Data Retention

1. Purpose, Scope and Users
This policy sets the required retention periods for specified categories of personal data and sets out the minimum standards to be applied when destroying certain information within UCM Education (henceforth called the “Company”).
This Policy applies to all business units, processes and systems in all countries in which the Company conducts business and has dealings or other business relationships with third parties.
This Policy applies to all Company officers, directors, employees, agents, affiliates, contractors, consultants, advisors or service providers that may collect, process, or have access to data (including personal data and/or sensitive personal data). It is the responsibility of all of the above to familiarise themselves with this policy and ensure adequate compliance with it.
This policy applies to all information used at the Company. Examples of documents include:
• Emails
• Hard copy documents
• Soft copy documents
• Video and audio
• Data generated by physical access control systems

2. Reference Documents
UK General Data Protection Regulation (UKGDPR)
Data Protection Act 2018
UCM Data Protection & Processing Policy


3. Retention Rules

3.1 Retention General Principle

For any category of document not specifically defined elsewhere in this policy (and in particular within the Data Retention Schedule, below) or otherwise mandated differently by applicable law, the required retention period for personal data will be two years from the date of creation of the document and/or data.

3.2 General Retention Schedule

The Data Protection Officer defines the time period for which documents and electronic records should be retained through the Data Retention Schedule.

As an exemption, retention periods within the Data Retention Schedule can be prolonged in cases such as:
• Records of personal data are needed by the Company to prove compliance with any legal requirements
• When exercising legal rights in cases of lawsuits or similar court proceedings recognised under local law

3.3 Safeguarding of Data During Retention Period

The possibility that data media used for archiving will wear out shall be considered. If electronic storage media are chosen, any procedures and systems ensuring that the information can be accessed during the retention period (both with respect to the information carrier and the readability of formats) shall also be stored in order to safeguard the information against loss as a result of future technological changes. The responsibility for the storage falls to the Data Protection Officer.

3.4 Destruction of Data

The Company and its employees should, on a regular basis, review all data, whether held electronically on their device or on paper, to decide whether to destroy or delete any data once the purpose for which those documents were created is no longer relevant. See Appendix for the retention schedule. Overall responsibility for the destruction of data falls to the Data Protection Officer.

Once the decision is made to dispose according to the Data Retention Schedule, the data should be deleted, shredded or otherwise destroyed to a degree equivalent to their value to others and their level of confidentiality. The method of disposal varies and is dependent upon the nature of the document. For example, any documents that contain sensitive or confidential information (and particularly sensitive personal data) must be disposed of as confidential waste and be subject to secure electronic deletion. Some expired or superseded contracts may only warrant in-house shredding. The Document Disposal Schedule section below defines the mode of disposal.

In this context, the employee shall perform the tasks and assume the responsibilities relevant for the information destruction in an appropriate way. The specific deletion or destruction process may be carried out either by an employee or by an internal or external service provider that the Data Protection Officer subcontracts for this purpose. Any applicable general provisions under relevant data protection laws and the Company’s Data Protection Policy shall be complied with.

Appropriate controls shall be in place to prevent the permanent loss of information essential to the Company as a result of malicious or unintentional destruction of information. These controls are described in the company’s IT Security Policy.

The Data Protection Officer shall fully document and approve the destruction process. The applicable statutory requirements for the destruction of information, particularly requirements under applicable data protection laws, shall be fully observed.

3.5 Breach, Enforcement and Compliance

The Data Protection Officer is the person appointed with the responsibility for Data Protection and has the responsibility to ensure that each of the Company’s offices complies with this policy. It is also the responsibility of the Data Protection Officer to assist any local office with enquiries from any local data protection or governmental authority.

Any suspicion of a breach of this policy must be reported immediately to the Data Protection Officer. All instances of suspected breaches of the policy shall be investigated and action taken, as appropriate.

Failure to comply with this policy may result in adverse consequences, including, but not limited to, loss of customer confidence, litigation and loss of competitive advantage, financial loss and damage to the Company’s reputation, personal injury, harm or loss. Non-compliance with this policy by permanent, temporary or contract employees, or any third parties who have been granted access to Company premises or information, may therefore result in disciplinary proceedings or termination of their employment or contract. Such non-compliance may also lead to legal action against the parties involved in such activities.

4. Document Disposal

4.1 Routine Disposal Schedule

Records which may be routinely destroyed unless subject to an on-going legal or regulatory inquiry are as follows:
• Announcements and notices of day-to-day meetings and other events, including acceptances and apologies
• Requests for ordinary information such as travel directions
• Reservations for internal meetings without charges or external costs
• Transmission documents such as letters, fax cover sheets, email messages, routing slips, compliments slips and similar items that accompany documents but do not add any value
• Message slips
• Superseded address lists, distribution lists and any list no longer in use
• Duplicate documents such as CC and FYI copies, unaltered drafts, snapshot printouts or extracts from databases and day files
• Stock in-house publications which are obsolete or superseded
• Trade magazines, vendor catalogues, flyers and newsletters from vendors or other external organisations

In all cases, disposal is subject to any disclosure requirements which may exist in the context of litigation.

4.2 Destruction Method

Level I documents are those that contain information that is of the highest security and confidentiality and those that include any personal data. These documents shall be disposed of as confidential waste (cross-cut shredded and incinerated) and shall be subject to secure electronic deletion. Disposal of the documents should include proof of destruction.

Level II documents are proprietary documents that contain confidential information such as parties’ names, signatures or addresses, or which do not contain any personal data but could be used by third parties to commit fraud. These documents should be cross-cut shredded and then placed into locked rubbish bins for collection by an approved disposal firm, and electronic documents will be subject to secure electronic deletion.

Level III documents are those that do not contain any confidential information or personal data and are published Company documents. These should be strip-shredded or disposed of through a recycling company and include, among other things, advertisements, catalogues, flyers and newsletters. These may be disposed of without an audit trail.

5. Managing Records Kept on the Basis of this Document

Record name | Storage location | Person responsible for storage | Controls for record protection | Retention time
Data Retention Schedule | Data Protection Officer’s Google Drive | Data Protection Officer | Only authorised persons may access this document | Permanent

6. Validity and Document Management

This document is valid as of September 2021.

The owner of this document is the Data Protection Officer who must check and, if necessary, update the document at least once a year.

7. Appendix – Data Retention Schedule

7.1 Financial Records
PERSONAL DATA RECORD CATEGORY | MANDATED RETENTION PERIOD | RECORD OWNER
Payroll records | 7 years after audit | Finance
Supplier contracts | 7 years after contract is terminated | Finance
Chart of Accounts | Permanent | Finance
Fiscal Policies and Procedures | Permanent | Finance
Permanent Audits | Permanent | Finance
Financial statements | Permanent | Finance
General Ledger | Permanent | Finance
Investment records (deposits, earnings, withdrawals) | 7 years | Finance
Invoices | 7 years | Finance
Cancelled checks | 7 years | Finance
Bank deposit slips | 7 years | Finance
Business expenses documents | 7 years | Finance
Check registers / books | 7 years | Finance
Property / asset inventories | 7 years | Finance
Credit card receipts | 3 years | Finance
Petty cash receipts/documents | 3 years | Finance

7.2 Business Records
PERSONAL DATA RECORD CATEGORY | MANDATED RETENTION PERIOD | RECORD OWNER
Article of Incorporation to apply for corporate status | Permanent | Finance
Board policies | Permanent | Finance
Board meeting minutes | Permanent | Finance
Tax or employee identification number designation | Permanent | Finance
Office and team meeting minutes | 2 years | Finance
Annual corporate filings | Permanent | Finance

7.3 HR: Employee Records
PERSONAL DATA RECORD CATEGORY | MANDATED RETENTION PERIOD | RECORD OWNER
Disciplinary, grievance proceedings records, oral/verbal, written, final warnings, appeals | As per legal requirement | HR
Applications for jobs, interview notes – recruitment / promotion panel Internal – where the candidate is unsuccessful | Deleted immediately | HR
Applications for jobs, interview notes – recruitment / promotion panel Internal – where the candidate is successful | Duration of employment | HR
Payroll input forms, wages/salary records, overtime/bonus payments, payroll sheets, copies | 7 years | HR
Bank details – current | Duration of employment | HR
Payroll / wages | 4 years | HR
Job history including staff personal records: contract(s), T & Cs; right to work checks; previous service dates; pay and pension history, pension estimates, resignation/termination letters | As per legal requirement | HR
Employee address details | Duration of employment | HR
Expense claims | As per legal requirement | HR
Annual leave records | Duration of employment | HR
Accident books. Accident reports and correspondence | As per legal requirement | HR
Certificates and self-certificates unrelated to workplace injury; statutory sick pay forms | As per legal requirement | HR
Pregnancy/childbirth certification | As per legal requirement | HR
Parental leave | Duration of employment | HR
Maternity pay records and calculations | As per legal requirement | HR
Redundancy details, payment calculations, refunds, notifications | As per legal requirement | HR
Training and development records | Duration of employment | HR



7.4 Contracts
PERSONAL DATA RECORD CATEGORY | MANDATED RETENTION PERIOD | RECORD OWNER
Signed | Permanent | Finance
Contract amendments | Permanent | Finance
Successful tender documents | Permanent | Finance
Unsuccessful tender documents | Permanent | Finance
Tender – user requirements, specification, evaluation criteria, invitation | Permanent | Finance
Contractors’ reports | Permanent | Finance
Operation and monitoring, e.g. complaints | Permanent | Finance



7.5 Candidate & Client Data

Once a client/candidate requests all records to be deleted, data will be removed from the back-ups within 9 months. All records will be deleted when a candidate/client is inactive with UCM Education for 2 years.
PERSONAL DATA RECORD CATEGORY | MANDATED RETENTION PERIOD | RECORD OWNER
Platform data – inclusive of video data, comments, attachments, profile picture, email address, first and second name | Retained whilst candidate/client remains registered with UCM Education or deleted by user. | Customer
CRM data – inclusive of name, email address, mobile number, address, emails and phone call summaries, DPO information | Retained whilst client/candidate remains registered with UCM Education or deleted by user. Once a client / candidate requests all records to be deleted, data will be removed from the backups within 9 months. All records will be deleted when a candidate/client is inactive with UCM Education for 2 years. | Support


7.6 Non-Client/Candidate Data
PERSONAL DATA RECORD CATEGORY | MANDATED RETENTION PERIOD | RECORD OWNER
Name, email address | Kept until person unsubscribes / requests to be removed from system | Marketing & Sales


7.7 IT

PERSONAL DATA RECORD CATEGORY | MANDATED RETENTION PERIOD | RECORD OWNER
Recycle bins | Cleared monthly | Individual employee
Downloads | Cleared monthly | Individual employee
Inbox | All emails containing PII attachments deleted after 3 years | Individual employee
Deleted emails | Cleared monthly | Individual employee
Local drives & files | Moved to network drive monthly, then deleted from local drive | Individual employee
Google Drive, Dropbox | Reviewed quarterly; any documents containing PII deleted after 3 years | Individual employee