Data retention policy
Introduction
Re-engage collects a large amount of data while carrying out our various charitable activities. The information is collected from a range of sources including, but not limited to, staff, volunteers, older people, funders and donors, referrers, and organisations. Most of this data is personal data about individuals.
The bulk of this data is stored as electronic records. Appropriate retention of data is necessary for our operational performance and in some cases is required to fulfil statutory or other regulatory and donor requirements or to evidence events and agreements in disputes.
The retention of data can lead to unnecessary and excessive use of electronic storage space which can create significant cost. Importantly, the indefinite retention of personal data can breach the UK GDPR. Failure to comply with the GDPR can lead to financial penalties from the Information Commissioner’s Office. It is therefore essential that Re-engage has appropriate systems and processes in place for the preservation and timely disposal of records in line with business requirements and relevant legislation.
1. Scope
This Data Retention Policy applies to:
- all staff, volunteers, consultants, contractors, trustees and, as appropriate, partnership organisations, partner staff and third parties of Re-engage.
- all records that are created, handled, stored, or processed by Re-engage, electronically (soft copy) or in paper (hard copy) form.
All those people or groups to whom this policy applies should, as appropriate, be aware of this policy.
1.1 Procedures associated with this document
- Back-up and disaster recovery procedure
- Data protection policy
- Data security policy
- Register of systems
2. Easy read data retention principles
- All emails, documents, and other data relating to people using our services (older people, volunteers) should be stored in the relevant system as directed by type.
- Any initial collection forms, or processing steps in between collecting the data and storage in OPUS, should be securely deleted at the first opportunity, unless otherwise agreed.
- All documents and materials produced for Re-engage must be stored on SharePoint.
1. Subject access and erasure requests
Anyone we hold personal data about has the right to ask us to disclose what information we hold about them and to be forgotten by us (have their data erased). This includes service beneficiaries, donors, staff and volunteers. If you receive a formal request for information about a data subject, or a request to be forgotten, you must do the following:
- If the request is by phone, you should ask the caller to put their request in writing (this allows us to have a formal record of the request).
- Establish who should answer the request. Depending on the type of data and the simplicity of the request, it may be appropriate to deal with the request yourself. Otherwise, you may need to pass the request to a manager or member of the senior management team.
- If you are in any doubt as to whether the person requesting the data is the data subject themselves, please contact our internal Data Protection Officer(s) for further guidance.
- We must respond to a Subject Access Request or Subject Erasure Request within a strict time frame (this is currently 40 calendar days), and failure to do so will place Re-engage in breach of data protection law.
- Processing subject erasure (anonymisation) requests: In some circumstances, and in order to retain analytical data relating to operational performance, it is not necessary to delete records; they can be anonymised instead. A record is effectively anonymised when it:
  - does not relate to an identified or identifiable individual; or
  - is rendered anonymous in such a way that individuals are not (or are no longer) identifiable.
The extent to which we can anonymise data depends on the purpose for which it is retained. For individuals recorded in OPUS, it is acceptable to scrub personal and sensitive data (including attached emails and documents) from their record. Other areas, such as finance or HR records, depend on legal requirements. Any data erasure/anonymisation request must be carried out in consideration of the data retention schedules (below), which clarify legal requirements to keep data and may override the request.
Re-engage’s data protection officer is the director of finance and resources.
2. Data storage systems / locations
2.1 Formstack
Collects, processes, and stores personal and sensitive data for processing in other systems. Data is stored in Formstack and transposed via Power Automate into OPUS and retained against the individual’s record. The Formstack database is retained to ensure accurate data ingestion. Formstack data may be archived to Excel spreadsheets in order to release storage capacity in the Formstack database. Where this occurs, the spreadsheets will be securely stored, and password protected, on Re-engage SharePoint.
2.2 OPUS
CRM and Fundraising system storing personal and sensitive data relating to volunteers, older people, funders and donors, and referrers. The system also stores data on organisations and corporate bodies. OPUS is built on Microsoft Dynamics 365, using Power Automate and Power Apps. Access is granted with approval from OPUS administrators.
2.3 Together.ly
A ‘tele-health’ platform that facilitates delivery of our call companion program, with an API connection to OPUS. Together.ly holds telephone numbers and names of matched volunteers and contacts. When a match is broken the numbers are removed from Together.ly but the history of calls is retained. The system stores the date and duration of calls and has a facility to record calls. It is Re-engage policy not to record calls without the informed consent of the volunteer and older person. The system is password protected and numbers can only be viewed by administrators.
2.4 Office 365 (including SharePoint, Teams, Outlook, OneDrive)
2.4.1 Personal and sensitive data relating to individuals in OPUS
- Emails from and relating to individuals must be appended to their record in OPUS.
- Documents from and relating to individuals should be scanned (if not received electronically) and appended to their record in OPUS.
If retention of the original physical document is thought essential, the document should be:
- Scanned and appended to the individual’s record in OPUS
- Stored securely under lock and key, in line with document management rules
2.4.2 Operational data relating to business activities
- All documents essential to Re-engage must be stored on SharePoint.
2.5 QuickBooks
Financial reporting system storing names and addresses of donors, supporters, suppliers, volunteers, trustees, and staff members for the purpose of financial accounting.
2.6 BreatheHR
HR management system storing employee information, names and addresses, details of employment terms such as hours of work. Used to manage people-related functions and processes. It's a self-service system that allows employees to report absences, request holidays, update personal information and more. Managers and HR users control permission-setting tools to grant or restrict employee access to sensitive information. This is key to data and employee information security.
2.7 Volunteero
MEL system storing older people and volunteer contact details. Used to facilitate gathering of evaluation data by means of allowing self-service of missions.
3. Data review schedule
Where possible, automated retention processes should be established in line with data retention schedules (below). Reviews of data will be carried out annually; for example, OPUS will be reviewed to identify and delete any records that no longer meet storage requirements. This process will be carried out for all the systems listed above.
4. Data retention schedules
4.1 Personal and sensitive data (Formstack, OPUS, Office 365)
Type of record | Trigger | Retain for | Action | Retention rationale |
Formstack (online database) | Data collected / Form discontinued | 3 years | Delete | To verify ingestion processes |
Formstack (Excel exports) | File created | 3 years | Delete | To verify ingestion processes |
OPUS record | End of relationship | 5 years | Delete | To meet reporting cycle requirements. |
Emails and documents appended to OPUS records | Record created | Duration of relationship plus 5 years | Delete | Allows for reporting to funders and relationship management after the relationship has ended. |
Hard copies of documents | Record created | Duration of relationship plus 5 years | Dispose securely | Allows for reporting to funders and relationship management after the relationship has ended. |
Together.ly history | Log item date | 5 years | Delete | To meet reporting cycle requirements. |
Safeguarding concerns | At point of notification | 7 years | All information held securely within the O365 framework. | Such allegations do not have to relate solely to Re-engage but can extend to other situations. Once notified the retention period starts, and all data available must be retained. Extension to permanent retention reflects civil law changes allowing for compensation claims involving deceased individuals. |
Volunteero | End of relationship | 5 years | Delete | To meet reporting cycle requirements. |
4.2 Finance data (QuickBooks)
Type of record | Trigger | Retain for | Action | Retention rationale |
BACS | Record created | 7 years | Destroy securely – financial records | Guidance in-line with Limitation Act 1980 +1 year |
Banking records | Record created | 7 years | Destroy securely – financial records | Guidance in-line with Limitation Act 1980 +1 year |
Financial authorities or delegations | Record created | 7 years | Destroy securely – financial records | Guidance in-line with Limitation Act 1980 +1 year |
Funding – accountable grants | Record created | 7 years | Destroy securely – financial records | Guidance in-line with Limitation Act 1980 +1 year |
Authorisation for expenditure | Record created | 7 years | Destroy securely – financial records | Guidance in-line with Limitation Act 1980 +1 year |
Accounts payable / purchase invoicing | Record created | 7 years | Destroy securely – financial records | Guidance in-line with Limitation Act 1980 +1 year |
Accounts receivable / sales invoicing | Record created | 7 years | Destroy securely – financial records | Guidance in-line with Limitation Act 1980 +1 year |
Expenses | Record created | 7 years | Destroy securely – financial records | Guidance in-line with Limitation Act 1980 +1 year |
Capital expenditure | Record created | 7 years | Destroy securely – financial records | Guidance in-line with Limitation Act 1980 +1 year |
Credit control – reconciliation | Record created | 7 years | Destroy securely – financial records | Guidance in-line with Limitation Act 1980 +1 year |
Taxation | Record created | 7 years | Destroy securely – financial records | Guidance in-line with Limitation Act 1980 +1 year |
Legacy records (Hard copy) | Legacy being fulfilled / completed | 7 years | Destroy securely – financial records | Guidance in-line with Limitation Act 1980 +1 year |
Legacy record (electronic copy) | Legacy being fulfilled / completed | 7 years | Destroy securely – financial records | Guidance in-line with Limitation Act 1980 +1 year |
R185 forms (Tax income on estates) (hard copy/ electronic copy) | Receipt of R185 Form | 7 years | Destroy securely – financial records | HMRC guidance for Gift Aid donations |
Gift Aid declarations for ceased donations, or declarations which are no longer valid. Declarations for ongoing donations should be retained. | Record created | 7 years from final donation, or from date Re-engage has been notified the declaration is no longer valid | Destroy securely – personal data and financial records | Limitation Act 1980 |
Donations correspondence | Date of initial correspondence | 7 years, or 13 years if there are payments outstanding or any dispute regarding the deed | Destroy securely – personal data and financial records | Limitation Act 1980 |
Endowments trust | Date of last payment | 7 years | Destroy securely – personal data and financial records | Limitation Act 1980 |
Pensions – investment | Record created | Permanent retention | Destroy securely – financial records | Pensions Act 2004; Occupational Pension Schemes (Scheme Administration) |
Pensions – professional advice | Record created | Permanent retention | Destroy securely – financial records | Regulations 1996; Limitation Act, 1980 |
Financial records | Record created | Permanent retention | Permanent retention | Companies Act 2006; Charities Act 2011 |
Investment certificates | Record created | Permanent retention | Permanent retention | Companies Act 2006; Charities Act 2011 |
Fixed assets register | Record created | Permanent retention | Permanent retention | Companies Act 2006; Charities Act 2011 |
Pension scheme contribution reports | Record created | Permanent retention | Permanent retention | Companies Act 2006; Pensions Act 2004 |
4.3 HR data
Type of record | Trigger | Retain for | Action | Retention rationale |
Recruitment – unsuccessful candidates | Notification of unsuccessful application | 1 year | Destroy securely – personal data | Following Chartered Institute of Personnel and Development (CIPD) guidance of a 1 year retention period to ensure any responses from the unsuccessful candidates are factored in. |
Personnel file; including training, medical records (self-certification for non-work injuries) | End of employment | 6 years | Destroy securely – personal data | Following CIPD guidance 6 to 7 years after employment ceases. |
Employee relations including records of incidents, grievances, and associated meetings | End of employment | 6 years | Destroy securely – personal data | Good practice to retain, non-statutory rationale, but may be unreasonable to refer to expired warnings after two years have elapsed. |
Right to work in the UK checks, including employee work permits and visas | End of employment | 2 years | Destroy securely – personal data | Following Home Office guidance. |
Life assurance – next of kin/expression of wish forms | End of employment | Until the employee has left | Destroy securely – personal data | |
Pensions – details on pension scheme members (future and current pensioners) | Last payment | Indefinitely | Destroy securely – personal data | |
Compensation history: record Pay / minimum wage / NI, job & salary details (incl. pay awards) | 6 years (from pay reference period) | 6 years (from pay reference period) | Destroy securely – personal data | National Minimum Wage Act 1998; Income Tax (Employments) Regulations 1993; Taxes Management Act 1970 |
PAYE: payroll exports, P11d, P60 | 7 years (from pay reference period) | 7 years | Destroy securely | HMRC Guidance |
Family leave: Maternity / paternity / shared parental / adoption leave and pay | 3 years (from end of tax | 3 years (from end of tax year leave ended) | Destroy securely | The Statutory Maternity Pay (General) Regulations 1986; Maternity & Parental Leave Regulations 1999 |
Working time records including overtime, annual holiday, jury service, time off for dependants | Point of record creation | 7 years | Destroy securely | |
Flexible working requests | Once the appeal has been made | 18 months | Destroy securely – personal data | CIPD guidance is 18 months, as a further request cannot be made for 12 months following a request plus allowing for a 6 month tribunal limitation period on top |
Redundancy details, calculations of payments, refunds, notification to the Secretary of State | 7 years (from the date of redundancy) | 7 years (from the date of redundancy) | Destroy securely – personal data | Business Rule |
References | End of employment | 6 years (as part of employment file) | Destroy securely – personal data | Business Rule |
Right to work in the UK checks | End of employment | 3 years after employment ends | Destroy securely – personal data | Home Office recommended practice |
Statutory Sick Pay records, calculations, certificates, self-certificates, occupational health reports | End of the period of sick leave | 7 years | Destroy securely – personal data | |
Termination of employment, for example early retirement, severance or death in service | End of employment | At least 7 years although the ICO's retention schedule suggests until the employee reaches 100 | Destroy securely – personal data | ICO Guidance will influence the updates to this policy in accordance with the policy review schedule. |
Terms and conditions including offers, written particulars, and variations | 7 years after employment ends | Review 6 years after employment ceases or the terms are superseded. | Destroy securely – personal data | The National Archives Retention Scheduling: Employee Personnel Records and CIPD. |
Successful Recruitment Candidate Information | End of employment | 6 months | Destroy | The National Archives Retention Scheduling: Employee Personnel Records and CIPD |
Equality and Diversity Published Information | Last published report | 7 years | Review | Public Sector Equality Duty |
4.4 Legal and Info Gov data
Type of record | Trigger | Retain for | Action | Retention rationale |
Bids and tender documentation (successful) | Award of tender | 7 years | Destroy securely – commercially sensitive | National Archives guidance |
Bids and tender documentation (unsuccessful) | Rejection of tender | 1 year | | |
Data Controller notifications | Date of notification | 1 year | Destroy securely | Evidence of current notification as a data controller under the Data Protection Act 2018 |
Subject access requests (SAR). Anonymised reports / statistics | Last action – record to be marked | 10 years | Destroy securely – personal data | Data Protection Act 2018 |
Subject access requests which resulted in appeals or complaints | Last action – record marked | 10 years | Destroy securely – personal data | |
Contracts with customers, suppliers or agents, licensing agreements, rental or hire purchase agreements, indemnities and guarantees and other agreements or contracts | End of contract | 7 years, 13 years if contract executed as a deed, or 16 years if risk of latent damage. | Destroy securely – financial records | Limitation Act 1980 |
Insurance policies. For insurance policies, summary policy information should be retained permanently (identity of broker and insurer; cover values policy reference number) | Policy end date | 7 years | Destroy securely – financial records; Retain summary policy information on a permanent basis. | Limitation Act 1980 |
Complaints and incidents – no legal matters arising | A resolution being attained | 7 years | Destroy securely – personal data | Limitation Act 1980 |
Directors’ contracts | End of contract | 7 years | Destroy securely – personal data | Limitation Act 1980; Companies Act 2006 |
Fraud cases investigation | Close of investigation | 7 years, 10 years if external action has been taken | Destroy securely – personal data and financial records | 10 years where external action has been taken; otherwise six years after investigation |
Legal case management – from case closure | Date of Case closure | 16 years | Destroy securely – personal data | Limitation Act 1980 |
Legal case management – from case closure Scotland | Date of Case closure | 21 years | Destroy securely – personal data | Limitation Act 1980 |
Employers’ liability insurance certificate | Commencement of policy | 40 years | Destroy securely | Employers’ Liability; (Compulsory Insurance) Regulations 1998 |
Summary information about insurance policies (identity of broker and insurer; cover values policy reference number) | | | Destroy securely | |
Waste electrical equipment records | Date of capture | 4 years | Destroy | Waste Electrical and Electronic Equipment Regulations 2006 |
Health and safety – equipment monitoring | Date of capture | 6 years | Destroy (securely, if records contain personal data) | Limitation Act 1980 |
Health and safety risk assessments | Date of capture | 6 years | Destroy (securely, if records contain personal data) | Limitation Act 1980 |
4.5 Trustee and incorporation data
Type of record | Trigger | Retain for | Action | Retention rationale |
Evidence of agreement to appoint Trustees | Date of appointment | 10 years | Destroy securely – personal data | |
Register of Trustees’ interests | Date of capture | 10 years | Destroy securely – personal data | Best practice, but not a regulatory requirement |
Constitutional documents | Point of creation | Permanent retention | Permanent retention | |
Agendas and minutes of Trustee's Board and its Committees | Date of capture | Permanent retention | Permanent retention | |
4.6 Marketing and communications
Type of record | Trigger | Retain for | Action | Retention rationale |
Advertising / marketing materials | Date of publication | 7 years | Review for permanent retention for reference / heritage value | |
Press releases | Date of publication | 7 years | Review for permanent retention for reference / heritage value | |
Website content | Date of publication | 7 years after removal from website | Review for permanent retention for reference / heritage value | Limitation Act 1980 |
Surveys | Completion of survey | 7 years (where compatible with DPA requirements – may need to aggregate or anonymise responses) | Destroy securely or anonymise – personal data | Limitation Act 1980; Data Protection Act 2018 |