Data Retention Policy

Last Updated November 2022

The corporate information, records and Data of Secure Screening Services Ltd. are important to how we conduct business.

There are legal and regulatory requirements for us to retain certain Data, usually for a specified amount of time. We also retain Data to help our business operate and to have information available when we need it. However, we do not need to retain all Data indefinitely.

This Data Retention Policy explains our requirements to retain Data and to dispose of Data and provides guidance on appropriate Data handling and disposal.

We may amend this Data Retention Policy from time to time.



Scope of Policy

This policy covers all Data that we hold or have control over. This includes physical Data such as hard copy documents, contracts, notebooks, letters and invoices. It also includes electronic Data such as emails, electronic documents and CCTV recordings. It applies to both Personal Data and Non-Personal Data. In this policy we refer to this information and these records collectively as "Data".

This policy covers Data that is held by third parties on our behalf, for example cloud storage providers or offsite records storage. It also covers Data that belongs to us but is held by employees on personal devices.

This policy explains the differences between our Formal or Official Records, Disposable Information, confidential information belonging to others, Personal Data and Non-Personal Data. It also gives guidance on how we classify our Data.

This policy applies to all business units and functions of SECURE SCREENING SERVICES LIMITED in the UK.

Guiding Principles

Through this policy, and our Data retention practices, we aim to meet the following commitments:

  • We comply with legal and regulatory requirements to retain Data.
  • We comply with our Data protection obligations, in particular to keep Personal Data no longer than is necessary for the purposes for which it is processed (Storage Limitation Principle).
  • We handle, store and dispose of Data responsibly and securely.
  • We create and retain Data where we need this to operate our business effectively, but we do not create or retain Data without good business reasons.
  • We allocate appropriate resources, roles and responsibilities to Data retention.
  • We regularly remind employees of their Data retention responsibilities.
  • We regularly monitor and audit compliance with this policy and update this policy when required.

Roles and Responsibilities

  1. Responsibility of all employees. We aim to comply with the laws, rules, and regulations that govern our organisation and with recognised compliance good practices. All employees must comply with this policy, the Record Retention Schedule, any communications suspending Data disposal and any specific instructions from the Management Team.
  2. The Management Team is responsible for identifying the Data that we must or should retain, and determining the proper period of retention. It also arranges for the proper storage and retrieval of Data, co-ordinating with outside vendors where appropriate.
  3. With the assistance of our external advisors, the Management Team is responsible for:
    • administering the Data management programme;
    • helping departments implement the Data management programme and related best practices;
    • planning, developing, and prescribing Data disposal policies, systems, standards, and procedures;
    • providing guidance, training, monitoring and updates in relation to this policy;
    • advising on and monitoring our compliance with Data protection laws which regulate Personal Data; and
    • advising on the retention requirements for Personal Data and monitoring compliance with this policy in relation to Personal Data.

Types of Data and Data Classifications

  1. Formal or official records. Certain Data is more important to us and is therefore listed in the Record Retention Schedule. This may be because we have a legal requirement to retain it, or because we may need it as evidence of our transactions, or because it is important to the running of our business. Please see paragraph 6.1 below for more information on retention periods for this type of Data.

  2. Disposable Information. Disposable Information consists of Data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or Data that may be safely destroyed because it is not a Formal or Official Record as defined by this policy and the Record Retention Schedule. Examples may include:

    • Duplicates of originals that have not been annotated.
    • Preliminary drafts of letters, reports, worksheets, and informal notes that do not represent significant steps or decisions in the preparation of an official record.
    • Books, periodicals, manuals, training binders, and other printed materials obtained from sources outside of Secure Screening Services Limited and retained primarily for reference purposes.
    • Spam and junk mail.
     Please see paragraph 6.2 below for more information on how we determine retention periods for this type of Data.

  3. Personal Data. Both Formal or Official Records and Disposable Information may contain Personal Data; that is, Data that identifies living individuals. Data protection laws require us to retain Personal Data for no longer than is necessary for the purposes for which it is processed (Storage Limitation Principle). See below for more information on this.

  4. Confidential information belonging to others. Any confidential information that may have been obtained from a source outside of Secure Screening Services Limited must not, so long as such information remains confidential, be disclosed to or used by us. Unsolicited confidential information submitted to us should be refused, returned to the sender where possible, and deleted.

Retention Periods

  1. Formal or official records. Any Data that is part of any of the categories listed in the Record Retention Schedule contained in the Annex to this policy, must be retained for the amount of time indicated in the Record Retention Schedule. A record must not be retained beyond the period indicated in the Record Retention Schedule, unless a valid business reason (or notice to preserve documents for contemplated litigation or other special situation) calls for its continued retention.
  2. Disposable information. The Record Retention Schedule will not set out retention periods for Disposable Information. This type of Data should only be retained as long as it is needed for business purposes. Once it no longer has any business purpose or value it should be securely disposed of.
  3. Personal Data. As explained above, Data protection laws require us to retain Personal Data for no longer than is necessary for the purposes for which it is processed (Storage Limitation Principle). Where Data is listed in the Record Retention Schedule, we have taken into account the Storage Limitation Principle and balanced this against our requirements to retain the Data.
  4. What if Data is not listed in the Record Retention Schedule. If Data is not listed in the Record Retention Schedule, it is likely that it should be classed as Disposable Information.

Storage, Back-up and Disposal of Data

  1. Storage. Our Data must be stored in a safe, secure, and accessible manner. Any documents and financial files that are essential to our business operations during an emergency must be duplicated and/or backed up on AWS servers based in the UK.
  2. Destruction. Our Management Team are responsible for the continuing process of identifying the Data that has met its required retention period and for supervising its destruction. We operate a paperless business, but any hard copy Data that is confidential, financial or employee-related is destroyed by shredding, if possible. Non-confidential Data may be destroyed by recycling. The destruction of electronic Data is co-ordinated via processes set up on our office software.
  3. The destruction of Data must stop immediately upon notification from the Management Team that preservation of documents for contemplated litigation is required (sometimes referred to as a litigation hold). This is because we may be involved in a legal claim or an official investigation (see next paragraph). Destruction may begin again once the Management Team lifts the requirement for preservation.

Special Circumstances

8.1 Preservation of documents for contemplated litigation and other special situations. We require all employees to comply fully with our Record Retention Schedule and procedures as provided in this policy. If the Management Team informs employees that certain records are relevant to current litigation or contemplated litigation (that is, a dispute that could result in litigation), government investigation, audit, or other event, those records must be preserved and not be deleted, disposed of, destroyed, or changed, including emails and other electronic documents, until the Management Team determines those records are no longer needed. Preserving documents includes suspending any requirements in the Record Retention Schedule and preserving the integrity of the electronic files or other format in which the records are kept.

Where to go for Advice and Questions

Questions about the policy. Any questions about this policy should be referred to our Data Protection Officer (dpo@securescreeningservices.com), who is in charge of administering, enforcing, and updating this policy.

Breach Reporting and Audit

  1. Reporting policy breaches. We are committed to enforcing this policy as it applies to all forms of Data. If we become aware of a possible breach of this policy, we will take appropriate corrective action.
  2. Audits. Our Management Team will periodically review this policy and its procedures (including where appropriate by taking outside legal advice) to ensure we are in compliance with relevant new or amended laws, regulations or guidance. Additionally, we will regularly monitor compliance with this policy, including by carrying out audits.

Other Relevant Policies

This policy supplements and should be read in conjunction with our other policies and procedures in force from time to time.

Definitions

Data: all Data that we hold or have control over and therefore to which this policy applies. This includes physical Data such as hard copy documents, contracts, notebooks, letters and invoices. It also includes electronic Data such as emails, electronic documents and CCTV recordings. It applies to both personal Data and non-personal Data. In this policy we refer to this information and these records collectively as "Data".

Data Retention Policy: this policy, which explains our requirements to retain Data and to dispose of Data and provides guidance on appropriate Data handling and disposal.

Disposable Information: Disposable Information consists of Data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or Data that may be safely destroyed because it is not a Formal or Official Record as defined by this policy and the Record Retention Schedule.

Formal or Official Record: certain Data is more important to us and is therefore listed in the Record Retention Schedule. This may be because we have a legal requirement to retain it, or because we may need it as evidence of our transactions, or because it is important to the running of our business. We refer to this as Formal or Official Records or Data.

Non-Personal Data: Data which does not identify living individuals, either because it is not about living individuals (for example financial records) or because it has been fully anonymised.

Personal Data: any information identifying a living individual or information relating to a living individual that we can identify (directly or indirectly) from that Data alone or in combination with other identifiers we possess or can reasonably access. This includes special categories of personal Data such as health Data and pseudonymised personal Data but excludes anonymous Data or Data that has had the identity of an individual permanently removed. Personal Data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person's actions or behaviour.

Record Retention Schedule: the schedule attached to this policy which sets out retention periods for our Formal or Official Records.

Storage Limitation Principle: data protection laws require us to retain Personal Data for no longer than is necessary for the purposes for which it is processed. This is referred to in the GDPR as the principle of storage limitation.




Annex B Record Retention Schedule

Secure Screening Services Limited establishes retention or destruction schedules or procedures for specific categories of Data. This is done to ensure legal compliance (for example with our Data protection obligations) and accomplish other objectives, such as protecting intellectual property and controlling costs.

Financial Records

| Personal data record category | Retention period | Record owner |
| --- | --- | --- |
| Payroll records | Seven years after audit | Finance |
| Supplier contracts | Seven years after contract is terminated | Finance |
| Chart of Accounts | Permanent | Finance |
| Fiscal Policies and Procedures | Permanent | Finance |
| Permanent Audits | Permanent | Finance |
| Financial statements | Permanent | Finance |
| General Ledger | Permanent | Finance |
| Investment records (deposits, earnings, withdrawals) | 7 years | Finance |
| Invoices | 7 years | Finance |
| Cancelled cheques | 7 years | Finance |
| Bank deposit slips | 7 years | Finance |
| Business expenses documents | 7 years | Finance |
| Cheque registers/books | 7 years | Finance |
| Property/asset inventories | 7 years | Finance |
| Petty cash receipts/documents | 3 years | Finance |

Business Records

| Personal data record category | Retention period | Record owner |
| --- | --- | --- |
| Articles of Association | Permanent | Finance |
| Board policies | Permanent | Finance |
| Board meeting minutes | Permanent | Finance |
| Tax or employee identification number designation | Permanent | Finance |
| Office and team meeting minutes | Not required unless employee specific and then – 6 years after employment ends | Finance |
| Annual corporate filings | Permanent | Finance |

HR: Employee Records

| Personal data record category | Retention period | Record owner |
| --- | --- | --- |
| Disciplinary, grievance proceedings records, oral/verbal, written, final warnings, appeals | 6 years after employment ends | HR |
| Applications for jobs, interview notes – Recruitment/promotion panel Internal | Where the candidate is unsuccessful: Deleted 12 months from application. Where the candidate is successful: Duration of employment plus 7 years | HR |
| Payroll input forms, wages/salary records, overtime/bonus payments Payroll sheets, copies | 7 years | HR |
| Bank details – current | Duration of employment | HR |
| Payrolls/wages | Duration of employment | HR |
| Job history including staff personal records: contract(s), T's & C's; previous service dates; pay and pension history, pension estimates, resignation/termination letters | 6 years after employment ends | HR |
| Employee address details | Duration of employment | HR |
| Expense claims | 6 years after employment ends | HR |
| Annual leave records | Duration of employment | HR |
| Accident books Accident reports and correspondence | 6 years after employment ends | HR |
| Certificates and self-certificates unrelated to workplace injury; statutory sick pay forms | 6 years after employment ends | HR |
| Pregnancy/childbirth certification | 6 years after employment ends | HR |
| Parental leave | Duration of employment plus 6 years after employment | HR |
| Maternity pay records and calculations | 6 years after employment ends | HR |
| Redundancy details, payment calculations, refunds, notifications | 6 years after employment ends | HR |
| Training and development records | Duration of employment plus 6 years | HR |

Contracts

| Personal data record category | Retention period | Record owner |
| --- | --- | --- |
| Signed | Permanent | Finance |
| Contract amendments | Permanent | Finance |
| Successful tender documents | Permanent | Finance |
| Unsuccessful tenders’ documents | Permanent | Finance |
| Tender – user requirements, specification, evaluation criteria, invitation | Permanent | Finance |
| Contractors’ reports | Permanent | Finance |
| Operation and monitoring, e.g., complaints | Permanent | Finance |

Client Data

| Personal data record category | Retention period | Record owner |
| --- | --- | --- |
| Platform data - email address, first and second name, address etc | Retained whilst organisation remains an active client and for a period of 5 years, for the purposes of re-screening. Following deletion, back-ups will be removed after 30 days. | Client |
| Live chat history | Until no longer needed or requested to be deleted | Support |
| CRM data – inclusive of Name, Email address, mobile number, address, emails and phone call summaries | Until no longer needed or requested to be deleted | Support |
| Metrics data | Retained whilst organisation remains a client or deleted by user. Once an organisation requests all records to be deleted, data will be anonymised | Development Team |

Candidate Data

| Personal data record category | Retention period | Record owner |
| --- | --- | --- |
| Personal Data in connection with candidate screening: Full name, date of birth, contact details, including telephone number, email address, postal address, postal address history, gender, educational history, work experience, training and qualifications, copy of passport or birth certificate, driving licence details, national insurance number, right to legally work in the UK, details of directorships, results of DBS checks, results of adverse media checks | It is a legal requirement that we retain your DBS checks records for at least 1 year from the date of collection. This applies even where you withdraw from the screening process before it is completed. We may also be required to share any information we hold on you to DBS. We will retain your name and email address only, for a period of 5 years, for the purposes of re-screening. | Candidate Support |

Non-Customer Data

| Personal data record category | Retention period | Record owner |
| --- | --- | --- |
| Name, email address | Kept until person unsubscribes / requests to be removed from system | Marketing & Sales |

CCTV

| Personal data record category | Retention period | Record owner |
| --- | --- | --- |
| CCTV recordings | 30 to 90 days | Security / Management Team |

IT

| Personal data record category | Retention period | Record owner |
| --- | --- | --- |
| Recycle Bins | Cleared promptly once relevant data has been utilised and is no longer required. This system is implemented on an ongoing basis. | Individual employee |
| Downloads | Cleared promptly once relevant data has been utilised and is no longer required. This system is implemented on an ongoing basis. | Individual employee |
| Inbox | Cleared promptly once relevant data has been utilised and is no longer required. This system is implemented on an ongoing basis. | Individual employee |
| Deleted Emails | Cleared promptly once relevant data has been utilised and is no longer required. This system is implemented on an ongoing basis. | Individual employee |
| Local Drives & files | Cleared promptly once relevant data has been utilised and is no longer required. This system is implemented on an ongoing basis. | Individual employee |