Data Retention Policy

ABOUT THIS POLICY

  1. The corporate information, records and data of Hydra B Power Limited and our subsidiaries is important to how we conduct business and manage employees.
  2. There are legal and regulatory requireme nts for us to retain certain data, usually for a specified amount of time. We also retain data to help our business operate and to have information available when we need it. However, we do not need to retain all data indefinitely, and retaining data can expose us to risk as well as be a cost to our business.
  3. This Data Retention Policy explains our requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal. 
  4. Failure to comply with this policy can expose us to fines and penalties, adverse publicity, difficulties in providing evidence when we need it and in running our business.
  5. This policy does not form part of any employee’s contract of employment and we may amend it at any time.

SCOPE OF POLICY

  1. This policy covers all data that we hold or have control over. This includes physical data such as hard copy documents, contracts, notebooks, letters and invoices. It also includes electronic data such as emails, electronic documents, audio and video recordings and CCTV recordings. It applies to both personal data and non-personal data. In this policy we refer to this information and these records collectively as “data”.
  2. This policy covers data that is held by third parties on our behalf, for example cloud storage providers or offsite records storage. It also covers data that belongs to us but is held by employees on personal devices.
  3. This policy explains the differences between our formal or official records, disposable information, confidential information belonging to others, personal data and non-personal data. It also gives guidance on how we classify our data.
  4. This policy applies to all business units and functions of Hydra B Power Limited.

GUIDING PRINCIPLES

Through this policy, and our data retention practices, we aim to meet the following commitments:

  • We comply with legal and regulatory requirements to retain data.
  • We comply with our data protection obligations, in particular to keep personal data no longer than is necessary for the purposes for which it is processed (storage limitation principle).
  • We handle, store and dispose of data responsibly and securely.
  • We create and retain data where we need this to operate our business effectively, but we do not create or retain data without good business reason.
  • We allocate appropriate resources, roles and responsibilities to data retention.
  • We regularly remind employees of their data retention responsibilities.
  • We regularly monitor and audit compliance with this policy and update this policy when required.

ROLES AND RESPONSIBILITIES

  1. Responsibility of all employees. We aim to comply with the laws, rules, and regulations that govern our organisation and with recognised compliance good practices. All employees must comply with this policy, the Record Retention Schedule, any communications suspending data disposal and any specific instructions from the Legal Department. Failure to do so may subject us, our employees, and contractors to serious civil and/or criminal liability. An employee’s failure to comply with this policy may result in disciplinary sanctions, including suspension or termination. It is therefore the responsibility of everyone to understand and comply with this policy.
  2. The IT is responsible for identifying the data that we must or should retain, and determining, in collaboration with the Legal Department, the proper period of retention. It also arranges for the proper storage and retrieval of data, co-ordinating with outside vendors where appropriate. Additionally, the IT handles the destruction of records whose retention period has expired.
  3. We have designated IT Director. The IT Director is head of the Records Management and is responsible for:
  • Administering the data management programme.
  • Helping department heads implement the data management programme and related best practices.
  • Planning, developing, and prescribing data disposal policies, systems, standards, and procedures; and
  • Providing guidance, training, monitoring and updating in relation to this policy.
  1. Data Protection Officer. Our Data Protection Officer (DPO) is responsible for advising on and monitoring our compliance with data protection laws which regulate personal data. Our DPO works with our IT Director on the retention requirements for personal data and on monitoring compliance with this policy in relation to personal data.

TYPES OF DATA AND DATA CLASSIFICATIONS

  1. Formal or official records. Certain data is more important to us and is therefore listed in the Record Retention Schedule. This may be because we have a legal requirement to retain it, or because we may need it as evidence of our transactions, or because it is important to the running of our business. Please see paragraph 6.1 below for more information on retention periods for this type of data. 
  2. Disposable information. Disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a formal or official record as defined by this policy and the Record Retention Schedule. Examples may include:
  • Duplicates of originals that have not been annotated.
  • Preliminary drafts of letters, memoranda, reports, worksheets, and informal notes that do not represent significant steps or decisions in the preparation of an official record.
  • Books, periodicals, manuals, training binders, and other printed materials obtained from sources outside of Hydra B Power Limited and retained primarily for reference purposes.
  • Spam and junk mail.

Please see paragraph 6.2 below for more information on how to determine retention periods for this type of data.

  1. Personal data. Both formal or official records and disposable information may contain personal data; that is, data that identifies living individuals. Data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed (principle of storage limitation). See paragraph 6.3 below for more information on this.
  2. Confidential information belonging to others. Any confidential information that an employee may have obtained from a source outside of Hydra B Power Limited, such as a previous employer, must not, so long as such information remains confidential, be disclosed to or used by us. Unsolicited confidential information submitted to us should be refused, returned to the sender where possible, and deleted, if received via the internet. 
  3. Data classifications. Some of our data is more confidential than other data. Our Data Protection Policy explains how we classify data and how each type of data should be marked and protected. When complying with this policy, it is also important that you follow our Data Protection Policy.

RETENTION PERIODS

  1. Formal or official records. Any data that is part of any of the categories listed in the Record Retention Schedule contained in the Annex to this policy, must be retained for the amount of time indicated in the Record Retention Schedule. A record must not be retained beyond the period indicated in the Record Retention Schedule, unless a valid business reason (or notice to preserve documents for contemplated litigation or other special situation) calls for its continued retention. If you are unsure whether to retain a certain record, contact the IT Director or the Legal Department.
  2. Disposable information. The Record Retention Schedule will not set out retention periods for disposable information. This type of data should only be retained as long as it is needed for business purposes. Once it no longer has any business purpose or value it should be securely disposed of. For guidance on how to make decisions on how long to retain disposable information, please see.
  3. Personal data. As explained above, data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed (principle of storage limitation). Where data is listed in the Record Retention Schedule, we have taken into account the principle of storage limitation and balanced this against our requirements to retain the data. Where data is disposable information, you must take into account the principle of storage limitation when deciding whether to retain this data. 
  4. What to do if data is not listed in the Record Retention Schedule. If data is not listed in the Record Retention Schedule, it is likely that it should be classed as disposable information. However, if you consider that there is an omission in the Record Retention Schedule, or if you are unsure, please contact the IT Director.

STORAGE, BACK-UP AND DISPOSAL OF DATA

  1. Storage. Our data must be stored in a safe, secure, and accessible manner. Any documents and financial files that are essential to our business operations during an emergency must be duplicated and/or backed up at least once per week and maintained off site. Please refer to our Business Continuity Plan.
  2. Destruction. Our IT Director is responsible for the continuing process of identifying the data that has met its required retention period and supervising its destruction. The destruction of confidential, financial, and employee-related hard copy data must be conducted by shredding if possible. Non-confidential data may be destroyed by recycling. The destruction of electronic data must be co-ordinated with the IT Department.
  3. The destruction of data must stop immediately upon notification from the Legal Department that preservation of documents for contemplated litigation is required (sometimes referred to as a litigation hold). This is because we may be involved in a legal claim or an official investigation (see next paragraph). Destruction may begin again once the Legal Department or IT Department lifts the requirement for preservation.

SPECIAL CIRCUMSTANCES

  1. Preservation of documents for contemplated litigation and other special situations. We require all employees to comply fully with our Record Retention Schedule and procedures as provided in this policy. All employees should note the following general exception to any stated destruction schedule: If you believe, or the Legal Department or IT Department informs you, that certain records are relevant to current litigation or contemplated litigation (that is, a dispute that could result in litigation), government investigation, audit, or other event, you must preserve and not delete, dispose, destroy, or change those records, including emails and other electronic documents, until the Legal Department IT Department determines those records are no longer needed. Preserving documents includes suspending any requirements in the Record Retention Schedule and preserving the integrity of the electronic files or other format in which the records are kept.   
  2. If you believe this exception may apply, or have any questions regarding whether it may apply, please contact the Legal Department or IT Department.
  3. In addition, you may be asked to suspend any routine data disposal procedures in connection with certain other types of events, such as our merger with another organisation or the replacement of our information technology systems.

WHERE TO GO FOR ADVICE AND QUESTIONS

  1. Questions about the policy. Any questions about retention periods relevant to your department should be raised with your department or DPO or IT Director. Any questions about this policy should be referred to Richard Solomon (07771547547; Richard.solomon@wrightbus.com), who is in charge of administering, enforcing, and updating this policy.

BREACH REPORTING AND AUDIT 

  1. Reporting policy breaches. We are committed to enforcing this policy as it applies to all forms of data. The effectiveness of our efforts, however, depend largely on employees. If you feel that you or someone else may have breached this policy, you should report the incident immediately to your supervisor. If you are not comfortable bringing the matter up with your immediate supervisor, or do not believe the supervisor has dealt with the matter properly, you should raise the matter with the IT Director or Legal Department. If employees do not report inappropriate conduct, we may not become aware of a possible breach of this policy and may not be able to take appropriate corrective action.
  2. No one will be subject to and we do not allow, any form of discipline, reprisal, intimidation, or retaliation for reporting incidents of inappropriate conduct of any kind, pursuing any record destruction claim, or co-operating in related investigations.
  3. Audits. Our General Counsel IT Director will periodically review this policy and its procedures (including where appropriate by taking outside legal or auditor advice to ensure we are in compliance with relevant new or amended laws, regulations or guidance. Additionally, we will regularly monitor compliance with this policy, including by carrying out audits.

OTHER RELEVANT POLICIES

  1. This policy supplements and should be read in conjunction with our other policies and procedures in force from time to time, including without limitation our:
  • IT and communications systems policy.
  • IT acceptable use policy.
  • Data protection policy.
  • Confidentiality policy.
  • Data classification policy.
  • Business continuity policy.
  • And other IT, security and data related policies, which are available from the It Department.

DEFINITIONS

Data: all data that we hold or have control over and therefore to which this policy applies. This includes physical data such as hard copy documents, contracts, notebooks, letters and invoices. It also includes electronic data such as emails, electronic documents, audio and video recordings and CCTV recordings. It applies to both personal data and non-personal data. In this policy we refer to this information and these records collectively as “data”.

Data Protection Officer: our Data Protection Officer who is responsible for advising on and monitoring compliance with data protection laws.

Data Retention Policy: this policy, which explains our requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal.

Disposable information: disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a formal or official record as defined by this policy and the Record Retention Schedule.

Formal or official record: certain data is more important to us and is therefore listed in the Record Retention Schedule. This may be because we have a legal requirement to retain it, or because we may need it as evidence of our transactions, or because it is important to the running of our business. We refer to this as formal or official records or data.

Non-personal data: data which does not identify living individuals, either because it is not about living individuals (for example financial records) or because it has been fully anonymised.

Personal data: any information identifying a living individual or information relating to a living individual that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. This includes special categories of personal data such as health data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour. 

 Records Management Department: the department responsible for identifying the data that we must or should retain, and determining, in collaboration with the Legal Department IT Department the proper period of retention. It also arranges for the proper storage and retrieval of data, co-ordinating with outside vendors where appropriate and handles the destruction of some records whose retention period has expired.

Records Management Officer: the IT Director is head of the Records Management Department and is responsible for administering the data management programme, helping department heads implement it and related best practices, planning, developing, and prescribing data disposal policies, systems, standards, and procedures and providing guidance, training, monitoring and updating in relation to this policy.

Record Retention Schedule: the schedule attached to this policy which sets out retention periods for our formal or official records. 

Storage limitation principle: data protection laws require us to retain personal data for no longer than is necessary for the purposes for which it is processed. This is referred to in the UK GDPR as the principle of storage limitation.

RECORD RETENTION SCHEDULE

Hydra B Power Limited establishes retention or destruction schedules or procedures for specific categories of data. This is done to ensure legal compliance (for example with our data protection obligations) and accomplish other objectives, such as protecting intellectual property and controlling costs. 

Employees should comply with the retention periods listed in the record retention schedule below, in accordance with the Hydra B Power Limited Data Retention Policy. 

If you hold data not listed below, please refer to the Hydra B Power Limited Data Retention Policy .If you still consider your data should be listed, if you become aware of any changes that may affect the periods listed below or if you have any other questions about this record retention schedule, please contact Richard Solomon.

COMPANY AND CORPORATE RECORDS

TYPE OF DATA

RETENTION PERIOD

REASON

COMMENTS

Accounting records.

-3 years from the date they were made (private company)

-6 years from the date they were made (public company)

Section 388(4) Companies Act 2006 (CA 2006)

Tax requirements or other legislation may require longer.

Register of members.

Entries for former members can be removed 10 years after the date they ceased to be members.

Section 121, CA 2006

Register of directors.

Indefinite

Usual practice

Section 162 of the CA 2006 requires the register to be kept but legislation is not explicit about retention periods. General practice is to retain details of current and former directors, together with date of ceasing to be a director.

Register of directors’ residential addresses.

Remove addresses of former directors after 10 years.

Best practice

Section 165 of the CA 2006 requires the register to be kept but there is no statutory retention period or indication whether addresses of former directors should be removed. Company will need to consider anything that has been told to directors and what is appropriate.

Minutes of internal directors’ meetings.

10 years from the date of the meeting

Section 248, CA 2006

Statutory minimum period (no period applies to meetings held before 1 October 2007, but best practice is to apply a consistent standard).

Members resolutions passed other than at general meetings; minutes of general meetings, details of decisions provided by a sole director.

10 years from date of resolution, decision or meeting

Sections 355 and s358, CA 2006

Minimum period; can be extended if appropriate.

Health and safety inspections, property management and asset records.

6 years

Health and Safety at Work Act 1974 and Limitation Act 1980, Limitation (NI) Order 1989

Historical records and archives about the company e.g., former directors, chairpersons, employees of note etc.

Indefinite

Usual practice

Balance data minimisation principle against the need to retain this information for historical purposes in the legitimate interests of the organisation.

HR AND HEALTH AND SAFETY

TYPE OF DATA

RETENTION PERIOD

REASON

COMMENTS

Accident books, accident records/reports

3 years from the last entry (or until a younger person involved in the accident has reached 21 years old

The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR) (SI 1995/3163) as amended, and Limitation Act 1980 and Limitation (NI) order 1989. Special rules apply concerning hazardous chemicals or substances

Coronavirus Furlough Records

6 years

Statutory Retention Period 6 years for furlough records including amounts claimed, claim period per employee, reference number and calculations. See Coronavirus Job Retention Scheme

First Aid Training

6 years after employment

Health and Safety (First Aid) Regulations 1981

Fire Warden Training

6 years after employment

Fire Precautions (Workplace) Regulations 1997

Health and Safety Representatives and Employees’ training

5 years after employment

Health and Safety (Consultation) Regulations 1996 and Health and Safety Information for Employees Regulations 1989

Income tax and NI returns, income tax records and correspondence with HMRC

3 years after end of financial year 

Not less than 3 years after the end of the relevant financial year. The Income Tax Regulations 1933 (SI 1993/744) as amended.

Medical records and details of biological tests under the Control of Lead at Work Regulations

40 years from the date of the last entry

The Control of Lead at Work Regulations 1998 (SI 1988/543) as amended by the Control of Lead at Work Regulations 2022 (SI 2022/2676)

Medical records as specified by the Control of Substances Hazardous to Health Regulations (COSHH)

40 years from the date of the last entry

The Control of Substances Hazardous to Health Regulations 1999 and 2002 (COSHH) (SIs 1999/437 and 2002/2677).

Medical records under the Control of Asbestos at Work Regulations:

40 years from the date of the last entry (medical records); 4 years from the date of issue (medical examination certificates).

The Control of Asbestos at Work Regulations in 2002, 2006 and 2012  (SI 2002/ 2675) (SI 2006/2739) and  (SI 2012/632).

Medical records under the Ionising Radiations Regulations 1999

Until the person reaches 75 years of age, but in any event for at least 50 years.

The Ionising Radiations Regulations 1999 (SI 1999/3232).

National minimum wage records

3 years after the end of the pay reference period following the one that the records cover.

National Minimum Wage Act 1998.

Payroll wage/salary records (also overtime, bonuses, expenses)

Statutory retention period: 6 years from the end of the tax year to which they relate.

Taxes Management Act 1970

Records of tests and examinations of control systems and protective equipment under the Control of Substances Hazardous to Health Regulations (COSHH)

5 years from the date on which the tests were carried out.

The Control of Substances Hazardous to Health Regulations 1999 and 2002 (COSHH) (SIs 1999/437 and 2002/2677).

Retirement Benefits Schemes

6 years from the end of the scheme year in which the event took place.

The Retirement Benefits Schemes (Information Powers) Regulations 1995 (SI 1995/3103)

Statutory Maternity Pay records including Mat B1s (also shared parental, paternity and adoption pay records)

3 years after the end of the tax year in which the maternity period ends.

The Statutory Maternity Pay (General) Regulations 1986 (SI 1986/1960) as amended, Maternity & Parental Leave Regulations 1999.

Subject access request

1 year following completion of the request

Data Protection Act 2018.

VAT deferral (COVID-19)

Statutory retention period: 6 years.

HMRC VAT deferral guidance.

Whistleblowing documents

6 months following the outcome (if a substantiated investigation). If unsubstantiated, personal data should be removed immediately

Public Interest Disclosure Act 1998 and recommended IAPP practice.

Working time records including overtime, annual holiday, time off for dependents, etc

2 years from date on which they were made.

The Working Time Regulations 1998 (SI 1998/1833).

Flexible working requests

Recommended period: 18 months following any appeal. This is because a further request cannot be made for 12 months following a request plus allowing for a 6-month tribunal limitation period on top.

Parental leave

Recommended period: 18 years from the birth of the child.

Personnel files and training records (including disciplinary and working time records)

Recommended period: 6 years after employment ceases but may be unreasonable to refer to expired warnings after two years have elapsed.

Recruitment application forms and interview notes (for unsuccessful candidates)

Recommended period: 6 months to a year. Because of the time limits in the Equality Act, relating to advertising of vacancies and job applications should be at least 6 months. A year may be more advisable as the time limits for bringing claims can be extended. Successful job applicants’ documents will transfer to the personnel file.

Redundancy details, calculations of payments, refunds, notification to the Secretary of State

Recommended period: 6 years from the date of redundancy.

References

Recommended period: At least one year after the reference is given to meet the limitation period for defamation claims.

Right to work in the UK checks

Recommended period: Home Office recommended practice is 2 years after employment ends.

Senior executives’ records (senior management team or equivalents)

Recommended period: Some records may need permanent retention such as documents from the company’s incorporation, shareholdings, resolutions, memorandum and articles, annual returns, register of directors’ interests, share documents, accounts, liability policies, pension scheme documents etc most of which should be retained permanently. Retain personal records, performance appraisals, employment contracts etc for 6 years after the employee has left to reflect the main limitation period.

Statutory Sick Pay (SSP) records, calculations, certificates, self-certificates, occupational health reports. Also COVID-19-related SSP records such as the dates off sick.

Recommended period: The Statutory Sick Pay (Maintenance of Records) (Revocation) Regulations 2014 (SI 2014/55) abolished the former obligation to keep these records. Although there is no longer a specific statutory retention period, employers must keep sickness records to best suit their business needs. Six months after the end of the period of sick leave is sensible in case of a disability discrimination claim. For personal injury claims, the limitation is 3 years. If there’s a contractual claim for breach of an employment contract then keep records for 6 years after the employment ceases. Employers should keep a record of SSP paid due to COVID-19 as HMRC may request records.

The Statutory Sick Pay (Maintenance of Records) (Revocation) Regulations 2014 (SI 2014/55)

Termination of employment, for example early retirement, severance or death in service

Recommended period: At least 6 years although the ICO’s retention schedule suggests until employee reaches age 100.

Terms and conditions including offers, written particulars, and variations

Recommended period: Review 6 years after employment ceases or the terms are superseded.

Timecards

Recommended period: 2 years after audit.

Trade union agreements

Recommended period: 10 years after ceasing to be effective.

PENSIONS RECORDS

TYPE OF DATA

RETENTION PERIOD

REASON

COMMENTS

Name and address of scheme or provider of the automatic enrolment scheme used to comply with the employer’s duties. 

6 years

Employers’ Duties (Registration and Compliance) Regulations 2010 (SI 2010/5) (Employers’ Duties Regulations 2010) (regulations 5, 6 and 8).

Minimum statutory period.

Employer pension scheme reference.

6 years

Employers’ Duties Regulations 2010 (regulations 5, 6 and 8).

Minimum statutory period.

Evidence scheme complies with auto-enrolment statutory quality tests. 

6 years

Employers’ Duties Regulations 2010 (regulations 5, 6 and 8).

Minimum statutory period.

Name, NI number, date of birth and automatic enrolment date of all jobholders auto enrolled (and corresponding details for non-eligible jobholders and entitled workers who have opted in or joined).

6 years

Employers’ Duties Regulations 2010 (regulations 5, 6 and 8).

Minimum statutory period.

Evidence of jobholders’ earnings and contributions.

6 years

Employers’ Duties Regulations 2010 (regulations 5, 6 and 8).

Minimum statutory period.

Contributions payable by employer in respect of jobholders and dates on which employer contributions were paid to scheme.

6 years

Employers’ Duties Regulations 2010 (regulations 5, 6 and 8).

Minimum statutory period.

If auto-enrolment postponement period used, records of workers who were given notice of postponement including full name, NI number and date postponement notice was given.

6 years

Employers’ Duties Regulations 2010 (regulations 5, 6 and 8).

Minimum statutory period.

Auto-enrolment opt-in notices, joining notices and opt-out notices (original format).

6 years (4 years for opt-out notices)

Employers’ Duties Regulations 2010 (regulations 5, 6 and 8).

Minimum statutory period.

Opt-in notices, joining notices and opt-out notices must be kept in the original format, although copies of the original format or electronically stored versions are acceptable (Pensions Regulator, Detailed Guidance Note 9, Keeping records, paragraph 8). 

If employer is (or was) sponsoring employer of an occupational pension scheme, any document relating to monies received by or owing to the scheme, investments or assets held by the scheme, payments made by the scheme, contracts to purchase a lifetime annuity in respect of scheme member and documents relating to the administration of the scheme. 

For the tax year to which they relate and the following 6 years

Registered Pension Schemes (Provision of Information) Regulations 2006 (SI 2006/567) (regulation 18). 

Minimum statutory period.

Information relating to applications for ill health early retirement benefits, including medical reports.

While entitlement continues and for period of 15 years after benefits stop being paid.

Limitation period

Employers may also need to keep data relating to employees’ job descriptions to assist with any ill-health application.

Death benefit nomination and revocation forms.

While entitlement continues and for period of 15 years after the death of member and their beneficiaries. 

Limitation period

Longer may be required for public sector employees e.g., the National Archives suggests 100 years from date of birth.

FACILITIES AND SECURITY RECORDS

TYPE OF DATA

RETENTION PERIOD

REASON

COMMENTS

CCTV recordings.

90 days for routine recordings

As long as necessary for any investigations or claims that arise.

Best practice

No set period in law but as these can contain personal data, should be kept for no longer than is necessary for the purpose.

Relevant authorities must comply with the Surveillance Camera Code of Practice.

Visitor logs.

6 months

Best practice

No set period in law but as these can contain personal data, should be kept for no longer than is necessary for the purpose.

Property management and asset records.

6 years or 12 years depending on whether the agreement is executed as a simple contract or a deed respectively

Limitation period

If agreement has been executed as a simple contract, actions are time barred 6 years from the date of breach of contract (section 5, Limitation Act 1980). If the agreement is executed as a deed, actions are time barred 12 years from the accrual of the cause of action (section 8, Limitation Act 1980). Sections differ in Limitation (NI) Order 1989

Building contracts.

12 years from practical completion when executed as a deed

Limitation period

An organisation may wish to break this down into sub-categories of agreement, for example, professional appointment, building contract, collateral warranty, third-party rights, development agreement and novation or assignment documents.

An organisation may also wish to list related documents such as insurance and finance, for example, bonds and parent company guarantees.

In addition, consideration should be given to other records relating to the building works, such as correspondence, which may be required in the event of a dispute. 

Leases.

6 or 12 years depending on the issue

Limitation period

Lease is usually executed as a deed, actions under leases are time barred 12 years from the accrual of the cause of action Limitation (NI) Order 1989 and Limitation Act 1980-UK).

Health and safety files for building works .

6 years from completion

Limitation period

Organisations may wish to retain for longer to assist with future works and maintenance. 

IT RECORDS

TYPE OF DATA

RETENTION PERIOD

REASON

COMMENTS

General information about internally developed IT infrastructure, software and systems for internal use.

 5 years from decommissioning of system

Business need

No statutory period so organisation can balance need to retain these records against data minimisation principle.

General information about externally developed IT infrastructure, software and systems for internal or external use.

 7 years from decommissioning of system

Contractual obligation

Limitation period

See also Procurement section

General information about internally developed IT infrastructure, software and systems for external use.

 7 years from decommissioning of system

Contractual obligation

Limitation period

Where IT infrastructure, software or systems are used externally (for example, by customers) then this information may be relevant to claims and disputes.

Systems monitoring, (for example, to detect and prevent failures vulnerabilities and external threats).

Current year plus 1 year

Consider whether records can be fully anonymised after this period (or no personal data collected in first place) where there is a need to keep these logs for longer or indefinitely

Business need

Contractual obligation

Limitation period

No statutory period so organisation can balance need to retain these records against data minimisation principle.

It may be advisable for an organisation to keep monitoring logs for as long as possible as malware or malicious code may go undetected in a system for a long period of time. 

Where IT infrastructure, software or systems are used externally (for example, by customers), monitoring logs might also be relevant to claims and disputes.

Business continuity and information security plans.

3 years from when the plan is superseded.

Consider whether record can be fully anonymised after this period (or no personal data collected in first place) where there is a contractual or legal obligation to keep these plans for a longer period.

Business need

Legal or contractual obligation

Limitation period

No statutory period so organisation can balance need to retain these records against data minimisation principle.

However, consider whether organisation is subject to any legal or contractual obligations in respect of business continuity which might necessitate a longer retention period, for example, under the NIS Regs.

Where IT infrastructure, software or systems are used externally (for example, by customers), business continuity plans might also be relevant to claims and disputes.

Technical support and help-desk requests.

3 years from end of system

Consider whether record can be fully anonymised after this period (or no personal data collected in first place) where there is a need to keep these requests for a longer period (for example, 7 years to align with limitation periods)

Business need.

Contractual obligation.

Limitation period.

No statutory period so organisation can balance need to retain these records against data minimisation principle.

Consider whether support services are provided to external customers, in which case contractual obligations and limitation periods may be relevant.

Technical information relating to external customer user accounts.

1 year from account closure.

Consider whether record can be fully anonymised after this period (or no personal data collected in first place) where there is a need to keep these plans for a longer period.

Business need

Contractual obligation

Limitation period

No statutory period so organisation can balance need to retain these records against data minimisation principle.

Consider whether contractual obligations and limitation periods may be relevant.

Contracts and agreements (software licences, support agreements, hardware agreements etc.).

7 years from expiry of the agreement

Limitation period

See also Procurement section.

System backups.

3 months

Business need

May be different depending on the system.

SALES, MARKETING AND CUSTOMER RECORDS

TYPE OF DATA

RETENTION PERIOD

REASON

COMMENTS

Bought in mailing lists and associated contracts.

1 year for mailing lists. 

6 years from expiry or termination for contracts (12 years for contracts executed as a deed).

Best practice for mailing lists

Limitation period for contracts

Consult ICO guidance on bought-in lists; ICO Direct Marketing Code recommends that organisations should not rely on indirect consent given more than 6 months ago.

Marketing database records (e.g., lead generation, meeting feedback, contact data etc.).

2 years from last contact

Business need

Depends on the nature of the business.

Customer relations database records (e.g. call centre records, queries, meeting feedback, account history etc.).

6 years from last contact

Business needs and limitation period.

Order fulfilment records.

6 years from completion

Limitation period and accounting requirement.

Opt-out/suppression lists.

Indefinite

Business and compliance need.

Only sufficient information to enable the opt out should be retained.

Evidence of consent to marketing (including electronic marketing).

While consent valid

6 years from date consent withdrawn or ceases to be valid

Business need

Limitation period

Consent can be withdrawn at any time and may not necessarily remain valid indefinitely although how long it remains valid will depend on the context.

Market research, marketing campaigns

2 years from completion

Business need

DMA suggests two years from last campaign.

Press releases

5 years from publication

Business need

Customer complaints handling

6 years from settlement or closure

Business need and limitation period

Website analytics reports from cookies and other similar technology

2 years

Business need

This refers to the output from information obtained via cookies. No firm period recommended by the ICO.

Cookies themselves may be set for different periods depending on the function of the cookie. 

PROCUREMENT RECORDS

TYPE OF DATA

RETENTION PERIOD

REASON

COMMENTS

Unsuccessful tenders

2 years

Business need

Businesses that have a large number of tenders may prefer to only retain for 1 year but will depend on the nature of the business.

Successful tenders

Contract period plus 6 years (12 years for contracts executed as a deed).

Limitation period

Contractual documents 

Contract period plus 6 years (12 years for contracts executed as a deed).

Limitation period

LEGAL RECORDS

TYPE OF DATA

RETENTION PERIOD

REASON

COMMENTS

Legal advice and opinions (non-litigation).

6 years after life of the service or matter the advice relates to

Business need

Legal advice and other records relating to specific litigation or claim.

6 years from settlement or withdrawal of claim

Limitation period

Data subject rights requests

6 years from closure of request

Limitation period

Previous versions of policies, including IT policy, privacy policy, retention policy etc.

6 years form being superseded

Business needs and limitation period in the event of a related claim

Monitoring and investigation requests

6 years from closure of investigation

Limitation period

Insurance claims

3 years after settlement

Limitation period

NI Compliant Equality Legislation

TYPE OF DATA

RETENTION PERIOD

REASON

COMMENTS

Legal advice and opinions (non-litigation).

6 years after life of the service or matter the advice relates to

Business need

Legal advice and other records relating to specific litigation or claim.

6 years from settlement or withdrawal of claim

Limitation period

Data subject rights requests

6 years from closure of request

Limitation period

Previous versions of policies, including IT policy, privacy policy, retention policy etc.

6 years form being superseded

Business need and limitation period in the event of a related claim

Article 55 complete report every 3 years and must be kept for a further 3 years 

3 years 

Fair Employment Legislation