Colchester Borough Council has to collect and use information about the people with whom it works; members of the public; current, past and prospective employees; customers; suppliers and others in order to carry out its duties. Colchester Borough Council will ensure that it treats all personal information entrusted to it lawfully and correctly.
The Council fully endorses and adheres to the principles set out in the Data Protection legislation (Data Protection Act 2018 and General Data Protection Regulations). This Retention Policy and the procedures set down in it are reviewed annually to ensure that the Council continues to comply with the requirements of Article 5 (e) of the General Data Protection Regulations (GDPR), ‘kept in the form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed’.
The purpose of this Policy is for Colchester Borough Council to ensure that:
- crucial records can be located and retrieved as required
- records are kept in accordance with legislation
- records are kept in accordance with business requirements
- the best use is made of available storage facilities
- the medium used for each record is the most appropriate
This policy should be read in conjunction with the Council’s Data Protection Policy.
Application of policy
The Council will ensure that all personal data is retained and disposed of correctly. For the purposes of this policy, personal data can be held in any medium including, but not exclusively, paper documents or files, electronic images and documents, emails, data records within an electronic dataset, other images, video and audio recordings.
In addition to meeting the requirements of Data Protection legislation, the Freedom of Information (FoI) Act and the Environmental Information Regulations (EIR) require the Council to maintain records management practices that enable it to respond to requests for information as soon as possible and at the latest within 20 working days.
The Retention Schedule is a control document setting out the periods for which records should be retained to meet the operational needs of the Council and to comply with legal and other requirements. This is a ‘live’ document which is continually maintained.
Relevant principles of data protection
Whenever retaining or disposing of personal information the Council will ensure that:
- Personal data is retained only for as long as necessary
- Data is disposed of properly
- All personal data is processed in accordance with the rights of the individual concerned
- Security is maintained at all times
- The movement of personal data is done in a lawful way, both inside and outside the Council, and suitable safeguards exist at all times
Defining retention periods
There are a number of considerations that must be made when deciding upon an appropriate retention period.
- Statutory - some retention periods are governed by statute, for example the ‘Health and Safety at Work Act 1974’ and ‘HMRC VAT Notice 700/21: keeping VAT records’. It is therefore essential that any relevant statutory provisions are taken into account when deciding upon a retention period.
- Civil Action - personal data must be retained if it may be needed to defend possible future legal claims. However, linked information that could not possibly be relevant to any claim must not be retained. Personal data must be deleted when a claim could no longer arise. The Limitation Act 1980 imposes various time limits for the taking of legal action.
- DPA, FoI and EIR - if a request for information is made where the records holding that information are due to be destroyed, the destruction of these records must be suspended.
- Data Protection Act - does not specify retention periods. However, the Act does state that where other statutory record retention provisions exist these take precedence. Data controllers are responsible for implementing the DPA and must decide for how long personal data is retained, taking into account the Data Protection Principles, business needs, other legal requirements, any professional guidelines, and best or common practice.
- Historical and research - there may be good grounds for keeping personal data for historical, statistical or research purposes.
There is no requirement to keep records of material routinely discarded in the course of any administrative activity such as duplicates, leaflets or other publicity material, rough drafts or ephemera such as sticky notes.
It is an offence to destroy, delete or amend records or data in order to prevent or attempt to prevent the release of information requested under the FoI Act or the EIR. Where the records holding the requested information have been destroyed in accordance with the retention schedule, the Council has a duty to explain why the information is no longer held.
Roles and responsibilities
Colchester Borough Council will ensure that:
- Anyone managing and handling personal information understands that they are legally bound to follow good data protection practice
- Anyone managing and handling personal information is appropriately trained and supervised
- Members of staff have access only to personal information relevant to their roles
- A record of personal data processing is kept and maintained; this will include a data classification.
All managers and staff will ensure that:
- Paper files and other records or documents containing personal and/or sensitive data are kept securely and destroyed securely
- All personal data is kept in accordance with the Council’s retention schedule
- Where there is uncertainty around a retention matter, advice is sought from the Data Protection Officer
- The Retention Schedule reflects current legislative requirements for documents and records in their care
- The retention of documents and records is fully defined
- Records are accessible and are made available when necessary so that information requests can be responded to promptly
- Records and documents are destroyed or deleted at the end of the retention period in a secure way
- Records are held in accordance with the Data Protection and Freedom of Information Acts and any other relevant provisions.
All contractors, consultants, partners or other servants or agents of the Council must:
- Provide assurance relating to their compliant destruction of personal data and, when requested, allow the Council to audit the protection of data held on its behalf.
The Council’s Data Protection Officer is responsible for:
- Advising the Council and its staff on matters relating to the retention and destruction of personal data.
In the event of an information breach, or suspected breach, contact the ICT team and Data Protection Officer.
Data Protection Officer