Data Retention Policy
UKStartups.co (“we”, “our”, “us”) shall only keep information it holds for as long as is necessary. The retention periods can differ based on the type of data processed, the purpose of processing or other factors.
This Data Retention Policy (“Policy”) covers all company data stored on company-owned, company-leased, and otherwise company-provided systems and media, regardless of location. Note that the need to retain certain information can be mandated by local or industry regulations, and retention will comply with the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2016. Where this Policy differs from applicable regulations, the applicable regulations will take precedence.
As a general rule, we retain all information only for as long as specified in this Policy and, in general, no longer than five years plus the current year.
Current plus five-year rule
As a general rule, we shall not hold personal data for more than five years after it ceases to be current, unless there is a specific reason for doing so (see ‘Exceptions to the five-year rule’ below for the specific categories requiring different retention periods). The definition of ‘current’ will vary according to the personal data: for example, it will mean until a customer has found office space or, where it relates to staff, until a member of staff has ceased being employed by UKStartups.co.
It should be remembered that the ‘current plus five years’ rule is a maximum period for retention. If there is no need to keep the personal data that long, then it should be disposed of securely before the five-year time-limit. This may be the case in respect of a CV application for a job with us.
Exceptions to the five-year rule
Some data must be retained in order to protect UKStartups’ interests, preserve evidence, and generally conform to good business practices. Some reasons for data retention include:
- Regulatory requirements
- Litigation
- Security incident investigation
UKStartups may also keep the e-mail addresses and telephone numbers of data subjects who unsubscribe from marketing communications to ensure that there is a record on file noting that the individual is not to be directly marketed to.
Please see the attached Data Retention Schedule (“Schedule”) for guidance on determining the length of time for which personal data within certain categories should be retained.
Data destruction
Data destruction is a critical component of a data retention policy. Data destruction ensures that the company will use data efficiently, thereby making data management and data retrieval more cost-effective.
When the retention timeframe expires, UKStartups will actively destroy the data covered by this Policy. If an employee of UKStartups feels that certain data should not be destroyed, he or she should identify the data to his or her supervisor so that an exception to the Policy can be considered. Since this decision has long-term legal implications, exceptions will be approved only by a member or members of UKStartups’ management team.
UKStartups specifically directs employees not to destroy data in violation of this Policy. Destroying data that an employee may feel is harmful to himself or herself, or destroying data in an attempt to cover up a violation of law or company policy, is strictly forbidden.
Records can be destroyed in the following ways:
- Non-sensitive information – can be placed in a normal rubbish bin/recycling.
- Confidential information – cross-cut shredded and pulped or burnt.
- Electronic equipment containing information – destroyed using KillDisk; individual folders will be permanently deleted from the system.
Destruction of electronic records should render them non-recoverable even using forensic data recovery techniques.
Sharing of information
Duplicate records should be destroyed. Where information has been regularly shared between business areas, only the original records should be retained. Care should be taken that seemingly duplicate records have not been annotated.
Where we share information with other bodies, we will seek to ensure that they have adequate procedures for records to ensure that the information is managed in accordance with the relevant legislation and regulatory guidance.
Audit trail
You do not need to document the disposal of records which have been listed on the Schedule. Any documents which are disposed of earlier or kept for longer than listed in the Schedule will need to be recorded for audit purposes.
This will provide an audit trail for any inspections conducted by the Information Commissioner, where we no longer hold the material.
Monitoring
Responsibility for monitoring this Policy rests with a Chief Monitoring Officer (CMO). This Policy shall be reviewed annually.
Data Retention Schedule
| Category | Examples | Retention Period |
| --- | --- | --- |
| Financial records | Payroll data; Purchase Ledger, Sales Ledger | Current tax year plus five years |
| Personal data relating to customers | Customer contact details; Customer notes | Personal data will be held for as long as the individual is a customer of the company plus 6 years. |
| Personal data relating to employees | Staff details; References; Disciplinary records | General employee data will be held for the duration of employment and then for 6 years after the date of termination. Employee contracts will be held for 6 years after the date of termination. |
| Tax records | Tax documentation | Current financial year plus 6 years |
| Corporation records | Annual Report and Accounts; Board Minutes; Quarterly Reports | Current financial year plus 5 years |
| Recruitment details | CV; Interview notes | Details relating to unsuccessful applicants will be held for 6 months after interview and shall then be destroyed |
| Complaints | Correspondence with complainants | Current year of complaint plus six years |
| Contractual arrangements | Service level agreements; Legal contracts | Life of contract plus six years |
| Data protection requests | Correspondence regarding DP requests | Current year of request plus six years |
| Insurance | Insurance Policies; Employers Liability Claims | In general, insurance policies should be kept for the length of the policy plus 6 years. Employers Liability Claims should be kept permanently. |