Retention Policy 2023
Colchester City Council has to collect and use information about the people with whom it works, members of the public, current, past and prospective employee, customers, suppliers and others in order to carry out its duties.
We will ensure that we treat all personal information entrusted to it in accordance with its Data Protection Policy.
We fully endorse and adhere to the principles set out in the Data Protection Legislation (Data Protection Act 2018 and UK General Data Protection Regulations).
This Retention Policy and the procedures set down in it are reviewed annually to ensure that we continue to comply with the requirements of Article 5 (e) of the UK General Data Protection Regulations (GDPR), ‘kept in the form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed’.
The purpose of this policy is to ensure that we make sure:
For the purposes of this policy, personal data can be held in any medium including, but not exclusively, paper documents or files, electronic images and documents, emails, data records within an electronic dataset, other images, video and audio recordings.
In addition to meeting the requirements of Data Protection Legislation, The Freedom of Information (FoI) Act and the Environmental Information Regulations (EIR) require us to maintain records management practices that enable us to respond to requests for information as soon as possible and at the latest within 20 working days.
The Retention Schedule is a control document setting out the periods for which records should be retained to meet our operational needs and to comply with legal and other requirements. This is a ‘live’ document which is regularly updated.
It is an offence to destroy, delete or amend records or personal data in order to prevent or attempt to prevent the release of information requested under the Freedom of Information Act or Environmental Information Regulations. Where the records holding the information requested have been destroyed in accordance with the retention schedule, we have a duty to explain why the information is no longer held.
Status: Final
To be reviewed: August 2024
We will ensure that we treat all personal information entrusted to it in accordance with its Data Protection Policy.
We fully endorse and adhere to the principles set out in the Data Protection Legislation (Data Protection Act 2018 and UK General Data Protection Regulations).
This Retention Policy and the procedures set down in it are reviewed annually to ensure that we continue to comply with the requirements of Article 5 (e) of the UK General Data Protection Regulations (GDPR), ‘kept in the form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed’.
The purpose of this policy is to ensure that we make sure:
- crucial records can be located and retrieved as required
- records are kept in accordance with data protection legislation
- records are kept in accordance with business requirements
- records are not kept for longer than necessary
- the best use is made of available storage facilities
- the medium used for each record is the most appropriate.
Application of policy
We will ensure that all personal data is retained and disposed of correctly.For the purposes of this policy, personal data can be held in any medium including, but not exclusively, paper documents or files, electronic images and documents, emails, data records within an electronic dataset, other images, video and audio recordings.
In addition to meeting the requirements of Data Protection Legislation, The Freedom of Information (FoI) Act and the Environmental Information Regulations (EIR) require us to maintain records management practices that enable us to respond to requests for information as soon as possible and at the latest within 20 working days.
The Retention Schedule is a control document setting out the periods for which records should be retained to meet our operational needs and to comply with legal and other requirements. This is a ‘live’ document which is regularly updated.
Relevant principles of data protection
Whenever retaining or disposing of personal information we will ensure that:- Personal data is retained only for as long as necessary
- Personal data is disposed of securely and properly
- All personal data is processed in accordance with the rights of the individual concerned
- The movement of personal data is done in a lawful way, both inside and outside the council, and that suitable safeguards exist
- Retention periods are regularly reviewed.
Defining retention periods
There are a number of considerations that must be made when deciding upon an appropriate retention period.- Statutory - some retention periods are governed by statute, for example the ‘Health and Safety at Work Act 1974’ and ‘HMRC VAT Notice 700/21: keeping VAT records’. It is therefore essential that any relevant statutory provisions are taken into account when deciding upon a retention period.
- Civil Action - personal data must be retained if it may be needed to defend possible future legal claims. However, linked information that could not possibly be relevant to any claim must not be retained. Personal data must be deleted when a claim could no longer arise. The Limitation Act 1980 imposes various time limits for the taking of legal action.
- Data Protection Act, Freedom of Information and Environmental Information Regulations - if a request for information is made where the records holding that information are due to be destroyed, the destruction of these records must be suspended.
- Data Protection Act – this Act does not specify retention periods. However, the Act does state that where other statutory record retention provisions exist these take precedence. The Council are responsible for implementing the DPA and must decide for how long personal data is retained, taking into account the Data Protection principles, business needs, other legal requirements, any professional guidelines, and best or common practice.
- Historical and research - there may be good grounds for keeping personal data for historical, statistical or research purposes.
It is an offence to destroy, delete or amend records or personal data in order to prevent or attempt to prevent the release of information requested under the Freedom of Information Act or Environmental Information Regulations. Where the records holding the information requested have been destroyed in accordance with the retention schedule, we have a duty to explain why the information is no longer held.
Roles and responsibilities
We will ensure that:- Anyone managing and handling personal information understands that they are legally bound to follow good data protection practice
- Anyone managing and handling personal information is appropriately trained and supervised
- Members of staff have access only to personal information relevant to their roles
- Records of personal data processing are kept and maintained
- Paper files, digital files and other records or documents containing personal and or special category data are kept securely
- Paper files, digital files and other records or documents containing personal and or special category data are destroyed securely
- Information which could be released under a Freedom of Information (FoI) request – e.g. information that’s already publicly available or which wouldn’t attract an exemption, cause harm, distress or embarrassment can be disposed of in normal waste bins.
- Personal data, special category data, confidential information and commercially sensitive data requires secure disposal e.g via confidential waste bins, shredding, destruction of CD etc. ICT can arrange secure disposal of devices such as laptops, phones and removable media.
- Anyone who is unsure of whether secure disposal is required should contact data.protection@colchester.gov.uk for advice.
- All personal data is kept in accordance with our retention schedule
- Where there is uncertainty around a retention matter ensure that advice is sought from the Data Protection Officer
- The Retention Schedule reflects current legislative requirements for document and records in their care
- The retention of documents and records is fully defined and applied
- Records are accessible and are made available when necessary so that information requests can be responded to promptly
- Records and documents are destroyed or deleted at the end of the retention period in a secure way (including SharePoint and Teams files)Records are held in accordance with the Data Protection and Freedom of Information Acts and any other relevant provisions.
- Records are held in accordance with the Data Protection and Freedom of Information Acts and any other relevant provisions.
- Provide assurance relating to their compliant destruction of personal data and when requested allow us to audit the protection of data held on our behalf
- Records held on our behalf (particularly by suppliers of IT systems) are securely destroyed or returned to us at the end of service provision.
- Advising the council and its staff on matters relating to the retention and destruction of personal data.
Policy review
The policy will be reviewed on an annual basis and updated as necessary at these reviews.Further information
For further information about Colchester City Council’s compliance with Data Protection Legislation, visit www.colchester.gov.uk/privacy or email dpo@colchester.gov.uk.Version control
Purpose: To specify how we comply with Data Protection Legislation with regard to Data Retention.Status: Final
To be reviewed: August 2024
Page last reviewed: 20 December 2023