Data Retention

1. 1. Introduction
   
   CSnotepad is committed to complying with the law and regulations in all our business activities, including applicable Data Protection Laws.
   
   We are committed to using all appropriate technical and organisational measures to ensure the protection of both customer and employee personal data.
   
   This policy, and the associated policies, set out the expected behaviours of our employees, contractors and third parties in relation to the retention, storage destruction of all data held within the business (including personal data). This policy should be read in conjunction with our Data Protection policy.
   
   
2. 2. Scope
   
   Maintaining business data in a systematic and reliable manner is essential to comply with our legal and regulatory requirements. It also reduces the costs and risks associated with retaining unnecessary information.
   
   A vital part of our Data Protection Policy and practice is that personal data is retained for the appropriate period of time, neither too long nor too short. It is paramount that the retention period allows us to meet our legal and regulatory requirements but that the rights of data subjects are also protected.
   
   This policy has been developed to help employees properly manage Personal Data in a consistent manner which sets out:
   
   
   • How long personal data should be retained
   • How records should be disposed of
   
   Unless otherwise stipulated, the policy refers to both hard copy and electronic documents. This document should be read in conjunction with our Data Protection Policy.
   
   
3. 3. Definitions

   Personal Data	Any information (including opinions and intentions) which relates to an identified or identifiable natural person.
   Identifiable natural person	Anyone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, and identification number, number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
   Data Controller	A natural or legal person, Public Authority, Agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
   Data Subject	The identified or identifiable natural person to which the data refers.
   Process, processed, processing	Any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means. Operations performed may include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
   Data Protection	The process of safeguarding Personal Data from unauthorised or unlawful disclosure, access, alteration, Processing, transfer or destruction.
   Data Protection Authority	An independent Public Authority responsible for monitoring the application of the relevant Data Protection regulations – in the UK this is the ICO.
   Data Processors	A natural or legal Person, Public Authority, Agency or other body which Processes Personal Data on behalf of a Data Controller.
   Consent	Any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.
   Special Categories of Data	Personal Data pertaining to or revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life and sexual orientation, genetic data or biometric data.
   Third Country	Any country not recognised as having an adequate level of legal protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data.
   Profiling	Any form of automated processing of Personal Data where Personal Data is used to evaluate specific or general characteristics relating to an identifiable natural person. In particular to analyse or predict certain aspects concerning that natural person’s performance at work economic situations, health, personal preferences, interests, reliability behaviour, location or movement.
   Personal Data Breach	A breach of security leading to the accidental or unlawful; destruction, loss, alteration, unauthorised disclosure of, of access to, Personal Data transmitted, stored or otherwise Processed.
   Encryption	The process of converting information or data into code, to prevent unauthorised access.
   Pseudonymisation	Data amended in such a way that no individuals can be identified from the data (whether directly or indirectly) without a key that allows the data to be re-identified.
   Anonymisation	Data amended in such a way that no individuals can be identified from the data (whether directly or indirectly) by any means or by any person.
   GDPR	The General Data Protection Regulation

4. 4. Roles and Responsibilities
   
   All employees, including contractors and third parties who process data on our behalf are responsible for complying with the requirements of this policy.
   
   The Data Protection Officer (DPO) is responsible for maintaining the policy. Our DPO is Rob Donald and can be contacted via email at info@csnotepad.co.uk or by post to Data Protection Officer, CSnotepad, Gemini House, 136-140 Old Shoreham Road, Brighton, BN3 7BD.
   
   All Department Heads are responsible for ensuring that documented procedures are in place to comply with the requirements of this policy.
   
   It is the responsibility of all employees to ensure that they have read the most up to date version of this policy.
   
   
5. 5. Policy
   
   Information/records (hard copy and electronic) will be retained for at least the period specified in our Data Retention Guidelines (see Appendix 1).
   
   All information must be reviewed before destruction to determine if there are special factors that mean destruction should be delayed, for example, potential litigation, complaints or on-going cases.
   
   Hard copy and electronically held records, documents and information must be deleted at the end of the retention period or when requested in accordance with the appropriate Data Protection legislation.
   
   Each department should periodically review and determine whether they have records in their control which should be destroyed pursuant to this policy.
   
   5.1 Suspending the destruction date
   
   If a claim, audit, investigation, subpoena, or litigation has been asserted or filed by or against CSnotepad, or is reasonably foreseeable, we have an obligation to retain all relevant records, including those that otherwise would be scheduled for destruction under the records retention schedule.
   
   5.2 How long should we keep our data?
   
   Data should be kept for as long as it is needed to meet the terms of our agreement with our customers and any applicable legal requirements. Our Data Retention Guidelines have been agreed following as assessment of our data and the requirements of all our Regulators, together with our obligations under Data Protection Laws.
   
   5.3 Methods of Destruction
   
   All data, whether hard copy or electronic should be destroyed in a secure manner, preserving the confidentiality of all personal data.
   
   All hard copy data must be disposed of in the confidential waste bins which are located in every area of the business. Under no circumstances should confidential or personal data be put into normal waste bins.
   
   Our IT department will ensure that all electronic data is securely destroyed in a way which cannot be restored. They will also be responsible for ensure that any electronic equipment is securely wiped, and where appropriate securely disposed of, when it is no longer required by the business.
   
   5.4 Sharing of Information
   
   Unnecessary duplicate information should be destroyed. Where information has been regularly shared between business areas care should be taken to ensure that all copies of the data are destroyed in line with the Data Retention Guidelines.
   
   
6. 6. Training
   
   All employees will have their responsibilities under this policy outlined to them as part of their induction training.
   
   All employees will complete an annual refresher of this training.
   
   CSnotepad will provide further training and guidance if there are any updates made to this policy and/or the associated policies and procedures.
   
   
7. 7. Monitoring Compliance
   
   As a minimum the following will be monitored to ensure compliance with this policy:
   
   
   • An annual Data Protection Compliance Audit which will, at the minimum assess:
   • Compliance with policy in relation to the protection of personal data, including;
   • Correct storage of personal data
   • Deletion of personal data in accordance with the schedule
   
   Key business stakeholders will devise a plan with a schedule for correcting any identified deficiencies within a defined and reasonable time frame.
   
   Any major deficiencies identified will be reported to and monitored by the DPO.
   
   
8. 8. Review
   
   This policy is owned by the DPO and will be reviewed at least annually. Any changes applied to the policy will be tracked and, where appropriate refresher training/updates will be cascaded to all appropriate individuals
   
   

Schedule 1 - Data Retention Guidelines

Client Personal Data

Where CSnotepad acts as the Data Controller all data will be protected, retained and deleted in accordance with our agreed contractual agreements as well as in line with Data Protection legislation.

Where CSnotepad acts as the Data Processor all data will be protected and treated in accordance with contractual agreements with the Data Controller as well as in line with Data Protection legislation.

As referenced within our Data Protection Policy and our Privacy Notice; personal and sensitive data will only be retained whilst it’s required to deliver a service (based on contractual agreement) or until such time we are instructed to delete it, whichever is the soonest.

Where data is processed solely for marketing purposes, any information we use for this purpose will be kept until you notify us that you no longer wish to receive this information, or until the data is deleted in accordance with our Marketing guidelines (further information on this can be obtained from our DPO either by email info@csnotepad.co.uk or by post to Data Protection Officer, CSnotepad, Gemini House, 136-140 Old Shoreham Road, Brighton, BN3 7BD.

As part of ensuring we are providing the right services to you we may use your data to pursue our legitimate interests in a way which would reasonably be expected as part of running our business and supplying services, this will be done in a way that does not materially impact your rights, freedom or interests.

Central business records

Where CSnotepad acts as the Data Controller all data will be protected, retained and deleted in accordance with our agreed contractual agreements as well as in line with Data Protection legislation.

Where CSnotepad acts as the Data Processor all data will be protected and treated in accordance with contractual agreements with the Data Controller as well as in line with Data Protection legislation.

For Accounting and Financial Records, we will retain for 6 years, unless contractual agreements specify differently.

For Complaints records we will retain for 1 year following the resolution of the complaint.

For records relating to legal cases or claims notified to the business, retention periods will be agreed on a case by case basis, in accordance with Data Protection legislation (see 5.1 above).

HR records

CSnotepad will retain all personal data using current Chartered Institute of Personal and Development Guidelines (CIPD) as a benchmark.

We will keep all records for the following sensitive personal data types for 3 years after the year it relates to:

• Income Tax
• National Insurance
• HMRC correspondence
• Statutory Sick Pay
• Statutory Maternity pay
• Parental leave records

We will keep all records for the following sensitive personal data types for 6 years after the year it relates to:

• Salary details

Retirement benefits schemes events (for example a change in minimum contribution levels)

• Redundancy records
• Pension records

Application forms and interview notes captured as part of the application process will be kept for 3 months for any unsuccessful applicant, after which any personal sensitive data will be securely removed.

If further information is required this can be obtained from our DPO either by email info@csnotepad.co.uk or by post to Data Protection Officer, CSnotepad, Gemini House, 136-140 Old Shoreham Road, Brighton, BN3 7BD.

Cookies

csnotepad.co.uk puts small files (known as 'cookies') onto your computer to collect information about how you browse the site.

Cookies are used to:

• measure how you use the website so it can be updated and improved based on your needs
• to re-advertise our services to you

Find out more about how to manage cookies.

How cookies are used on csnotepad.co.uk

Measuring website usage (Google Analytics)

We use Google Analytics software to collect information about how you use csnotepad.co.uk. We do this to help make sure the site is meeting the needs of its users and to help us make improvements.

Google Analytics stores information about:

• the pages you visit on csnotepad.co.uk
• how long you spend on each csnotepad.co.uk page
• how you got to the site
• what you click on while you’re visiting the site

We don't collect or store your personal information (for example your name or address) so this information can't be used to identify who you are.

We don't allow Google to use or share our analytics data.

Google Analytics sets the following cookies:

Universal Analytics
Name	Purpose	Expires
_ga	This helps us count how many people visit csnotepad.co.uk by tracking if you've visited before	2 years
_gid	This helps us count how many people visit csnotepad.co.uk by tracking if you've visited before	24 hours
_gat	Used to manage the rate at which page view requests are made	10 minutes
Google Analytics
Name	Purpose	Expires
_utma	Like _ga, this lets us know if you've visited before, so we can count how many of our visitors are new to csnotepad.co.uk or to a certain page	2 years
_utmb	This works with _utmc to calculate the average length of time you spend on csnotepad.co.uk	30 minutes
_utmc	This works with _utmb to calculate when you close your browser	When you close your browser
_utmz	This tells us how you reached csnotepad.co.uk (for example from another website or a search engine)	6 months
csnotepad.co.uk events
Name	Purpose	Expires
analytics_next_page_call	This lets us know the next page you visit on csnotepad.co.uk, so we can make journeys better	When you close your browser
Csnotepad.co.uk_contact_referrer	This lets us know the last page you visited before using the contact csnotepad.co.uk form	1 day

You can opt out of Google Analytics cookies.

YouTube videos

We use YouTube to provide videos on some pages of the site. YouTube sets cookies when you visit one of these pages:

https://www.youtube.com/watch?v=-zUASCey0VE

https://www.youtube.com/watch?v=OBcLA5YKJeY

https://www.youtube.com/watch?v=qf71vx3PsVU

https://www.youtube.com/watch?v=SrSo9fXcS-E