Data Retention Policy

Notes:

Within this document we make references to other documents which can be found at the following links:

Midshore Consulting Limited (a member of Midshore Group) is hereinafter referred to as “Us”, “We”, “Midshore”.

Last updated: 11/10/2019

Overview

The need to retain data varies widely with the type of data. Some data can be immediately erased, and some must be retained until reasonable potential for future need no longer exists.

Since this can be somewhat subjective, this retention policy is important to ensure that the company’s guidelines on retention are consistently applied throughout the organisation.

Data controller for the company: Christopher Jehan

Data controller’s email address: christopher@midshoreconsulting.com

Purpose

The purpose of this policy is to specify the company’s guidelines for retaining different types of data.

Scope

The scope of this policy covers all company data stored on company-owned, company-leased, and otherwise company-provided systems and media, regardless of location.

Note that the need to retain certain information can be mandated by local and industry regulations, and retention will comply with the U.S. Privacy Act of 1974, the EU General Data Protection Regulation (GDPR) and the Data Protection (Bailiwick of Guernsey) Law, 2017.

Policy

Reasons for Data Retention

For the general purposes related to continued and safe business with our clients, it is necessary to hold some data. There are various reasons behind this and this document aims to explain those with the aid of our Data Privacy Policy and general Terms & Conditions. Some data, however, must be retained in order to protect the company’s interests, client access, preserve evidence, and generally conform to good business practices.

Some reasons for data retention include:

  • Litigation
  • Accident investigation
  • Security incident investigation
  • Regulatory requirements
  • Intellectual property preservation
  • Client access – both business and personal

Data Duplication

  • Backups
    • We create monthly, weekly and daily backups of all our systems so that in the event of a systems failure we are able to restore data accurately and efficiently
    • These backups are stored onsite for daily and weekly backups and offsite for monthly backups on an encrypted drive.
  • Sharing with approved partners
    • This will only happen when pre-approved and in order to complete schedules outlined within consultation agreements.
  • Midshore Online Training
    • Some information is duplicated on our Midshore Online Training (MOT) platform; this will only be done should you engage with Midshore for online training.

Retention Requirements

This section sets guidelines for retaining the different types of company data.

  • Personal customer data:
    • Personal data will be held for as long as the individual is a customer of the company plus 5 years.
  • Client Relationship Data
    • This will be held for 5 years after the end of the client relationship
  • Personal employee data:
    • General employee data will be held for the duration of employment and then for 5 years after the last day of contractual employment.
    • Employee contracts will be held for 5 years after last day of contractual employment.
    • Tax payments will be held for 6 years.
    • Records of leave will be held for 3 years.
    • Recruitment details:
      • Interview notes, CVs and supporting documentation, including Criminal Record Checks, of unsuccessful applicants will be held for 1 year after interview.
  • Planning data:
    • 5 years.
  • Health and Safety:
    • 5 years for records of major accidents and dangerous occurrences.
  • Public data:
    • Public data will be retained for 3 years.
  • Operational data: Most company data will fall in this category.
    • Operational data will be retained for 5 years.
  • Critical data including Tax and VAT:
    • Critical data must be retained for 6 years.
  • Confidential data:
    • Confidential data must be retained for 7 years.

Retention of Encrypted Data

If any information retained under this policy is stored in an encrypted format, consideration must be given to secure storage of the encryption keys.
Encryption keys must be retained as long as the data that the keys decrypt is retained.

Data Destruction

Data destruction is a critical component of a data retention policy. Data destruction ensures that the company will use data efficiently thereby making data management and data retrieval more cost effective.

When the retention timeframe expires, the company must actively destroy the data covered by this policy. If a user feels that certain data should not be destroyed, he or she should identify the data to his or her supervisor so that an exception to the policy can be considered. Since this decision has long-term legal implications, exceptions will be approved only by a member or members of the company’s management team.

The company specifically directs users not to destroy data in violation of this policy. Destroying data that a user may feel is harmful to himself or herself, or destroying data in an attempt to cover up a violation of law or company policy, is particularly forbidden.

Applicability of Other Policies

This document is part of the company’s cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.

Enforcement

This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

IT Manager: Sam du Feu
IT Manager email: sam@midshoreconsulting.com

Definitions

Backup: To copy data to a second location, solely for the purpose of safe keeping of that data.
Encryption: The process of encoding data with an algorithm so that it is unintelligible and secure without the key. Used to protect data during transmission or while stored.
Encryption Key: An alphanumeric series of characters that enables data to be encrypted and decrypted.