Data retention policy.
Deeson Group Ltd and Deeson Publishing Ltd (Deeson) recognises and understands that the efficient management of its data and records is necessary to support its core business functions, to comply with its legal, statutory and regulatory obligations, to ensure the protection of personal information and to enable the effective management of the organisation.
Information held for longer than is necessary carries additional risk and cost and can breach data protection rules and principles. Deeson only ever retains records and information for legitimate business reasons and use, and complies fully with UK data protection laws and guidance.
This policy applies to all Deeson staff (meaning permanent, fixed-term and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with Deeson in the UK or overseas) and has been created to ensure that staff handle the matters this policy covers in accordance with legal, regulatory, contractual and business expectations and requirements.
General Data Protection Regulation (GDPR).
Deeson needs to collect personal information about the people we employ, work with and deal with in order to carry out our everyday business functions and activities effectively and compliantly, and to provide the products and services defined by our business type. This information can include (but is not limited to) name, address, email address, date of birth, IP address, identification number, private and confidential information, sensitive information and bank details.
In addition, we may occasionally be required to collect and use certain types of personal information to comply with the requirements of the law and/or regulations. In all cases we are committed to collecting, processing, storing and destroying information in accordance with the General Data Protection Regulation, UK data protection law and any other associated legal or regulatory body rules or codes of conduct that apply to our business and/or the information we process and store.
Deeson manages records efficiently and systematically, in a manner consistent with the GDPR requirements, ISO 27001 and ISO 9001.
It is our intention to ensure that all records, and the information contained in them, are:
- Accurate - records are always reviewed to ensure that they are a full and accurate representation of the transactions, activities or practices that they document
- Accessible - records are always made available and accessible when required (with additional security permissions for select staff where applicable to the document content)
- Complete - records have the content, context and structure required to allow the reconstruction of the activities, practices and transactions that they document
- Compliant - records always comply with any record keeping legal and regulatory requirements
- Monitored - staff, company and system compliance with this Data Retention Policy is regularly monitored to ensure that the objectives and principles are being complied with at all times and that all legal and regulatory requirements are being adhered to.
Retention Period Protocols.
All records retained during their specified periods are traceable and retrievable. All company and employee information is retained, stored and destroyed in line with legislative and regulatory guidelines.
For all data and records obtained, used and stored within Deeson, we:
- Carry out periodic reviews of the data retained, checking purpose, continued validity, accuracy and the requirement to retain
- Establish periodic reviews of data retained
- Establish and verify retention periods for the data
- Where it is not possible to define a statutory or legal retention period, as per the GDPR requirement, Deeson will identify the criteria by which the period can be determined and provide this to the data subject on request and as part of our standard information disclosures and privacy notices
- Have processes in place to ensure that records pending audit, litigation or investigation are not destroyed or altered
- Transfer paper-based records and data to an alternative media format in instances of long retention periods (with the lifespan of the media and the ability to migrate data where necessary always being considered)
All systems and records have designated owners throughout their lifecycle to ensure accountability and a tiered approach to data retention and destruction. Owners are assigned based on role, business area and the level of access to data required. The designated owner is recorded on the Retention Register, which is fully accessible to all employees. Data and records are never to be reviewed, removed, accessed or destroyed without the prior authorisation and knowledge of the designated owner.
Deeson uses an Information Asset Register (IAR) to document and categorise the assets under our remit, and carries out regular Information Audits to identify, review and document all flows of data within Deeson.
The Information Audit enables us to identify, categorise and record all personal information obtained, processed and shared by our company in our capacity as a controller and processor. Its findings are compiled in a central register which includes:
- What personal data we hold
- Where it came from
- Who we share it with
- Legal basis for processing it
- What format(s) it is in
- Who is responsible for it
- Retention periods
- Access level (e.g. full, partial, restricted)
Suspension of record disposal for litigation or claims.
If Deeson is served with any legal request for records or information, if any employee becomes the subject of an audit or investigation, or if we are notified of the commencement of any litigation against our firm, we will suspend the disposal of any scheduled records until we have determined whether those records are required to meet the legal requirement.
Storage and access of records or data.
Documents are grouped together by category and then in clear date order when stored and/or archived. Documents are always retained in a secure location, with authorised personnel being the only ones to have access. Once the retention period has elapsed, the documents are either reviewed, archived or confidentially destroyed, dependent on their purpose, classification and action type.
Expiration of retention period.
Once a record or data has reached its designated retention period date, the designated owner should refer to the retention register for the action to be taken. Not all data or records are expected to be deleted upon expiration; sometimes it is sufficient to anonymise the data in accordance with the GDPR requirements or to archive records for a further period.
Destruction & disposal of records & data.
All information of a confidential or sensitive nature on paper, card, microfiche or electronic media must be securely destroyed when it is no longer required. This ensures compliance with the Data Protection laws and the duty of confidentiality we owe to our employees, clients and customers.
Deeson is committed to the secure and safe disposal of any confidential waste and information assets in accordance with our contractual and legal obligations, and to doing so in an ethical and compliant manner. We confirm that our approach and procedures comply with the laws and provisions made in the General Data Protection Regulation (GDPR) and that staff are trained and advised accordingly on the procedures and controls in place.
Due to the nature of our business, Deeson does not retain paper-based personal information, but a shredder will be made available onsite to dispose of any confidential paper materials. Any paper items with client, employee or personal data should be shredded and not left out.
Deeson uses numerous systems, computers and items of technology equipment in the running of our business. From time to time, such assets must be disposed of, and because of the information processed and held on them whilst they are active, this disposal must be handled in an ethical and secure manner.
Only Deeson Directors can authorise the disposal of any IT equipment, and they must accept and authorise such assets personally. Where possible, information is wiped from the equipment through the use of software and formatting; however, this can still leave traces of personal information that remain accessible, so all assets are additionally subject to secure disposal.
It is the explicit responsibility of the asset owner and the Deeson Directors to ensure that all relevant data has been sufficiently removed from the IT device and backed up before requesting disposal and/or prior to the scheduled pickup.
Compliance & monitoring.
Deeson is committed to ensuring continued compliance with this policy and any associated legislation, and undertakes regular audits and monitoring of our records, their management, archiving and retention. Information asset owners are tasked with ensuring the continued compliance and review of records and data within their remit.
Heads of departments and information asset owners have overall responsibility for the management of records and data generated by their departments' activities, namely to ensure that the records created, received and controlled within the purview of their department, and the systems (electronic or otherwise) and procedures they adopt, are managed in a way which meets the aims of this policy.