Data Retention Policy and Schedule
Purpose, Scope and Users
In its everyday business operations Mystique collects and stores records of many types and in a variety of different formats. The relative importance and sensitivity of these records also varies, and their classification covers both paper (manual) records and digital (electronic) records.
It is important that these records are protected from loss, destruction, falsification, unauthorized access and unauthorized release and that a range of controls are used to ensure this, including backups, access control and encryption.
These controls apply to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Mystique’s systems.
This policy sets the required retention periods for specified categories of personal data and sets out the minimum standards to be applied when destroying certain information within Mystique.
This Policy applies to all business units, processes and systems in all countries in which Mystique conducts business and has dealings or other business relationships with third parties.
This Policy applies to all officers, directors, employees, agents, affiliates, contractors, consultants, advisors or service providers that may collect, process, or have access to data (including personal data and/or sensitive personal data). It is the responsibility of all of the above to familiarise themselves with this Policy and ensure adequate compliance with it.
Reference Documents
- Data Protection Act
- other local laws and regulations, as applicable
- Data Protection Policy
- Privacy Notice
Retention rules
Data Retention Principles
All decisions relating to the retention and disposal of documents should be taken in accordance with this Policy and the Retention Schedule.
In circumstances where the retention period for a specific document has expired, a review should always be carried out prior to a decision being made to dispose of the record.
Mystique adopts the following principles as part of its record retention and protection policy:
- Records must be held in compliance with all applicable legal, regulatory and contractual requirements;
- Records must not be held for any longer than is required;
- The protection of records in terms of their confidentiality, integrity and availability must be in accordance with Mystique’s policies relating to information security;
- Records must always remain retrievable in line with business requirements;
- Where appropriate and practicable, records containing personal data must be subject to techniques that prevent the identification of a living individual, such as anonymization or pseudonymization.
Retention general schedule
The Data Protection Officer defines the time period for which the documents and electronic records should be retained through the Data Retention Schedule appended to this Policy.
Unless specifically defined elsewhere in this Policy (and in particular within the Data Retention Schedule) and unless otherwise mandated differently by applicable law, the required retention period for records will be deemed to be 7 years [from the date of creation of the document].
In certain circumstances it will be necessary to retain specific records for longer in order to fulfill statutory or regulatory requirements and to meet operational needs. Any such retention of specific records must follow the retention period specified in our Retention Schedule.
As an exemption, retention periods within the Data Retention Schedule can be prolonged in cases where:
- There are ongoing investigations by Mystique or governmental authorities, and there is a chance that records of personal data are needed by Mystique to prove compliance with any legal requirement or otherwise; or
- Legal rights are being exercised in lawsuits or similar court proceedings recognized under local law.
Safeguarding of data during retention period
The possibility that data media used for archiving will wear out must be considered. If electronic storage media are chosen, any procedure and system needed to ensure that the information can be accessed throughout the retention period (both with respect to the information carrier and the readability of formats) shall also be retained, in order to safeguard the information against loss as a result of future technological changes. The responsibility for the storage falls to [job title].
- Use of Cryptography
Where appropriate to the classification of information and the storage medium, cryptographic techniques must be used to ensure the confidentiality and integrity of records.
Care must be taken to ensure that encryption keys used to encrypt records are securely stored for the life of the relevant records and comply with the organization’s policy on cryptography.
- Media Selection
The choice of long-term storage media must consider the physical characteristics of the medium and the length of time it will be in use.
Where records are legally (or practically) required to be stored on paper, adequate precautions must be taken to ensure that environmental conditions remain suitable for the type of paper used. Where possible, backup copies of such records should be taken by methods such as scanning or microfiching. Regular checks must be made to assess the rate of deterioration of the paper and action taken to preserve the records, if required.
For records stored on electronic media, similar precautions must be taken to ensure the longevity of the materials, including correct storage and copying onto more robust media if necessary. The ability to read the contents of the media format must be maintained by the keeping of a device capable of processing it. If this is impractical an external third party may be employed to convert the media onto an alternative format.
- Record Retrieval
The choice and maintenance of record storage facilities must ensure that records can be retrieved in a usable format within an acceptable period. An appropriate balance should be struck between the cost of storage and the speed of retrieval.
- Record Review
The retention and storage of records must be subject to a regular review process carried out under the guidance of management to ensure that:
- The policy on records retention and protection remains valid;
- Records are being retained according to the policy;
- Records are being securely disposed of when no longer required;
- Legal, regulatory and contractual requirements are being fulfilled;
- Processes for record retrieval are meeting business requirements.
The results of these reviews must be recorded.
Archiving
The method of archiving selected for a particular document will vary between departments and services. Any questions regarding archiving should be raised in the first instance with the department manager who shall consult with the Data Protection Officer. In all cases prior to commencing the archival process, identify the documents that need to be retained in accordance with the Retention Schedule. Prior to archiving, all duplicates and any unnecessary papers should be removed. Standard Archiving Boxes should be obtained, clearly labelled and correctly sealed.
Disposal & Destruction of data
Once records have reached the end of their life according to the defined policy, they must be securely destroyed in a manner that ensures that they can no longer be used. The destruction procedure must allow for the correct recording of the details of disposal which should be retained as evidence.
The person responsible for erasing data / destroying media must inform the Data Protection Officer or the owner of the asset in question about the destruction, and the Data Protection Officer must update the Data Asset Inventory.
- Equipment
[Job title] is responsible for checking and ensuring the erasure of data from equipment such as servers, backup systems, etc.
- Digital media
[Job title] is responsible for ensuring the erasure of data from mobile storage media. Data must be fully erased, but if the erasure process is not secure enough considering the sensitivity of the data, then the storage medium must be destroyed.
- Paper media
[Job title] is responsible for ensuring the destruction of paper documents by shredding or other suitable method.
- Classified records
Special consideration should be given to the procedure for erasure or destruction of all “Classified” information including conducting the process in the presence of a representative or commission consisting of persons authorised to access the information in question.
- Record-keeping
Records of erasure/destruction must be kept. Records must include the following information: information about the media, date of erasure/destruction, method of erasure/destruction, person who carried out the process.
Breach, enforcement and compliance
The Data Protection/Privacy Officer has the responsibility to ensure that Mystique complies with this Policy.
Any suspicion of a breach of this Policy must be reported immediately to the Data Protection/Privacy Officer. All instances of suspected breaches of the Policy shall be investigated and action taken as appropriate.
Failure to comply with this Policy may result in adverse consequences, including, but not limited to, regulatory sanctions, loss of customer confidence, litigation and loss of competitive advantage, financial loss and damage to Mystique’s reputation, personal injury, harm or loss. Non-compliance with this Policy by permanent, temporary or contract employees, or any third parties, who have been granted access to Mystique’s premises or information, may therefore result in disciplinary proceedings or termination of their employment or contract. Such non-compliance may also lead to legal action against the parties involved in such activities.
Routine disposal schedule
Records which may be routinely destroyed unless subject to an ongoing legal or regulatory inquiry include:
- Notices of day-to-day meetings and other events including acceptances and apologies;
- Requests for ordinary information such as travel directions;
- Reservations for internal meetings without charges / external costs;
- Transmission documents such as Fax cover sheets, e-mail messages, routing slips, compliment slips and similar items that accompany documents but do not add any value;
- Duplicate documents such as CC copies, drafts, or extracts from databases and day files;
- Stock in-house publications which are obsolete or superseded, e.g. old newsletters;
- Trade magazines, catalogues and promotional material from vendors or other third parties.
Validity and document management
This document is valid as of [date].
The owner of this document is [job title], who must check and, if necessary, update the document at least once a year.
Appendices
- Appendix – Data Retention Schedule
DATA RETENTION SCHEDULE