Records Retention and Disposal Policy

Document owner: Lindsey Reeves
Version: V2
Date: 1 July 2024
Document classification: Official

Contents

  1. Introduction
  2. Objectives
  3. Scope
  4. Responsibilities
  5. Destruction of records
  6. General records/weeding
  7. Compliance
  8. Policy review

1. Introduction

As part of delivering our services, we collect and record data (information).  Some of this data may be personal data.

The General Data Protection Regulation (GDPR) states that we should not hold personal data longer than is absolutely necessary.  It also says that we should set time limits for how long we store data and destroy data on a regular basis.

Under the Freedom of Information Act we must both have and put into practice a records retention and disposal policy.  You can find out more information in the Code of Practice document.  We publish our record retention schedules on the data protection page on our website.


2. Objectives

The aim of this policy is to:

  • provide a framework for making decisions on the retention of information
  • prevent the premature destruction of records
  • provide consistency for the destruction of those records no longer needed
  • promote improved records management practices
  • protect personal rights as required by law


3. Scope

This policy applies to all documents we keep as a record of the council’s actions and contacts with the public and staff.  It covers records in all formats, paper or electronic, including emails, letters, photographs, databases, spreadsheets and recordings.

It applies until the data is either destroyed or, in the case of data of historic importance, transferred to West Sussex Public Records Office.

All staff must follow this policy.  This includes agency staff, contractors, and councillors.

All staff should read this policy along with the:

  • record retention schedules
  • information security policy
  • privacy policy
  • data protection policy
  • data subject access request policy


4. Responsibilities

All staff are responsible for:

  • following procedures and guidance for managing, keeping, and disposing of records
  • only disposing of records as per the requirements outlined within this policy, provided they have the authority to do so
  • ensuring that any proposed change from this policy is authorised
  • reporting security incidents and breaches of this policy as soon as possible via the breaches form

Team leaders/managers are responsible for ensuring:

  • their team implement this policy
  • record keeping systems are in place to enable identification of records due for disposal
  • written procedures are in place for records management, retention and disposal
  • that staff or systems routinely identify and review records due for disposal to make sure we no longer need the records
  • any change from this policy is authorised
  • that they send any changes to the information management team
  • staff are aware of policies to keep and dispose of records
  • staff dispose of records by following this policy
  • disposal of records considers their sensitivity, security classification and what media or format they are
  • disposal of IT equipment and storage media follows the guidelines of the IT security policy
  • staff find and transfer any records of potential historic interest or research value to West Sussex County Council’s Record Office with their agreement
  • a disposal register is kept showing the process of disposal
  • contractual arrangements follow this policy


5. Destruction of records

We must destroy all data 6 financial years after we no longer need it.  This is based on the last entry or the account closure as per Section 2 of the Limitation Act 1980.

The only exceptions are:

  • there is a different retention period within the directorate record retention schedule
  • a business case to keep the data for longer is presented and agreed

If there is the possibility of legal action, we should not amend or dispose of the records until we are sure that this is no longer a threat.

We should make sure that we destroy data on time, using the timescales in the record retention schedule, as keeping unnecessary personal data is unlawful.  This extra data also costs us money and makes searching for records less efficient.

Every department should review records marked for destruction to make sure they destroy nothing of value.  Each department must keep a register that shows which records they destroy.

The register should:

  • not hold any personal or sensitive data other than the name of the person the record relates to
  • hold enough data to show which records were destroyed and when

An example table is below:

Sample record destruction log

Name | What was destroyed | When was it destroyed


6. General records/weeding

Not all data we create has long-term value.  Our record retention schedules do not include redundant, obsolete or trivial (ROT) information.  Every department should destroy ROT data as part of routine housekeeping.  Approval or sign-off is not required for the deletion of ROT data.

Weeding is the process of removing out of date or inaccurate data from the records.

Weeding does not apply to corporate records included on the record retention schedules, which should only be destroyed when they have reached the end of their retention period.

We should weed data for 2 reasons:

  1. To make sure we are not wasting money or space, either digital or physical, by storing ROT data.
  2. To make the process of reviewing and appraising data easier – sifting through low-value data makes this process more time consuming.

Below are common examples of data which is usually of limited value when not in use.  We can usually weed this data.  This is not an exhaustive list.

  • Drafts – these lose value and can become outdated once there is a final published version.  You can keep a draft to show how you made the final decision where there are significant changes or deviations.
  • Duplicates – we should not keep any duplications.  Duplications can lead to multiple versions of information which can cause confusion.
  • Research material – whether developing policy or preparing to give advice, you may create or collect research material such as notes or copies of guidance from external organisations.  The value of this data decreases once you have created the published version.
  • Limited long-term operational value – sometimes data only has importance for a short period of time and then becomes redundant.  You should weed this data as soon as you no longer need it.

We should do weeding on a regular basis to make sure that clutter does not build up over time.  It is up to each team to decide a reasonable schedule for housekeeping, based on their resources and the amount of data they generate.  Information Asset Owners (Group Heads of Service) should encourage weeding on a regular basis.

Regardless of the system that holds the data, weeding should cover all data a department stores.


7. Compliance

The Corporate Management Team and the Group Head of Law and Governance will check across the council for compliance with this policy.  This may include random and scheduled checks.

The council will act appropriately to remedy any breach of this policy.  We may use the council's disciplinary procedures in the case of staff non-compliance.

A breach of this policy can be defined as an event which could have or has resulted in loss or damage to the council’s assets, or an event which is in breach of the council’s security policies and procedures.


8. Policy review

This policy will be reviewed annually by the Data Protection Officer and every 3 years by the Corporate Support Committee.