Data and records retention and disposal policy

Questions about this document and policy should be directed to dataprotectionofficer@wiltonpark.org.uk.

Purpose

The purpose of this Wilton Park policy is to detail the procedures for the retention and disposal of information to ensure that our staff carry this out consistently and that any actions taken are fully documented. Unless otherwise specified, the data retention and disposal policy refers to both paper and electronic documents.

Review

Review is the examination of records which may need to be permanently preserved and only released if there are no exemptions under the various pieces of legislation.

How long we should keep our records

Records should be kept for as long as they are needed to meet the legal basis referred to in the organisation’s Privacy Notice and the operational needs of Wilton Park, together with legal and regulatory requirements. We have assessed our records to:

• determine their value as a source of information about Wilton Park, its operations, relationships and environment
• assess their importance as evidence of business activities and decisions
• establish whether there are any legal or regulatory retention requirements (including: Public Records Act 1958, Freedom of Information Act 2000, Data Protection Act 2018, and UK GDPR).

Where records are likely to have a historical value, or are worthy of permanent preservation, they will be reviewed and either transferred to The National Archives (TNA), deleted or retained (as per the Constitutional Reform and Governance Act 2010).

Sharing of information

Duplicate records will be destroyed. Where information has been regularly shared between business areas, only the original records should be retained in accordance with the guidelines in section 2 above. Care will be taken that seemingly duplicate records have not been annotated.

Where information is shared with other bodies, we will ensure that they have adequate procedures for records to ensure that the information is managed in accordance with the relevant legislation and regulatory guidance.

Audit trail

It is not required to document the disposal of records which have been listed on the records retention schedule. Documents disposed of outside the schedule either by being disposed of earlier or kept for longer than listed will need to be recorded for audit purposes.

This will provide an audit trail for any inspections conducted by the Information Commission Officer and will aid in addressing Freedom of Information requests, where we no longer hold the material.

Monitoring

Responsibility for monitoring the disposal policy rests with the Security Group. The policy will be reviewed annually.

Disposal schedule

Records on disposal schedules will fall into three main categories:

(a) Destroy after an agreed period – where the useful life of a series or collection of records can be easily predetermined (for example, destroy after 3 years; destroy 2 years after the end of the financial year).

(b) Automatically select for permanent preservation – where certain groups of records can be readily defined as worthy of permanent preservation and transferred to an archive.

(c) Review – see above.

Records can be destroyed in the following ways:

Either by destruction:

• Non-sensitive information – can be placed in a normal recycling bin.
• Confidential information – fine crosscut shredded and sent for recycling.
• Personal and sensitive information – placed in data shredding bags for collection and certified destruction.
• Electronic equipment containing information – destroyed using kill disc and for individual folders, they will be permanently deleted from the system.

Destruction of electronic records should render them non-recoverable even using forensic data recovery techniques.

Or by archival transfer – This is the transfer of physical and digital records to a permanent custody at The National Archives (TNA).