What is the purpose of this document?
Meeting Rooms ("we", "our", "us") shall only keep information it holds for as long as is necessary. The retention periods can differ based on the type of data processed, the purpose of processing or other factors.
This Data Retention Policy ("Policy") covers all company data stored on company-owned, company-leased, and otherwise company-provided systems and media, regardless of location. Note that the need to retain certain information can be mandated by local and industry regulations, and we will comply with the EU General Data Protection Regulation ("GDPR"), the Data Protection Act 1998 and the incoming Data Protection Act 2018. Where this Policy differs from applicable regulations, the applicable regulations will take precedence.
As a general rule, we retain all information only for as long as specified in this Policy and, in general, no longer than five years plus the current year.
Current plus five-year rule
As a general rule, we shall not hold personal data for more than five years after it ceases to be current, unless there is a specific reason for doing so (see ‘Exceptions to the five-year rule’ below for the specific categories requiring different retention periods). The definition of ‘current’ will vary according to the personal data: for example, it will mean until a customer has booked a meeting room or, where it relates to staff, until a member of staff has ceased being employed by Meeting Rooms.
It should be remembered that the ‘current plus five years’ rule is a maximum period for retention. If there is no need to keep the personal data that long, then it should be disposed of securely before the five-year time-limit. This may be the case in respect of a CV application for a job with us.
Exceptions to the five-year rule
Some data must be retained in order to protect Meeting Rooms' interests, preserve evidence, and generally conform to good business practices. Some reasons for data retention include:
- Regulatory requirements;
- Security incident investigation.
Meeting Rooms may also keep the e-mail addresses and telephone numbers of data subjects who unsubscribe from marketing communications to ensure that there is a record on file noting that the individual is not to be directly marketed to.
Please see the attached Data Retention Schedule ("Schedule") for guidance on determining the length of time for which personal data within certain categories should be retained.
Data destruction is a critical component of a data retention policy. Data destruction ensures that the company will use data efficiently, thereby making data management and data retrieval more cost-effective.
When the retention timeframe expires, Meeting Rooms will actively destroy the data covered by this Policy. If an employee of Meeting Rooms feels that certain data should not be destroyed, he or she should identify the data to his or her supervisor so that an exception to the Policy can be considered. Since this decision has long-term legal implications, exceptions will be approved only by a member or members of Meeting Rooms' management team.
Meeting Rooms specifically directs employees not to destroy data in violation of this Policy. Destroying data that an employee may feel is harmful to himself or herself, or destroying data in an attempt to cover up a violation of law or company policy, is strictly forbidden.
Records can be destroyed in the following ways:
- Non-sensitive information – can be placed in a normal rubbish bin/recycling.
- Confidential information – cross-cut shredded and pulped or burnt.
- Electronic equipment containing information – destroyed using killdisc; individual folders will be permanently deleted from the system.
Destruction of electronic records should render them non-recoverable even using forensic data recovery techniques.
Sharing of information
Duplicate records should be destroyed. Where information has been regularly shared between business areas, only the original records should be retained. Care should be taken that seemingly duplicate records have not been annotated.
Where we share information with other bodies, we will seek to ensure that they have adequate procedures for records to ensure that the information is managed in accordance with the relevant legislation and regulatory guidance.
You do not need to document the disposal of records which have been listed on the Schedule. Any documents which are disposed of earlier or kept for longer than listed in the Schedule will need to be recorded for audit purposes.
This will provide an audit trail for any inspections conducted by the Information Commissioner, where we no longer hold the material.
Responsibility for monitoring this Policy rests with Michael Benjamin, CMO. This Policy shall be reviewed annually.
Document Retention Schedule
||Current tax year plus five years.|
|Personal data relating to customers||
||Personal data will be held for as long as the individual is a customer of the company plus 6 years.|
|Personal data relating to employees||
||General employee data will be held for the duration of employment and then for 6 years after the date of termination. Employee contracts will be held for 6 years after the date of termination.|
||Current financial year plus 6 years.|
||Current financial year plus 5 years|
||Details relating to unsuccessful applicants will be held for 6 months after interview and shall then be destroyed.|
||Current year of complaint plus six years.|
||Life of contract plus six years|
|Data protection requests||
||Current year of request plus six years|
||In general, insurance policies should be kept for the length of the policy plus 6 years. Employers Liability Claims should be kept permanently.|