Data retention policy

1. Introduction

  • Maintaining business records in a systematic and reliable manner is essential to comply with our legal and regulatory requirements, e.g. relating to data protection, tax and employment. It also reduces the costs and risks associated with retaining unnecessary information.
  • This record management policy has been developed to help us properly manage the records of geo. It sets out:
    • what records are
    • how records should be classified and stored
    • how long different classes of record should be retained
    • how records should be disposed of

2. Responsibility and application

  • The legal team is responsible for ensuring this policy is maintained.
  • This policy applies to everyone at geo and is for everyone to familiarise themselves with. It is our intent that we will retain electronic copies of records only unless hard copies are explicitly required.  In cases where we have an electronic record, any corresponding hard copy record may be disposed of according to the table below.
  • This policy does not form part of any employee’s contract of employment and we may supplement or amend this policy with additional policies and guidelines from time to time. Any new or modified policy will be circulated to staff before being adopted.

3. What are records?

  • For the purposes of this policy, records are documents, communications and other materials that are written, recorded or otherwise machine readable. Records can exist in different formats including electronic, paper, book, facsimile, film, videotape, audiotape, and other formats available through existing and emerging technologies.
  • Voicemail, text or instant messages do not constitute records, except those that have been recorded and retained for business or regulatory purposes, e.g. emails or texts relating to HR issues.
  • There are two types of records: business records and short-term records.

4. Business records:

  • Business records are records created or received in the course of geo’s business that:
    1. document a business-related event or activity
    2. demonstrate a business transaction
    3. identify individuals who participated in a business activity
    4. support a business-related event, activity, or transaction, or
    5. are needed for other legal, business, or compliance reasons
  • Business records must be properly classified, stored, retained and disposed of in accordance with this policy.

5. Short-term records:

  • Short-term records are those with no enduring business or operational value, and which are not considered to be business records. These include:
    1. general company-wide, division-wide or departmental announcements, notices or updates
    2. unsolicited vendor bids and/or offers
    3. routine and general correspondence having only an immediate or short-term value, and
    4. personal files, emails or other documents.
  • As a general rule, short-term records should be retained for no longer than 30 days where possible. On occasion, it may be necessary to retain short-term records for longer than 30 days.  However, once the record is no longer needed, it should be destroyed promptly.
  • Back up processes are dealt with in our System Security Policy, this process is run by the IT Manager.
  • Short-term records, including any personal files, emails or other documents on company premises or systems, may become business records if they are relevant to a legal or business matter of geo.

6. Creation of records

The individual or department that authored, created or is the primary custodian of a record is responsible for ensuring it is retained and destroyed in accordance with this policy.

7. Classification of business records

It is not possible to list every possible type of record and say how it should be classified. Instead, you should consider the following questions and exercise your judgement.

Does the record include personal data? As a general guide this is data which identifies or can be used to identify an individual (the ‘data subject’).,This may be:,a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.
Are we under an obligation to store, transmit, or delete the information in the record in a certain manner? This obligation could be imposed by a regulator or a contractual agreement with a supplier or customer, eg HMRC requiring us to retain tax records.
What is the commercial or competitive value of this information? Information that would be valuable to our competitors such as trade secrets, strategic plans, pricing information, or merger and acquisition activity must be classified as confidential.
What is the potential impact if the record is inadvertently disclosed, corrupted, lost or destroyed? Classify records as either restricted or confidential if inadvertent disclosure or loss etc would have an adverse impact on:
– an individual
– our reputation, competitive position, revenue or share value or
– any of our customers, agents, suppliers or other partners
Is the record in the public domain? Provided the record is in the public domain for legitimate reasons, eg not as a result of breach of confidence, the record should be classified as public.

8. Retention of business records

Business records must be retained as long as required by relevant laws and regulations and in accordance with our business needs.

9. Retention periods

  • Record types and retention sets out how long records will normally be held and when the record will be destroyed. We periodically review and update with additional record types.
  • Business records should not be disposed of or destroyed before the relevant retention period expires.
  • Business records should not, however, be kept longer than the relevant retention period unless the retention period for that particular record has been suspended
  • Where more than one retention period applies to a record, it should be retained in accordance with the longest retention period.
  • If a record type is not listed in the record retention schedule and is not a short-term record as mentioned above, contact the legal team for guidance.
  • The following are not subject to the record retention schedule:
    • IT system backups—these are designed for operational restoration purposes and are not to be used for the retention of business records.

10. Retention Format

Most business records can be retained exclusively in electronic form and hard copies do not usually need to be retained. The exceptions to this are:

Any Deeds relating to property. The deeds are proof of ownership of and/or may be required to deal with queries on title.
Share certificates A share certificate is prima facie evidence of ownership.
Documents registered with the HM Land Registry The original should not be destroyed until the registration is complete and confirmed.

For these types of record, we must retain the hard copy and the electronic version.

11. Storage of records

  • Business records must be stored on our premises or at a secure location or website approved by us to provide physical or electronic storage facilities.
  • When archiving paper records at an approved storage facility, the storage boxes must be clearly labelled as follows:
    • Record Type
    • Originating Department
    • Creation date such that the destruction can be scheduled

12. Removal of business records

You may remove business records from our premises only for legitimate business purposes; you must return those records when no longer needed off-site.

13. Destruction of business records

  • Business records must be destroyed at the end of the relevant retention period, unless the retention period has been suspended.
  • See Record types and Retention (below) for guidance on the method of destruction required for different classes of business record.
  • Periodically, you should determine whether you have records in your control that should be discarded or destroyed pursuant to this policy.
  • If you have questions or concerns about retaining any records beyond the scheduled retention periods, you should contact the legal team before disposing of the records in question.

14. Suspending the destruction date

  • If a claim, audit, investigation, subpoena or litigation has been asserted or filed by or against us, or is reasonably foreseeable, we have an obligation to retain:
    • all relevant records, including those that otherwise would be scheduled for destruction under the records retention schedule, and
    • records that otherwise could have been disposed of as short-term records
  • On learning of an actual or reasonably anticipated legal action, the legal team will notify relevant staff to suspend disposal and destruction of applicable records. This is known as ‘litigation hold’.
  • If you become aware of an actual or anticipated claim, audit, investigation, subpoena or litigation, you must immediately report the matter to the legal team or the director of regulatory affairs and discontinue any scheduled disposal pending confirmation of whether litigation hold is required.
  • You must carefully and diligently comply with any litigation hold notices. In particular, you must not alter, dispose of, discard or destroy any records that are subject to litigation hold. You must also continue to retain any and all such records until the legal team or the director of regulatory affairs issues a notice indicating that the litigation hold has been lifted and that the retention and disposal of such records should resume in accordance with our retention schedule.

15. Failure to comply

  • We take compliance with this policy very seriously. Failure to comply puts both staff and geoat risk. The importance of this policy means that failure to comply with any requirement may lead to disciplinary action, which may result in dismissal.
  • Staff with any questions or concerns about anything in this policy should not hesitate to contact the legal team or the director of regulatory affairs.

16. Record types and retention

By default all records/documents containing personal data and/or sensitive personal data that does not fall into any of the categories below.

All information that includes any data relating to a living individual. It includes names, addresses, opinions about individuals (and their opinions), and information about their behaviour or health etc. Even if you cannot identify an individual from the data, it will still be personal data if an individual could be identified when the data is put together with other information, e.g. IP addresses and other metadata could be personal data.

Retention should be no longer than necessary for the purpose for which it was obtained. This means that personal data should be destroyed or erased from Nelsons’ systems when it is no longer required.

Record Marking Retention Disposal Action (Hard Copy) Disposal Action (soft Copy)
All contracts (Customer, supplier, internal, logistical, office) Commercial in Confidence 6 years from the expiry date Secure destruction Deletion. Emails and attachments deleted.
HR Data (Unsuccessful Applicants Data including testing data) Staff in Confidence For no longer than 6 months after the post has been filled Secure destruction Deletion. Emails and attachments deleted.
HR Data (Employment Contracts; hours worked, payments;) Staff in Confidence 6 years from the date of termination Secure destruction Deletion. Emails and attachments deleted.
HR Records (Payroll; staff personal records; test results; PAYE; incidents;) Staff in Confidence 6 years from the date of termination of the employee to whom they relate; Secure destruction Deletion. Emails and attachments deleted.
Customer Support Records Personal in Confidence Retain indefinitely and for as long as required by law. Secure destruction Deletion. Emails and attachments deleted.
Customer complaints None Retain indefinitely unless otherwise required by GDPR Secure destruction Deletion. Emails and attachments deleted
Installation Records Commercial in Confidence For so long as the business needs to retain these for business purposes. Secure destruction Deletion. Emails and attachments deleted
Finance Finance in Confidence 7 years for financial reporting and tax records (backup and working files) Secure destruction Deletion. Emails and attachments deleted.
Company Records Dependent on information Indefinitely e.g. Company Secretarial records, statutory accounts, registration and incorporation documents Secure destruction Deletion. Emails and attachments deleted.
Management system documentation None, stored on Intranet Retain indefinitely N/A
Certificates of conformity None Retain indefinitely N/A
Email / Correspondence None Deletion. Emails and attachments deleted. N/A Retain indefinitely unless otherwise required by GDPR
CCTV (Video footage/images taken from CCTV cameras installed on geo premises) None 90 days from the date of being recorded N/A Deletion.
All other records – consult with legal Dependent on information Consult with legal.

Records shall be stored in such a way as to be retrievable and in an environment which minimizes risk of deterioration, damage or loss.

All soft copies of documents are backed up on a nightly basis. GEO maintains a “daily” and “monthly” backup cycle. Backups are stored in the cloud with a local copy also held on premise to aid in fast recovery.

Last reviewed: 29th November 2023