General Data Protection Regulation (GDPR) – Personal Data Retention Policy
SCOPE AND PURPOSE
This policy sets out the policy and procedure for Joves GDPR - Personal Data Retention Policy. This policy applies to all personal data collected, processed and stored by Jove Technology. Jove Technology is both a Data Controller and Data Processor and is registered with the ICO.
We acknowledge personal data should only be retained for as long as necessary and for the purpose it was obtained. We dispose of data when it is no longer needed, also reducing the risk that it will become inaccurate, out of date, irrelevant or misappropriated.
There is no specific minimum or maximum period for retaining personal data instead the Data Protection Act / GDPR states that:
“Personal data shall not be kept for longer than is necessary for that purpose or those purposes.”
This means each department needs to:
Review for how long you keep personal data.
Consider the purpose or purposes for which you hold information in deciding whether and for how long to retain it.
Securely delete information that is no longer needed and
Update, archive, destroy or securely delete information if it goes out of date.
Concerns about holding personal data
We recognise that keeping personal data too long can cause the following problems:-
Increased risk that information will go out of date, or that outdated information will be used in error.
Data is likely to become inaccurate.
Personal data must still be held securely, even if no longer needed.
Responding to Subject Access Requests may be more difficult and time consuming if we are holding more data than we need.
Approach to deciding about retention of data
Bi-Annually (6 months) we are responsible for reviewing the personal data held and deleting anything no longer needed. Information that does not need to be accessed regularly but which still needs to be retained must be safely archived.
Retention periods have been established for different categories of information. The retention periods take into account any professional rules or regulatory requirements that apply.
The responsible person(s) will ensure that we keep to these retention periods in practice and that there is a documented policy relating to retention periods that is reviewed annually and updated as necessary.
Every 18 months the responsible Director will contact each department and request that they review the retention periods for the personal data they hold.
Every 24 months a refresher course on Data Protection must be undertaken including reference to retention of data.
What determines how long we hold data for?
Personal data will need to be retained for longer in some cases than in others. The length of time personal data is retained must be based on business needs. A judgement must be made about:
What the information is used for
Legal or regulatory requirements
Policy Information (including policies held on behalf of partners)
Policies with Employers Liability – 50 years
Liability Policies (without Employers Liability) – 12 years
Professional Indemnity Records – 7 years
Personal lines - 7 years
Other General Insurance Records – 7 years
Complaints records – Once resolved, 3 years. Subsequently skeleton records on the complaints log will be retained.
Claims Records – Retention length is the same as policy on which claim was made.
Company Records - Staff
HR Records (including Training, Performance & Attendance) – 7 years from the date employees cease to work for the company.
Prospective employees records will be kept for a maximum period of 3 years
Company Records - Business
Appointed Representatives (which may include personal data) – 7 years from the date the relationship is terminated and / or the contract is amended.
Partner Records – Once a partnership or a delegated authority has ceased, full records will be kept for 7 years. After that date skeleton records will be retained excluding any personal data.
Accounting Records – 12 years
Client Money Audits – 12 years
At the end of the retention period
We advise individuals that the data will be deleted irretrievably or simply deactivated or archived. It is noted that the rules around Data Protection apply to data that is archived.
The DPA / GDPR does not provide a definition of delete or deletion. Our interpretation implies deletion and removal of backups.
It is noted that our data is held electronically may be deleted but still exist in some format within Google Cloud system for a period of time. As a firm we need to be clear about what we mean by deletion and what actually happens to personal data once deleted.
At the end of the retention period, we will make every effort to ensure Personal Data has been made unavailable or inaccessible. We will then dispose of your information by deleting data stored via Google cloud. This process is detailed here https://cloud.google.com/docs/security/deletion
The ICO under the GDPR will adopt a realistic approach in terms of recognising that deleting information is not always a straightforward matter and that it is possible to put data beyond use.
Paper files are not stored by Jove, any paper documentation received will be digitised and retained in accordance to their content. Original papers will then be either returned or securely disposed of.
Where personal data has been shared between organisations, once it is no longer necessary to share the information the information must be returned to the organisation that supplied it, without keeping a copy.
In other cases, with agreement, all the organisations involved should delete their copies of the information in line with their data retention policies.