Terms

Polytechnic data retention policy

Introduction
1.1 This policy sets out the policies and procedures of Polytechnic Works and Services Limited (the “company”) with respect to the retention, archiving and deletion of data, whether in hard copy or digital form, and including personal data.

Definitions
2.1 In this policy:

(a) “appointed person” means the individual primarily responsible for handling data retention, archiving and deletion by the company, being the data protection officer of the company;

(b) “data controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

(c) “data processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

(d) “data subject” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(e) “deletion” means the permanent and irreversible deletion of data from all relevant databases and storage media in the possession or control of the company including, where necessary to ensure the deletion of the data, the destruction of the relevant storage media; and

(f) “personal data” means any information relating to a data subject.

Data retention, archiving and deletion
3.1 The company must archive and delete data in its possession and/or control in accordance with schedule 1 (Data retention periods), save as set out in this section 3.

3.2 Notwithstanding the archiving rules set out in this policy, the company may retain non-archived copies of data to the extent that the data is reasonably required in non-archived form for:

(a) the fulfillment of any legal or contractual obligations of the company; and/or

(b) the establishment, exercise or defence of any legal claims.

3.3 The company must not delete data to the extent that:

(a) the company has a legal obligation to retain the data;

(b) the company has a contractual obligation to retain the data (providing that such contractual obligation is not overridden by any legal obligation to delete the data); and/or

(c) the retention of the data is reasonably required for the establishment, exercise or defence of any legal claims (providing that such requirement is not overridden by any legal obligation to delete the data).

3.4 The company must not archive or delete any records to the extent that the legal department of the company has issued a legal hold instruction in relation to such records.

Data subject to contractual deletion obligations
4.1 The following categories of data processed by the company are or may be subject to contractual deletion obligations:

(a) confidential information disclosed to the company by another person under a non-disclosure agreement or the confidentiality provisions of a contract; and

(b) personal data with respect to which the company acts as a data processor.

4.2 Any deletion obligations with respect to confidential information will be set out in the relevant contract, and may vary from contract to contract. The company must comply with those obligations.

4.3 If the company acts as a data processor with respect to personal data, the law requires that the processing contract includes an obligation upon the company to delete the personal data after the end of the provision of services relating to the processing, save to the extent that the law requires storage. All personal data that the company processes on behalf of a data controller will be subject to appropriate deletion obligations taking the law into account, and the company must comply with those obligations.

Reviewing and updating this policy
5.1 The appointed person shall be responsible for reviewing and updating this policy.

5.2 This policy must be reviewed and, if appropriate, updated annually on or around 1 March.

5.3 This policy must also be reviewed and updated on an ad hoc basis if reasonably necessary to ensure:

(a) the compliance of the company with applicable law, codes of conduct or industry best practice;

(b) the security of data stored and processed by the company; or

(c) the protection of the reputation of the company.

5.4 The following matters must be considered as part of each review of this policy:

(a) changes to the legal and regulatory environment;

(b) changes to any codes of conduct to which the company subscribes;

(c) developments in industry best practice;

(d) any new data collected by the company;

(e) any new data processing activities undertaken by the company; and

(f) any security incidents affecting the company.

SCHEDULE 1 (DATA RETENTION PERIODS)

Introduction
1.1 This schedule 1 sets out the periods during which data must be archived and deleted by the company.

1.2 If a data record falls under more than one section of this schedule 1, then the earlier section shall take precedence over the later section, unless the record constitutes a duplicate copy of data that is separately governed by the earlier section.

Permanent data: retention and archiving
2.1 In this policy, “permanent data” means data within the following categories: annual accounts, annual reviews, contracts of historical significance, director and trustee meeting minutes, fixed asset registers, investment certificates and ledger, organisational charts of the company and pension scheme records (including actuarial reports, scheme annual accounts, contribution records, insurance records, investment records, trust deeds and rules and trustee meeting minutes).

2.2 Permanent data must not be deleted.

Corporate data: retention, archiving and deletion
3.1 In this policy, “corporate data” means all records relating to the legal personality, ownership, constitution, Companies House filings and decision-making powers of the company.

3.2 Corporate data must be archived:

(a) not less than 30 days following the end of the financial year in which the relevant decision, filing or transaction occurred; and

(b) not more than 30 years following the end of that year,

subject to subsection 3.2 of the main body of this policy.

3.3 Corporate data must be deleted:

(a) not less than 2 days following the archiving of the data; and

(b) not more than 30 years following that event,

subject to subsection 3.3 of the main body of this policy.

Intellectual property data: retention, archiving and deletion
4.1 In this policy, “intellectual property data” means copies of certificates evidencing the creation and ownership of registered intellectual property rights and domain names by the company, all correspondence with registration authorities relating to registered intellectual property rights and domain names and all correspondence with third parties relating to registered intellectual property rights and domain names, including in each case applications for the same.

4.2 Intellectual property data must be archived:

(a) not less than 30 days following the end of the calendar year in which the relevant registration expires or is revoked; and

(b) not more than 30 years following the end of that year,

subject to subsection 3.2 of the main body of this policy.

4.3 Intellectual property data must be deleted:

(a) not less than 2 days following the archiving of the data; and

(b) not more than 30 years following that event,

subject to subsection 3.3 of the main body of this policy.

4.4 Intellectual property data must be deleted [specify method(s)].

Insurance data: retention, archiving and deletion
5.1 In this policy, “insurance data” means copies of all insurance policies taken out by the company, together with all correspondence with insurers and claims data relating to such policies.

5.2 Insurance data is stored by the company in the following databases: [databases].

5.3 Insurance data must be archived:

(a) not less than 30 days following the later of the end of the calendar year in which the relevant policy expires and the end of the calendar year in which all claims and disputes relating to the relevant policy were concluded; and

(b) not more than 30 years following the end of that year,

subject to subsection 3.2 of the main body of this policy.

5.4 Insurance data must be deleted:

(a) not less than 2 days following the archiving of the data; and

(b) not more than 30 years following that event,

subject to subsection 3.3 of the main body of this policy.

Contract data: retention, archiving and deletion
6.1 In this policy, “contract data” means copies of contracts entered into by the company with a person other than an employee, documents varying such contracts, notices issued under or relating to such contracts and other documents relating to the formation, performance, variation and termination of such contracts.

6.2 Contract data is stored by the company in the following databases: [databases].

6.3 Contract data must be archived:

(a) not less than 30 days following the end of the calendar year in which the relevant contract terminates; and

(b) not more than 30 years following the end of that year,

subject to subsection 3.2 of the main body of this policy.

6.4 Contract data must be deleted:

(a) not less than 2 days following the archiving of the data; and

(b) not more than 30 years following that event,

subject to subsection 3.3 of the main body of this policy.

Customer data: retention, archiving and deletion
7.1 In this policy, “customer data” means all customer relationship management records relating to the customers of the company, including customer identity details, customer identity evidence and customer contact details.

7.2 Customer data must be archived:

(a) not less than 30 days following the end of the calendar year in which the relevant customer contract terminates; and

(b) not more than 30 years following the end of that year,

subject to subsection 3.2 of the main body of this policy.

7.3 Customer data must be deleted:

(a) not less than 2 days following the archiving of the data; and

(b) not more than 30 years following that event,

subject to subsection 3.3 of the main body of this policy.

Service data: retention, archiving and deletion
8.1 In this policy, “service data” means client contracts, statements of work, schedules, client and other third party feedback and relevant correspondence.

8.2 Service data must be archived:

(a) not less than 30 days following the end of the calendar year in which the contract under which the service data is processed expires or terminates; and

(b) not more than 30 years following the end of that year,

subject to subsection 3.2 of the main body of this policy.

8.3 Service data must be deleted:

(a) not less than 2 days following the archiving of the data; and

(b) not more than 30 years following that event,

subject to subsection 3.3 of the main body of this policy.

Electronic communications data: retention, archiving and deletion
9.1 In this policy, “electronic communications data” means email and other electronic communications content data, attachment data and metadata that is in the possession and/or control of the company.

9.2 Electronic communications data must be archived:

(a) not less than 30 days following the end of the calendar year in which the relevant communication was sent; and

(b) not more than 30 years following the end of that year,

subject to subsection 3.2 of the main body of this policy.

9.3 Electronic communications data must be deleted:

(a) not less than 2 days following the archiving of the data; and

(b) not more than 30 years following that event,

subject to subsection 3.3 of the main body of this policy.

Residual data: retention, archiving and deletion
10.1 In this policy, “residual data” means all data not falling into the other categories specified in this schedule 1 that is held by or on behalf of the company.

10.2 Residual data must be archived:

(a) not less than 30 days following the end of the calendar year in which the relevant data was created or collected; and

(b) not more than 30 years following the end of that year,

subject to subsection 3.2 of the main body of this policy.

10.3 Residual data must be deleted:

(a) not less than 2 days following the end of the calendar year in which the relevant data was created or collected; and

(b) not more than 30 years following that event,

subject to subsection 3.3 of the main body of this policy.