Data Retention Policy
Overview
Key details
- Policy prepared by: Helen Hanbury
- Approved by Board/committee on: September 16, 2018
- Next review date: September 2020
Introduction
This policy sets out how Hertfordshire Community Nurses’ Charity (HCNC) will approach data retention and establishes processes to ensure we do not hold data for longer than is necessary.
It forms part of HCNC’s Data Protection Policy.
Roles and responsibilities
HCNC is the Data Controller and the Trustees are Data Controllers in common. They will determine what data is collected, retained and how it is used. The person responsible for Data Protection for HCNC is Helen Hanbury. She, together with the Trustees are responsible for the secure and fair retention and use of data by HCNC. Any questions relating to data retention or use of data should be directed to the Data Protection Officer.
Regular Data Review
A regular review of all data will take place to establish if HCNC still has good reason to keep and use the data held at the time of the review.
As a general rule a data review will be held about 2 years after the last review. The first review took place on September 16, 2018.
Data to be reviewed
- HCNC stores data on digital documents (e.g. Microsoft word documents) stored on personal devices held by Trustees.
- Data stored on third party online services (e.g. Website)
- Physical data stored at the homes of Trustees
Who the review will be conducted by
The review will be conducted by the person responsible for Data Protection for HCNC along with other Trustees to be decided on at the time of the review.
How data will be deleted
- Physical data will be destroyed safely and securely, including shredding.
- All reasonable and practical efforts will be made to remove data stored digitally.
- Priority will be given to any instances where data is stored in active lists (e.g. where it could be used) and to sensitive data.
- Where deleting the data would mean deleting other data that we have a valid lawful reason to keep (e.g. on old emails) then the data may be retained safely and securely but not used.
Criteria
The following criteria will be used to make a decision about what data to keep and what to delete.
Question | Action | |
---|---|---|
Yes | No | |
Is the data stored securely? | No action necessary | Update storage protocol in line with Data Protection policy |
Does the original reason for having the data still apply? | Continue to use | Delete or remove data |
Is the data being used for its original intention? | Continue to use | Either delete/remove or record lawful basis for use and get consent if necessary |
Is there a statutory requirement to keep the data? | Continue to use | Delete or remove the data unless we have reason to keep the data under other criteria. |
Is the data accurate? | Keep the data at least until the statutory minimum no longer applies | Ask the subject to confirm/update details |
Can the data be anonymised? | Anonymise data | Continue to use |
Statutory Requirements
Data stored by HCNC may be retained based in statutory requirements for storing data other than data protection regulations. This might include but is not limited to:
- Details of payments made and received (e.g. in bank statements and accounting records)
- Trustee meeting minutes
- Contracts and agreements with suppliers/customers
- Insurance details
- Tax and our employment records
Other data retention procedures
Trustee data
- When a Trustee leaves HCNC and all administrative tasks relating to their membership have been completed any potentially sensitive data held on them will be deleted.
- Unless consent has been given data will be removed from all email mailing lists
- All other data will be stored safely and securely and reviewed as part of the next two year review
Freelancer data
- When a freelancer stops working with HCNC and all administrative tasks relating to their work have been completed any potentially sensitive data held on them will be deleted – this might include bank details
- Unless consent has been given data will be removed from all email mailing lists
- All other data will be stored safely and securely and reviewed as part of the next two year review
Data held by individual Trustees
- Any Physical data stored at the homes of Trustees must be returned to the person responsible for Data Protection for HCNC for shredding when they leave the charity.
Other data
- All other data will be included in a regular two year review.