BOPARAN HOLDINGS LIMITED DATA RETENTION POLICY
Document Summary | |||
---|---|---|---|
Policy ref | |||
Policy Summary | This document sets out the Group's policy on data and document retention. | ||
Applicability | This policy applies to Boparan Holdings Limited and its affiliates, subsidiaries, business divisions/units, joint venture companies and operating companies (together the 2 Sisters Food Group ("Group" or "we", "us" or "our")), including its employees, contractors and others who Process, store, transmit or have access to Personal Data | ||
Document status | Final | ||
Version | 0.2 | Effective Date | 23 May 2019 |
Executive Responsible | Data Privacy Officer – Lee Greenbury - Group Director of People & Compliance | Policy Owner | Group Legal |
Version Control | ||
---|---|---|
Date | Version | Summary of Changes |
21 May 2018 | 0.1 | Final draft produced and cascaded to the Group |
23 May 2018 | 0.2 | Final draft produced and cascaded to the Group |
DATA RETENTION POLICY
INTRODUCTION
This Data Retention Policy ("Policy") helps the Group to manage the controlled retention and destruction of documents which may contain Personal Data.
Retaining personal data for longer than is necessary breaches legal rights which individuals, such as our customers and employees, otherwise referred to as "Data Subjects", have under data protection legislation. It represents a significant compliance risk, and can also lead to unnecessary administrative burdens in respect of record management.
We may also have obligations to our customers in certain circumstances to delete data upon request and a failure to do so could result in a breach of contract.
This Policy sets out the general principles which are applicable to data retention, provides specific guidance on the Group's standard retention periods and provides instructions on determining retention periods for records.
Any defined terms used in this Policy are set out in Appendix 1 (Definitions).
WHEN DOES THIS POLICY APPLY?
This Policy applies to all records created or received in conjunction with the operations of any Group company which may contain Personal Data; all physical locations where records are maintained; and all employees (whether permanent or temporary), contractors and consultants who create, receive, manage, or use such records.
WHAT IF A TYPE OF RECORD IS NOT INCLUDED IN THE RETENTION SCHEDULE?
Where a specific type of record or document is not referenced in this Policy, the following general principles should be observed:
- Personal Data should only be retained for as long as is necessary to satisfy the purposes for which it was collected;
- where Personal Data is provided to us as part of services we provide to a customer under a contract we will normally be obliged to delete it shortly after the expiration or termination of the relevant contract;
- documents containing Personal Data may need to be retained for an extended period of time (generally for six years) if there is a real risk that they could be the subject of a claim, or may otherwise be relevant to future litigation;
- where the Personal Data in a document is deleted, or it is otherwise anonymised, the document may be retained for an extended period of time (subject to limitations on space, or other concerns regarding the sensitivity of the document); and
- it will rarely be appropriate to retain documents indefinitely, except in very specific circumstances (for example, an employers' liability policy).
INTERNAL RESPONSIBILITIES
All employees are responsible for compliance with this Policy, including the appropriate management and storage of their records. It is your responsibility to make sure that records which you create or receive as part of your job are handled according to this Policy.
Each company within the Group must review the records and documents which they handle and ensure all types of records / documents created and held are stored in accordance with Schedule 1.
Email traffic which passes through the Group's IT systems on a daily basis contributes significantly to the volume of data we hold. Failure to properly consider whether emails need to be retained can increase our risk in a number of areas, slow down IT systems, and cause an additional administrative burden in relation to responding to Data Subject Rights.
All emails (and attachments) within a specific category identified in Schedule 1 should be stored in accordance with the applicable retention period. For example, emails which threaten legal action, or discuss an on-going, anticipated or settled claim, should be filed separately following consultation with the Legal Department and IT.
This email retention guidance is not a substitute for good inbox management principles that all employees are expected to adhere to.
RETENTION AND DESTRUCTION - KEY PRINCIPLES
Schedule 1 of this Policy is a retention schedule which identifies records in a number of different categories and defines how long they need to be retained based on their legal, compliance, or operational requirements.
This Policy recognises that not all documents contain Personal Data, and not all documents need to be retained for specific periods of time for commercial, legal or regulatory reasons. Certain documents may be discarded or deleted at the discretion of the user once they have served their temporary useful purpose. Examples may include:
- duplicates of originals that have not been annotated;
- preliminary drafts of letters, memoranda, reports, worksheets and informal notes that do not represent significant steps or decisions in the preparation of an official record;
- spam and junk mail.
How should I destroy records and documents?
Documents that have met the retention schedule requirements, and are not subject to an exemption to normal destruction requirements (see below), should be destroyed in accordance with this Policy.
Documents should be destroyed promptly by means appropriate to their nature or level of confidentiality (e.g., shredding, recycling, deleting). Further guidance on secure deletion methods should be sought from the Legal Department.
Electronic data should be permanently deleted in such a way that it cannot be recovered or reconstituted. Further guidance on when and how to permanently delete electronic records should be discussed with the IT Team before destruction occurs.
Sometimes, it may be necessary to prepare a certificate of destruction evidencing the destruction process, to demonstrate to a customer that any Personal Data has been destroyed. If you receive a request for such a document please contact the Legal Department and note that any certificate of destruction should be retained for 10 years.
Under no circumstance should copies (i.e. duplicates or draft documents) be retained longer than official documents. This includes copies in all media and formats, such as photocopies, and electronic files, files stored on removable media, hard disks, file servers, magnetic tape, or other storage devices.
When does this Policy not apply?
If documents are or may be in any way relevant to one or more of the following suspension events:
- contemplated or actual litigation or regulatory investigation;
- a subject access request under applicable data protection legislation; or
- an order for production from a regulatory or law enforcement body,
then those documents must be preserved and not amended until the Data Privacy Officer determines they are no longer needed. If such an event has arisen, all employees are required to notify the Data Privacy Officer, and comply with any suspension notice that it circulates.
Are there any Confidentiality Requirements relating to the Documents and Records?
Each employee must maintain the security and confidentiality of the Group's documents/records. Specific guidance on procedures to ensure this is set out in the Group's Data Protection Policy.
POLICY OWNERSHIP AND RESPONSIBILITY
The owner of this Policy is the Data Privacy Officer who shall ensure that this Policy is properly applied across the Group.
The Data Privacy Officer is responsible for the oversight and implementation of this Policy.
The Data Privacy Officer is responsible for communicating Policy requirements and any revisions made to this Policy.
POLICY REVIEW CYCLE AND NON-COMPLIANCE
We will review this Policy periodically in order to ensure it is meeting its objectives.
It is expected that changes will be required to be made to this Policy from time to time to take account of changes in legal, regulatory, or operational requirements and this Policy will be regularly reviewed by the legal and compliance teams.
If you become aware of any breach of this Policy, please inform the Data Privacy Officer at the earliest opportunity.
QUERIES AND WAIVERS
Any queries relating to this Policy should (in the first instance) be directed to the Data Privacy Officer, who can be contacted at dataprotection@2sfg.com.
SCHEDULE 1: RETENTION SCHEDULE
Part 1: HR / Employee Records
Category | Record Type | Retention Period | Principle/ Legal Requirement |
---|---|---|---|
| | Job Applications, CVs, references and interview records of unsuccessful candidates | A short period (e.g. 2 - 6 months) following communication of decision. If you wish to keep names/details on file for future vacancies, inform unsuccessful candidates of this (have a clearly communicated policy) and give them the opportunity to have their details removed. | 1.7.5, The Information Commissioner's Employment Practices Code ("Employment Practices Code") |
Recruitment | Job Applications, CVs, references and interview records of successful candidates | Relevant information to be transferred to Personnel Records and irrelevant information deleted. | 1.7.1, Employment Practices Code: No recruitment record to be held beyond statutory period in which a claim arising from recruitment may be brought, unless there is a clear business reason. 1.7.3, Employment Practices Code: Do not retain information from application that has no bearing on the on-going employment relationship. |
| | Immigration checks (documentation required for immigration purposes - e.g. to evidence citizenship, details of residency, work permit) | Two years after the termination of employment | Immigration, Asylum and Nationality Act 2006 |
Personnel records | Personnel records (generally) | Whilst employment continues, and for up to six years after employment ceases. | Statutory limitation period (Limitations Act 1980) |
| | Pay and bonuses, records of ad-hoc salary payments made outside of payroll. | Six years from the financial year-end in which payments were made. | Schedule 18, paragraph 21, Finance Act 1998 |
Benefits records | Employee bank account records. | You should keep for no longer than necessary for the purpose for which they were collected. Generally, it should be retained only until shortly after termination of employment. | Schedule 1, paragraph 5, Data Protection Act 1998 / Article 5 (1) (e) General Data Protection Regulation |
| | Records relating to private medical care, health check. | Whilst employment continues, and for up to six years after employment ceases. Specific medical information should only be kept for as long as strictly necessary. | Statutory limitation period (Limitations Act 1980); Schedule 1, paragraph 5, Data Protection Act 1998 / Article 5 (1) (e) General Data Protection Regulation |
| | Records relating to employee tax payments. | Six years from the financial year-end in which payments were made. | Schedule 18, paragraph 21, Finance Act 1998 |
Pension records | Details relating to employee pension fund, details of payments made into fund. | 6 years from the end of the scheme year to which the document/information relates (unless required to be retained for a longer period to meet the requirement that trustees/managers of pension schemes maintain all appropriate documentation for a suitable period of time). | Occupational Pension Schemes (Scheme Administration) Regulations 1996 (if relating to an occupational pension scheme) and/or the Registered Pension Schemes (Provision of Information) Regulations 2006 (if relating to a contractual arrangement). |
Performance management | Appraisals. | Whilst employment continues, and for up to six years after employment ceases. | Statutory limitation period (Limitations Act 1980) |
| | Employee training records. | Whilst employment continues, and for up to six years after employment ceases. | Statutory limitation period (Limitations Act 1980) |
| | Poor performance records, employee improvement plans. | Whilst employment continues, and for up to six years after employment ceases. | Statutory limitation period (Limitations Act 1980) |
Discipline and Grievance | Records relating to disciplinary and grievance matters. | Whilst employment continues, and for up to six years after employment ceases. | Statutory limitation period (Limitations Act 1980) |
| | Absence records, sick notes, fit notes. | Whilst employment continues, and for up to six years after employment ceases. Specific medical information should only be kept for as long as strictly necessary. | Statutory limitation period (Limitations Act 1980); Schedule 1, paragraph 5, Data Protection Act 1998 / Article 5 (1) (e) General Data Protection Regulation |
Management of ill health (not absence management) | Records relating to reasonable adjustments made pursuant to the Equality Act 2010. | Whilst employment continues, and for up to six years after employment ceases. Specific medical information should only be kept for as long as strictly necessary. | Statutory limitation period (Limitations Act 1980); Schedule 1, paragraph 5, Data Protection Act 1998 / Article 5 (1) (e) General Data Protection Regulation |
TUPE | Records of colleague liability information defined under TUPE. | 6 years from termination of employment. | Statutory limitation period (Limitations Act 1980) |
Redundancy | Records relating to redundancy processes - e.g. consultation records, letters regarding process and outcome, redundancy payment data, re-deployment search records. | Whilst employment continues, and for up to six years after employment ceases. | Statutory limitation period (Limitations Act 1980) |
Payroll and Wages | Records of hours worked and payments made to workers | Three years beginning with the day upon which the pay reference period immediately following that to which they relate ends. | Regulation 59, National Minimum Wage Regulations 2015 (SI 2015/621) |
Maternity/Paternity records | Maternity certificates showing expected due date and dates of maternity / paternity leave. | Three years after the end of the tax year in which the maternity pay period ends | Regulation 26, Statutory Maternity Pay (General) Regulations 196 (SI 196/1960) |
Part 2: Customer Data
Category | Record Type | Retention Period | Principle/ Legal Requirement |
---|---|---|---|
Data processed in relation to a customer contract | Any data which is held by Vista Group on behalf of a customer | Three years after the end of the tax year in which the maternity pay period ends | Customer contract |
Part 3: Legal
Category | Record Type | Retention Period | Principle/ Legal Requirement |
---|---|---|---|
Contractual Agreements | Terms and Conditions of Employment | Whilst employment continues, and for up to six years after employment ceases. With regard to any collective workforce agreements, however (including past agreements that could affect present employees), records should be kept permanently / so long as the agreements may affect present employees. | Statutory limitation period (Limitations Act 1980) |
| | Simple contracts | Life of the Agreement, plus 6 years | Simple contracts |
| | Deeds | Life of the Agreement, plus 12 years | Deeds |
| | Leases | Life of the Agreement, plus 15 years | Leases |
| | Previous drafts of contracts and correspondence relating to contract negotiation | Until final contract signed and all amendments have been incorporated into the final signed version unless appropriate to keep as evidence of negotiations | N/A |
Claims | Details of any claims made by employees or involving employees | 6 years from termination of employment | Statutory limitation period (Limitations Act 1980) |
IP Documents | Documents evidencing assignment of trade/ service marks and designs, Certificates of registration of trade/ service marks and designs, Intellectual property agreements and licences, Documents relating to copyright / patents. | For the life of the company | A proprietor of registered and unregistered rights may be required to prove ownership of these rights when seeking to enforce them. As such, certificates, assignments and licences (licences are particularly important to identify ownership of unregistered rights such as passing off rights) should be retained to document ownership and the chain of title in these rights. |
Corporate Documents | Incorporation documents and certificates | For the life of the company | Commercial / Implied by CA, s.13 (Note 1) |
| | Register of members | For the life of the company | N/A |
| | Minutes of directors' meetings | For 10 years from the date of the meeting | s 248 Companies Act 2006 |
| | Members' resolutions (including written resolutions) | For 10 years from the date of the meeting | s 357 Companies Act 2006 |
| | Minutes of general meetings | For 10 years from the date of the meeting | s 357 Companies Act 2006 |
APPENDIX 1: Definitions
"Data Subject" shall mean an identified or identifiable natural person whose Personal Data is being Processed;
"Personal Data" shall mean any information capable of identifying a natural person, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. Data is considered personal when it enables anyone to link information to a specific person, even if the person or entity holding that data cannot make that link;
"Processing" shall mean any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, including, but not limited to collection, recording, organisation, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, blocking, deleting, erasure, or destruction (and Process, Processes and Processed shall be interpreted accordingly); and
"Sensitive Personal Data" or "Special Categories" of Personal Data shall mean the Special Categories of Personal Data that are considered to be "sensitive", requiring additional care when handling, including health, racial or ethnic origin, sexual life or orientation, religious or philosophical opinions, political opinions, trade union membership, or genetic or biometric data (for the purpose of uniquely identifying a living individual). Also considered within the Special Categories of Personal Data are criminal history/ criminal convictions and data of children (13 (thirteen) years of age and under) and personal bank, credit card or other financial information.