|Does the record include personal data?||As a general guide this is data which identifies or can be used to identify an individual (the ‘data subject’).,This may be:,a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.|
|Are we under an obligation to store, transmit, or delete the information in the record in a certain manner?||This obligation could be imposed by a regulator or a contractual agreement with a supplier or customer, eg HMRC requiring us to retain tax records.|
|What is the commercial or competitive value of this information?||Information that would be valuable to our competitors such as trade secrets, strategic plans, pricing information, or merger and acquisition activity must be classified as confidential.|
|What is the potential impact if the record is inadvertently disclosed, corrupted, lost or destroyed?||Classify records as either restricted or confidential if inadvertent disclosure or loss etc would have an adverse impact on:
– an individual
– our reputation, competitive position, revenue or share value or
– any of our customers, agents, suppliers or other partners
|Is the record in the public domain?||Provided the record is in the public domain for legitimate reasons, eg not as a result of breach of confidence, the record should be classified as public.|
Most business records can be retained exclusively in electronic form and hard copies do not usually need to be retained. The exceptions to this are:
|Any Deeds relating to property.||The deeds are proof of ownership of and/or may be required to deal with queries on title.|
|Share certificates||A share certificate is prima facie evidence of ownership.|
|Documents registered with the HM Land Registry||The original should not be destroyed until the registration is complete and confirmed.|
For these types of record, we must retain the hard copy and the electronic version.
By default all records/documents containing personal data and/or sensitive personal data that does not fall into any of the categories below.
All information that includes any data relating to a living individual. It includes names, addresses, opinions about individuals (and their opinions), and information about their behaviour or health etc. Even if you cannot identify an individual from the data, it will still be personal data if an individual could be identified when the data is put together with other information, e.g. IP addresses and other metadata could be personal data.
Retention should be no longer than necessary for the purpose for which it was obtained. This means that personal data should be destroyed or erased from Nelsons’ systems when it is no longer required.
|Record||Marking||Retention||Disposal Action (Hard Copy)||Disposal Action (soft Copy)|
|All contracts (Customer, supplier, internal, logistical, office)||Commercial in Confidence||6 years from the expiry date||Secure destruction||Deletion. Emails and attachments deleted.|
|HR Data (Unsuccessful Applicants Data including testing data)||Staff in Confidence||For no longer than 6 months after the post has been filled||Secure destruction||Deletion. Emails and attachments deleted.|
|HR Data (Employment Contracts; hours worked, payments;)||Staff in Confidence||6 years from the date of termination||Secure destruction||Deletion. Emails and attachments deleted.|
|HR Records (Payroll; staff personal records; test results; PAYE; incidents;)||Staff in Confidence||6 years from the date of termination of the employee to whom they relate;||Secure destruction||Deletion. Emails and attachments deleted.|
|Customer Support Records||Personal in Confidence||Retain indefinitely and for as long as required by law.||Secure destruction||Deletion. Emails and attachments deleted.|
|Customer complaints||None||Retain indefinitely unless otherwise required by GDPR||Secure destruction||Deletion. Emails and attachments deleted|
|Installation Records||Commercial in Confidence||For so long as the business needs to retain these for business purposes.||Secure destruction||Deletion. Emails and attachments deleted|
|Finance||Finance in Confidence||7 years for financial reporting and tax records (backup and working files)||Secure destruction||Deletion. Emails and attachments deleted.|
|Company Records||Dependent on information||Indefinitely e.g. Company Secretarial records, statutory accounts, registration and incorporation documents||Secure destruction||Deletion. Emails and attachments deleted.|
|Management system documentation||None, stored on Intranet||Retain indefinitely||N/A|
|Certificates of conformity||None||Retain indefinitely||N/A|
|Email / Correspondence||None||Deletion. Emails and attachments deleted.||N/A||Retain indefinitely unless otherwise required by GDPR|
|CCTV (Video footage/images taken from CCTV cameras installed on geo premises)||None||90 days from the date of being recorded||N/A||Deletion.|
|All other records – consult with legal||Dependent on information||Consult with legal.|
Records shall be stored in such a way as to be retrievable and in an environment which minimizes risk of deterioration, damage or loss.
All soft copies of documents are backed up on a nightly basis. GEO maintains a “daily” and “monthly” backup cycle. Backups are stored in the cloud with a local copy also held on premise to aid in fast recovery.
Last updated: 25 Jun 2020