At BISA information and data is accumulated from both individuals within the British International Studies Association (BISA), external individuals and organisations. Additionally, BISA generates documents recording various information and data in the course of its business. The appropriate management of the data and information collected, obtained and held by BISA is essential, especially as data is one of BISA’s main corporate assets.
In particular, data should only be retained for as long as there is an operational or legal requirement for it to be retained. This policy sets out the background to data retention and the time limits that apply.
This policy addresses the requirements of data retention as set out in the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 that BISA and its employees need to meet when retaining and disposing of data.
Therefore, the purpose of the policy is to:
- Explain obligations
- Explain procedures
- Ensure that BISA complies with legal and regulatory requirements
- Educate on the responsible storage and disposal of data
One of the underlying principles of the GDPR and the Data Protection Act is that data is not kept longer than is necessary. Additionally, it is impractical to retain all documents and records indefinitely. This policy sets out BISA’s adopted standard and the attached Data Retention Schedule specifies retention periods for each type of data.
Who does the policy apply to
It is important that all employees read, understand and comply with the policy. Failure to comply with the policy may lead to fines and penalties, as well as adverse publicity for BISA.
The policy does not form part of any employee’s employment contract and may be updated from time to time.
What does the policy apply to
It applies to all data, information and records relating to BISA, its customers, suppliers and/or business partners that BISA hold or has control over. This means it covers data held by third parties or remotely on BISA’s behalf.
The records could be held in hard copy or electronically in different formats, such as e-mails, file notes, attendance notes, press releases and documents created in the course of business. They could also include video or audio recordings. For the purposes of this policy we will use the term “data” collectively below.
Who to turn to with questions
BISA is responsible for identifying data that must or should be retained and will consult with external lawyers from time to time where necessary and/or appropriate to determine appropriate retention periods. BISA will arrange for proper storage and retrieval of data, coordinating with third party processors where appropriate.
BISA has designated the Communications Manager to oversee and implement the processes set out in this policy including advising and monitoring of BISA’s compliance with data protection laws regulating personal data.
General storage guidelines
A document should ideally be stored in one format only (i.e. hard copy or electronically) and by keeping a single copy (i.e. an electronic document should not be stored in several different places for example). There may be exceptions to this rule. For example where originals of signed copies may be needed at a future date.
In any event, the storage arrangements should be safe, secure and accessible to enable business continuity at all times. No data should be kept indefinitely “just in case”.
Types of data
Disposable data may be discarded or deleted once it has served its temporary purpose. Examples are unannotated duplicates of originals, preliminary drafts of documents, printed reference materials from outside BISA and spam and junk mail. These can be permanently deleted or recycled where appropriate once they no longer have a business value.
Formal or official records
Certain data has formal or official status, such as data to be submitted to HMRC or data underlying official documents such as accounts for example. BISA may have a legal requirement to retain such information for a set duration, may need the data for the continued running of the business or may need it as evidence of transactions.
Such data is listed in the attached Data Retention Schedule together with the current retention time limits. No records should be kept beyond the expiry of the time limits without good reason (unless you have been informed that it is required for litigation purposes for example), but if you are unsure about deletion, please contact the Director.
Ultimately, destruction of this type of data must be by shredding and/or permanent deletion of electronic data.
Both disposable and/or formal/official documents may contain personal data, i.e. contain information that could identify a living individual, for example by name and contact details. Data protection laws require that personal data should not be kept longer than necessary.
For purposes of membership management and tracking over time, anonymised data may be kept past the retention point.
Again, as with formal and official data, destruction must be by shredding and/or permanent electronic deletion in conjunction with the BISA team where necessary.
Confidential data belonging to others
Where an employee receives confidential information from third parties, such as a previous employer, such information must remain confidential and must not be disclosed to or used by BISA. Unsolicited confidential information should be refused and returned where possible or, if electronically received, be deleted.
Exceptions - contemplated litigation and other situations
Where you have been informed that data is subject to legal proceedings, audits and/or an investigation, it must be preserved until legal advice has been obtained to confirm that the data no longer needs to be preserved. Management will confirm as and when certain data falls within that category and when the restrictions are lifted.
Data retention note and schedule
Drafted and implemented - August 2022
Review - August 2025