Context and overview
Principle 5 of the GDPR requires us to retain personal data no longer than is necessary for the purpose for which we obtained it.
The Act does not set out any specific minimum or maximum periods for retaining personal data. Instead, it says that:
“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”
In practice, it means that we will need to:
- review the length of time we keep personal data;
- consider the purpose or purposes we hold the information for in deciding whether (and for how long) to retain it;
- securely delete information that is no longer needed for this purpose or these purposes; and
- update, archive or securely delete information if it goes out of date.
Therefore, a vital part of Legacy Link’s Data Protection Policy and practice is that personal data is retained for the appropriate period of time – neither too long nor too short.
The purpose of this document is to provide clarity and transparency around the types of data we will retain, how long we will retain it for, and what we will do with the data once it is no longer required for our business purposes.
The time that documents are retained by Legacy Link will depend on what the document is and also any current legislation regarding the retention period.
Data Retention Periods
- Minute books/files will be kept forever. These are legal documents and must not be destroyed. These will be kept in a secure cabinet/storage area.
- Title deeds, leases, agreements etc. will be kept whilst the organisation owns/occupies property/land. These will be kept in a secure cabinet/storage area.
- Insurance documents, Certificates of Employer’s Liability and Public Liability will be kept as required by law, which is currently 40 years.
- The organisation will keep documents as required by individual funders.
This policy helps to protect Legacy Link from data security risks, including:
- Breaches of confidentiality. For instance, information being given out inappropriately.
- Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
- Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.
- Statutory accounts and all supporting documentation are to be retained for six years plus the current year.
- VAT records (electronic or paper format) including standard-rated goods, exempt supplies and the VAT account are to be retained for six years plus the current year.
- Corporation Tax records of all company assets (e.g. receipts, sales and purchases), company liabilities, income and expenses and tax deduction or tax credit vouchers are to be retained for six years plus the current year.
- Application forms for candidates are to be retained for six months after notifying the unsuccessful candidate.
- Application forms – duration of employment.
- References obtained from third parties – one year.
- Sickness and leave records – three years after the end of each tax year.
- Statutory maternity pay records to be retained for three years after the end of the tax year in which the maternity period ends.
- Records relating to accident or injury at work – three years.
- Annual appraisal records – five years.
- Redundancy details to be retained for six years after employment has ceased.
- Promotion, transfer, training and disciplinary records – one year from end of employment.
- Payroll records, P45, other HMRC documentation and forms to be retained for six years plus current year.
- Personnel files will be retained for two years after employment terminates. After this time the file will be destroyed and a summary or record of service (e.g. name, position held, dates of employment) will be retained for ten years from end of employment. This will include references given or details retained to enable a reference to be provided for future employment.
- Any documentation and personal data that is held by Legacy Link on behalf of a charity for the purposes of administering its legacy gifts should be held for no longer than is necessary to carry out the legacy administration function.
- On completion of a legacy case, all documentation should be returned to the charity and destroyed from our systems when the charity confirms receipt.
- Any financial records that the charity requires Legacy Link to hold on to for auditing purposes should be held for 6 years plus the current financial year (7 years in total).
- Any data that needs to be held on file for longer than 3 years should be suitably archived and any information not required for the purposes of legacy administration should be destroyed.