As a general rule, we retain all information only for as long as specified in this Policy and, in general, no longer than five years plus the current year.
Current plus five-year rule
As a general rule, we shall not hold personal data for more than five years after it ceases to be current, unless there is a specific reason for doing so (see ‘Exceptions to the five-year rule’ below for the specific categories requiring different retention periods). The definition of ‘current’ will vary according to the personal data: for example, it will mean until a customer has found office space or, where the data relates to staff, until a member of staff has ceased being employed by Sikamaster.
It should be remembered that the ‘current plus five years’ rule is a maximum period for retention. If there is no need to keep the personal data that long, then it should be disposed of securely before the five-year time-limit. This may be the case in respect of a CV application for a job with us.
Exceptions to the five-year rule
Some data must be retained in order to protect Sikamaster’s interests, preserve evidence, and generally conform to good business practices. Some reasons for data retention include:
- Regulatory requirements;
- Security incident investigation.
Sikamaster may also keep the e-mail addresses and telephone numbers of data subjects who unsubscribe from marketing communications to ensure that there is a record on file noting that the individual is not to be directly marketed to.
Please see the attached Data Retention Schedule (“Schedule”) for guidance on determining the length of time for which personal data within certain categories should be retained.
Data destruction is a critical component of a data retention policy. Data destruction ensures that the company will use data efficiently, thereby making data management and data retrieval more cost-effective.
When the retention timeframe expires, Sikamaster will actively destroy the data covered by this Policy. If an employee of Sikamaster feels that certain data should not be destroyed, he or she should identify the data to his or her supervisor so that an exception to the Policy can be considered. Since this decision has long-term legal implications, exceptions will be approved only by a member or members of Sikamaster’s management team.
Sikamaster specifically directs employees not to destroy data in violation of this Policy. Destroying data that an employee may feel is harmful to himself or herself, or destroying data in an attempt to cover up a violation of law or company policy, is strictly forbidden.
Records can be destroyed in the following ways:
- Non-sensitive information – can be placed in a normal rubbish bin/recycling.
- Confidential information – cross-cut shredded and pulped or burnt.
- Electronic equipment containing information – destroyed using KillDisk; individual folders will be permanently deleted from the system.
Destruction of electronic records should render them non-recoverable even using forensic data recovery techniques.
Sharing of information
Duplicate records should be destroyed. Where information has been regularly shared between business areas, only the original records should be retained. Care should be taken that seemingly duplicate records have not been annotated.
Where we share information with other bodies, we will seek to ensure that they have adequate procedures for records to ensure that the information is managed in accordance with the relevant legislation and regulatory guidance.
You do not need to document the disposal of records which have been listed on the Schedule. Any documents which are disposed of earlier or kept for longer than listed in the Schedule will need to be recorded for audit purposes.
This will provide an audit trail for any inspections conducted by the Information Commissioner, where we no longer hold the material.
Data Retention Schedule