see 5.1 above).
HR records
CSnotepad will retain all personal data using current Chartered Institute of Personnel and Development (CIPD) Guidelines as a benchmark.
We will keep all records for the following sensitive personal data types for 3 years after the year it relates to:
- Income Tax
- National Insurance
- HMRC correspondence
- Statutory Sick Pay
- Statutory Maternity Pay
- Parental leave records
We will keep all records for the following sensitive personal data types for 6 years after the year it relates to:
- Retirement benefits schemes events (for example a change in minimum contribution levels)
- Redundancy records
- Pension records
Application forms and interview notes captured as part of the application process will be kept for 3 months for any unsuccessful applicant, after which any personal sensitive data will be securely removed.
If further information is required this can be obtained from our DPO either by email at info@csnotepad.co.uk or by post to Data Protection Officer, CSnotepad, Gemini House, 136-140 Old Shoreham Road, Brighton, BN3 7BD.
Cookies
csnotepad.co.uk puts small files (known as 'cookies') onto your computer to collect information about how you browse the site.
Cookies are used to:
- measure how you use the website so it can be updated and improved based on your needs
- re-advertise our services to you
Find out more about how to manage cookies.
How cookies are used on csnotepad.co.uk
Measuring website usage (Google Analytics)
We use Google Analytics software to collect information about how you use csnotepad.co.uk. We do this to help make sure the site is meeting the needs of its users and to help us make improvements.
Google Analytics stores information about:
- the pages you visit on csnotepad.co.uk
- how long you spend on each csnotepad.co.uk page
- how you got to the site
- what you click on while you’re visiting the site
We don't collect or store your personal information (for example your name or address) so this information can't be used to identify who you are.
We don't allow Google to use or share our analytics data.
Google Analytics sets the following cookies:
Universal Analytics

| Name | Purpose | Expires |
|---|---|---|
| _ga | This helps us count how many people visit csnotepad.co.uk by tracking if you've visited before | 2 years |
| _gid | This helps us count how many people visit csnotepad.co.uk by tracking if you've visited before | 24 hours |
| _gat | Used to manage the rate at which page view requests are made | 10 minutes |

Google Analytics

| Name | Purpose | Expires |
|---|---|---|
| _utma | Like _ga, this lets us know if you've visited before, so we can count how many of our visitors are new to csnotepad.co.uk or to a certain page | 2 years |
| _utmb | This works with _utmc to calculate the average length of time you spend on csnotepad.co.uk | 30 minutes |
| _utmc | This works with _utmb to calculate when you close your browser | When you close your browser |
| _utmz | This tells us how you reached csnotepad.co.uk (for example from another website or a search engine) | 6 months |

csnotepad.co.uk events

| Name | Purpose | Expires |
|---|---|---|
| analytics_next_page_call | This lets us know the next page you visit on csnotepad.co.uk, so we can make journeys better | When you close your browser |
| Csnotepad.co.uk_contact_referrer | This lets us know the last page you visited before using the contact csnotepad.co.uk form | 1 day |

You can opt out of Google Analytics cookies.
YouTube videos
We use YouTube to provide videos on some pages of the site. YouTube sets cookies when you visit one of these pages:
https://www.youtube.com/watch?v=-zUASCey0VE
https://www.youtube.com/watch?v=OBcLA5YKJeY
https://www.youtube.com/watch?v=qf71vx3PsVU
https://www.youtube.com/watch?v=SrSo9fXcS-E