UK data retention requirements




Information data retention and disposal

Watson Hall Ltd
London 020 7183 3710
Edinburgh 0131 510 2001
info@watsonhall.com
www.watsonhall.uk

Each type of data within an organisation should be identified and classified. Once this has been completed, and again during periodic reviews, it is necessary to define the retention and disposal policy. Business data records should be assessed for their statutory and legal requirements, their business and accountability requirements, and the risks associated with keeping or disposing of them. A records management system or a schedule of data retention criteria can be used to document the data records, the requirements that apply to them, and the security controls needed for their identification, storage, protection, retrieval, retention and disposal.

There are a large number of statutes, case law and regulations defining the period for which some data must be kept before it is destroyed; some of these are outlined on the following pages. A few requirements, such as records of wages, apply to almost all sectors, but we have also listed some specific requirements for the communications, financial and governmental sectors. Other sectors have equally important requirements. The exact minimum retention period varies with the specific data type, and the starting date is often context related, e.g. the period runs from an event such as an accident, a retirement or the advertisement of a product.

The first version (2007) of this document was based on previous work by InTechnology Ltd: Making Sense of Data Law, A review by InTechnology of legislation and regulation concerning data storage in the UK and Europe, http://www.intechnology.co.uk/documents/whitepapers/makingsense_datalaw.pdf, InTechnology Ltd, April 2004.

The chart on the next page summarises the data given in the subsequent sections.

P1-2015-5.0


Cross-sector

General data types are:

| Data type | Retention period | Reference |
|---|---|---|
| Limits to actions/claims | 1 to 30 years | C 1 to C 4 |
| Latent damage | 3 to 15 years | C 5 |
| Income tax and national insurance records | 3 years | C 6, C 16 to C 17 |
| Value added tax records | 6 years | C 7 |
| Wages and salary | 6 years | C 8 |
| Personnel records (pay, accidents, health, retirement benefits) | Up to 40 years | C 9 to C 10 |
| Data Protection Act 1998 | No longer than necessary | C 11 |
| Company formation | Indefinite | C 12 |
| Sarbanes-Oxley Act (cross-listed UK companies) | 5 to 7 years | C 13 |
| Insurance certificates | 40 years | C 14 |
| Corporation tax records | 6 years | C 15 |

Some personnel records must be maintained up to an age of 75.

Communications

Some data types and retention periods for the Communications business sector are:

| Data type | Retention period | Reference |
|---|---|---|
| Subscriber information | 1 year | COM 1 |
| Telephony, SMS, EMS, MMS, email and web data | 1 year | COM 1 to COM 2 |
| Identity of services | 1 year | COM 1 |
| ISP data (log on, connection) | 1 year | COM 1 |
| Web activity (content and traffic) | 4 days | COM 1 |

The Data Retention Regulations are currently in dispute following a case in the EU Court of Justice (COM 3).

Financial

Some data types and retention periods for the Financial sector are:

| Data type | Retention period | Reference |
|---|---|---|
| Emails | 6 years | FIN 1 |
| Record of election to comply | Indefinite | FIN 1 |
| All other financial records | 3 to 6 years | FIN 1 |
| MiFID | 1 to 5 years | FIN 2 |
| Basel II risk legacy data | 2 to 5 years | FIN 3 |
| Telephone & electronic communications | 6 months | FIN 4 |

Governmental

For government organisations, there are well defined policies:

| Data type | Retention period | Reference |
|---|---|---|
| Building records | 2 to 40 years | GOV 1 |
| Personnel records | 6 months to 100 years | GOV 2 |
| Accounting records | 1 to 6 years | GOV 3 |
| Health and safety records | >40 years | GOV 4 |
| Contractual records | 1 to 16 years | GOV 5 |
| Project records | 1 to 25 years | GOV 6 |
| Complaints records | 3 to 10 years | GOV 7 |
| Press and public relations | 1 month to 25 years | GOV 8 |
| Information management records | 1 to 10 years | GOV 9 |
| Central expenditure records | 1 to 12 years | GOV 10 |
| Internal audit records | 1 to 6 years | GOV 11 |
| Parliamentary papers in departments & agencies | 2 years up to indefinite | GOV 12 |
| Public records in the regions | 1 year up to indefinite | GOV 13 |
| Freedom of Information Act records | 6 months to 10 years | GOV 14 |
| Security services records | Up to indefinite | GOV 15 |
| Web estate | Nil to indefinite | GOV 16 |
| Other | Operational Selection Policy for specific information types. See National Archives for details. | |

Policies, procedures, standards, guides, manuals and handbooks are generally to be retained until superseded.
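To show how a schedule of data retention criteria of the kind described in the introduction is applied, here is an added example (not Watson Hall's code or tooling): a small checker that counts each period from its context-related start event, takes the longest applicable minimum when one record falls under several rules, and flags records whose minimum has elapsed for disposal review. The periods and reference keys are taken from the tables above; the start-event names and the records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Rule:
    data_type: str
    start_event: str       # context-related event the period is counted from
    years: int = 0
    days: int = 0
    reference: str = ""    # key into the reference list of this document

# Constructed schedule: periods and reference keys are from the tables above;
# the start events are assumptions, not stated by the document.
SCHEDULE = {r.data_type: r for r in [
    Rule("Income tax and national insurance records", "end of tax year", years=3, reference="C 6"),
    Rule("Wages and salary", "end of tax year", years=6, reference="C 8"),
    Rule("Value added tax records", "end of VAT period", years=6, reference="C 7"),
    Rule("Subscriber information", "end of subscription", years=1, reference="COM 1"),
    Rule("Web activity (content and traffic)", "collection", days=4, reference="COM 1"),
]}

def add_period(start: date, years: int, days: int) -> date:
    """Add whole years (29 Feb rolls to 28 Feb), then days."""
    try:
        end = start.replace(year=start.year + years)
    except ValueError:
        end = start.replace(year=start.year + years, day=28)
    return end + timedelta(days=days)

def retain_until(data_types: list, events: dict) -> Optional[date]:
    """Earliest permitted disposal date for a record matching several rules:
    the longest applicable minimum wins. None means no scheduled minimum, so
    the DPA 'no longer than necessary' principle (C 11) governs alone."""
    ends = []
    for name in data_types:
        rule = SCHEDULE[name]
        if rule.start_event not in events:
            raise ValueError(f"{name}: date of '{rule.start_event}' needed to start the clock")
        ends.append(add_period(events[rule.start_event], rule.years, rule.days))
    return max(ends) if ends else None

def disposal_status(data_types: list, events: dict, today: date) -> str:
    until = retain_until(data_types, events)
    if until is None:
        return "NO MINIMUM: keep no longer than necessary (C 11)"
    if today < until:
        return f"RETAIN until {until.isoformat()}"
    return "REVIEW: minimum period elapsed; dispose or assess archival value"
```

A payroll record assessed as both a wages record (6 years, C 8) and an income tax record (3 years, C 6) from the 2015 tax year end is therefore held until 5 April 2021, the later of the two dates.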

References

C 1. Limitation Act 1980, http://www.legislation.gov.uk/ukpga/1980/58/contents
C 2. Prescription and Limitation (Scotland) Act 1973, http://www.legislation.gov.uk/ukpga/1973/52/contents; Prescription and Limitation (Scotland) Act 1984, http://www.legislation.gov.uk/ukpga/1984/45/contents
C 3. The Limitation (Northern Ireland) Order 1989, http://www.legislation.gov.uk/nisi/1989/1339/contents
C 4. Consumer Protection Act 1987, http://www.legislation.gov.uk/ukpga/1987/43/contents
C 5. Latent Damage Act 1986, http://www.legislation.gov.uk/ukpga/1986/37/contents
C 6. Income Tax (Pay As You Earn) Regulations 2003, http://www.legislation.gov.uk/uksi/2003/2682/contents/made
C 7. Accounts and Records for Your VAT, HM Revenue and Customs, http://www.hmrc.gov.uk/vat/managing/returns-accounts/accounts.htm
C 8. Taxes Management Act 1970, http://www.legislation.gov.uk/ukpga/1970/9/contents/enacted
C 9. The Control of Substances Hazardous to Health Regulations 1999, http://www.legislation.gov.uk/uksi/1999/437/contents/made
C 10. Summaries of staff record retention, Chartered Institute of Personnel and Development, http://www.cipd.co.uk/hr-resources/factsheets/retention-hr-records.aspx
C 11. The Data Protection Act 1998, http://www.legislation.gov.uk/ukpga/1998/29/contents
C 12. Companies Act 2006, http://www.legislation.gov.uk/ukpga/2006/46/contents
C 13. Sarbanes-Oxley Act, http://www.sec.gov/about/laws/soa2002.pdf
C 14. The Employers' Liability (Compulsory Insurance) Act 1969, Regulations and Amendments, http://www.legislation.gov.uk/all?title=employers liability compulsory insurance
C 15. Records for Corporation Tax, HM Revenue and Customs, http://www.hmrc.gov.uk/ct/managing/record-keeping.htm
C 16. Records for PAYE, HM Revenue and Customs, http://www.hmrc.gov.uk/payerti/payroll/record-keeping.htm
C 17. Other Record Keeping, HM Revenue and Customs, http://www.hmrc.gov.uk/record-keeping/
COM 1. Retention of Communications Data under Part 11: Anti-Terrorism, Crime and Security Act 2001, Home Office, http://www.opsi.gov.uk/si/si2003/draft/5b.pdf
COM 2. Data Retention (EC Directive) Regulations 2009, http://www.legislation.gov.uk/uksi/2009/859/contents/made
COM 3. Judgment, Court of Justice, 2014, http://curia.europa.eu/juris/document/document.jsf?docid=150642&doclang=en
FIN 1. Financial Conduct Authority Handbook, http://fshandbook.info/fs/html/fca/
FIN 2. Financial Conduct Authority MiFID Information, http://www.fca.org.uk/firms/being-regulated/meeting-your-obligations/firmguides/guide-financial-advisers/mifid
FIN 3. Basel II: International Convergence of Capital Measurement and Capital Standards, http://www.bis.org/publ/bcbs128.pdf
FIN 4. Telephone Recording, Financial Conduct Authority, http://www.fsa.gov.uk/pubs/policy/ps08_01.pdf
GOV 1. Records Management: Retention Scheduling 1: Building records, National Archives, 2012, http://www.nationalarchives.gov.uk/documents/informationmanagement/sched_buildings.pdf
GOV 2. Records Management: Retention Scheduling 2: Employee Personnel, National Archives, 2012, http://www.nationalarchives.gov.uk/documents/informationmanagement/sched_personnel.pdf
GOV 3. Records Management: Retention Scheduling 3: Accounting, National Archives, 2006, http://www.nationalarchives.gov.uk/documents/informationmanagement/sched_accounting.pdf
GOV 4. Record Keeping, Health and Safety Executive, http://www.hse.gov.uk/health-surveillance/record-keeping/index.htm
GOV 5. Records Management: Retention Scheduling 5: Contractual records, http://www.nationalarchives.gov.uk/documents/informationmanagement/sched_contractual.pdf
GOV 6. Records Management: Retention Scheduling 6: Project Records, http://www.nationalarchives.gov.uk/documents/informationmanagement/sched_projects.pdf
GOV 7. Records Management: Retention Scheduling 7: Complaints, http://www.nationalarchives.gov.uk/documents/informationmanagement/sched_complaints.pdf
GOV 8. Records Management: Retention Scheduling 8: Press and Public Relations, National Archives, 2002, http://www.nationalarchives.gov.uk/documents/informationmanagement/sched_press.pdf
GOV 9. Records Management: Retention Scheduling 9: Information Management, National Archives, 2002, http://www.nationalarchives.gov.uk/documents/informationmanagement/sched_info_management.pdf
GOV 10. Records Management: Retention Scheduling 10: Central Expenditure, National Archives, 2003, http://www.nationalarchives.gov.uk/documents/informationmanagement/sched_central_exp.pdf
GOV 11. Records Management: Retention Scheduling 11: Internal Audit, National Archives, 2003, http://www.nationalarchives.gov.uk/documents/informationmanagement/sched_internal_audit.pdf
GOV 12. Records Management: Retention Scheduling 12: Parliamentary Records in Departments and Agencies, http://www.nationalarchives.gov.uk/documents/informationmanagement/sched_parliamentary.pdf
GOV 13. Records Management: Retention Scheduling 13: Public Records Held in Local Government and Specialist Local Repositories, http://www.nationalarchives.gov.uk/documents/informationmanagement/sched_public.pdf
GOV 14. Records Management: Retention Scheduling 14: Freedom of Information Act Records, Public Records Office, Kew, http://www.nationalarchives.gov.uk/documents/foi_sched_retention.pdf
GOV 15. Operational Selection Policy OSP 8: Security Services, National Archives, 2005, http://www.nationalarchives.gov.uk/documents/informationmanagement/osp8.pdf
GOV 16. Operational Selection Policy OSP 27: UK Central Government Web Estate, National Archives, 2014, http://www.nationalarchives.gov.uk/documents/informationmanagement/osp27.pdf

Why Watson Hall?

Watson Hall helps United Kingdom organisations design, develop, implement and operate software applications by defining security and privacy policy, undertaking threat modelling, performing vulnerability assessments, developing information security management programmes, providing advice on development best practice and testing security. To discuss any security and privacy matters in confidence and without obligation, telephone us on either 020 7183 3710 or 0131 510 2001, or use the enquiry form on our website at https://www.watsonhall.uk/form/

Watson Hall Ltd is a limited company registered in England no 6004969 at North Bastle, Gatehouse, Northumberland, NE48 1NG, United Kingdom.