Data Retention & Disposal Policy
Records Retention and Protection Policy
Contents
1. Introduction
2. Records Retention and Protection Policy
   2.1 General Principles
   2.2 Record Types and Guidelines
   2.3 Use of Cryptography
   2.4 Media Selection
   2.5 Record Retrieval
   2.6 Record Destruction
   2.7 Record Review
1. Introduction
In its everyday business operations, Comity Recruitment Ltd collects and stores records of many types and in a variety of formats. The relative importance and sensitivity of these records vary and are subject to the organisation’s security classification scheme.
It is important that these records are protected from loss, destruction, falsification, unauthorised access, and unauthorised release. A range of controls are used to ensure this, including backups, access control, and encryption.
Comity Recruitment Ltd also has a responsibility to ensure that it complies with all relevant legal, regulatory, and contractual requirements in the collection, storage, retrieval, and destruction of records. Of particular relevance is the European Union General Data Protection Regulation (GDPR) and its requirements concerning the storage and processing of personal data.
This control applies to all systems, people, and processes that constitute the organisation’s information systems, including directors, employees, clients, suppliers, and other third parties who have access to Comity Recruitment Ltd systems.
2. Records Retention and Protection Policy
This policy begins by establishing the main principles that must be adopted when considering record retention and protection. It then sets out the types of records held by Comity Recruitment Ltd and their general requirements before discussing record protection, destruction, and management.
2.1 General Principles
The following key general principles must be adopted when considering record retention and protection:
- Records must be held in compliance with all applicable legal, regulatory, and contractual requirements.
- Records must not be held for any longer than required.
- The protection of records in terms of their confidentiality, integrity, and availability must be in accordance with their security classification.
- Records must always remain retrievable in line with business requirements.
- Where appropriate, records containing personal data must be subject, as soon as possible, to techniques that prevent the identification of a living individual.
2.2 Record Types and Guidelines
Records held by Comity Recruitment Ltd are grouped into the following categories, with their required retention periods, storage media, and reasons:
Record Category | Description | Retention Period | Reason for Retention | Allowable Storage Media
---|---|---|---|---
Accounting | Invoices, purchase orders, etc. | 10 years | HMRC compliance | Electronic only – paper scanned |
Budgeting & Forecasting | Financial estimates and plans | 10 years | N/A | Electronic/Paper |
System Transaction Logs | Database journals and recovery | 52 weeks | Backup strategy | Electronic/tape media |
Audit Logs | Security and access logs | 12 months | Forensic investigation | Electronic |
Operational Procedures | Process completion records | 7 years | Dispute resolution | Electronic/Paper |
Customer | Personal and order data | 7 years post-purchase | Data protection law | Electronic/Paper |
Supplier | Supplier details | 7 years post-supply | Dispute resolution | Electronic/Paper/Microfiche |
Human Resources | Employee data | 7 years post-employment | Employment law | Electronic/Paper |
Contractual | Legal contracts, leases, etc. | 7 years post-contract | Dispute resolution | Electronic/Paper |
2.3 Use of Cryptography
Where appropriate, cryptographic techniques must ensure the confidentiality and integrity of records. Encryption keys must be securely stored throughout the relevant record’s life in compliance with the organisation’s cryptography policy.
2.4 Media Selection
Storage media must be chosen for durability and compatibility with long-term use. For paper records, environmental conditions must be monitored, and backup methods like scanning or microfiche should be employed. For electronic records, media must be checked for deterioration, and compatibility with reading devices must be maintained.
2.5 Record Retrieval
Records must be retrievable in a usable format within an acceptable period. Storage solutions must balance cost-effectiveness with accessibility, ensuring business and legal requirements are met.
2.6 Record Destruction
Records reaching the end of their lifecycle must be securely destroyed, with disposal details recorded for evidence.
2.7 Record Review
Retention and storage of records must undergo regular reviews to ensure:
- Policy compliance.
- Secure disposal of obsolete records.
- Fulfillment of legal, regulatory, and contractual obligations.
- Effective retrieval processes.
The results of these reviews must be documented.