Document Retention: How stored documents could harm your business
Are you a hoarder when it comes to business documents? Are your filing cabinets and drawers overflowing with paper? Do you store electronic devices such as hard drives and laptops containing confidential documents after they are no longer needed?
If you answered yes to any of these questions, then it’s definitely time for you to reconsider your workplace document retention policy. And you’re not alone.
Poor handling of information by the British Transport Police (BTP) is putting the safety of the public and the police at risk, according to a report by the BBC earlier this month. A whistleblower told the news service that the BTP has some 10,000 boxes of personal information in storage, dating back at least eight years. A similar number of intelligence reports stored electronically were to be deleted but are still on the system, the report said.
Also this month, the ICO issued a warning to shoe retailer Office after a hack into a historical database exposed the personal information of over one million customers. Not only was the information unencrypted but it was stored on a less secure server outside the company’s core server infrastructure.
A clear document retention policy is the best way to ensure that the confidential information of your customers, employees and other stakeholders is protected. Without this in place, organisations of all sizes risk the legal, financial and reputational damage of a security breach.
Although there are no specific minimum or maximum periods for retaining personal data under the Data Protection Act, the legislation does set standards that you must meet before you can use (or ‘process’) this information.
The DPA is governed by eight principles, of which principles 3, 4 and 5 are particularly relevant to document retention. Together they make you responsible for ensuring that any personal data you hold is adequate, relevant, accurate, up to date and not excessive, and that it is not kept for longer than is necessary for the purpose for which it was originally collected.
Here are some tips for putting a document retention policy in place:
- Set out your own guidelines for how long certain key types of documents that you produce in your business should be held
- Follow established guidelines to the letter when keeping official data for specific purposes (for example, tax records, banking information, company records); if you are unsure, contact the ICO and/or your relevant trade organisation for their recommended retention periods
- Consider the purpose you hold the data for when deciding whether (and for how long) you need to retain it
- Put in place secure destruction procedures for deleting/destroying information that is no longer needed
- Delete, update or archive information if it goes out of date
- Carry out regular reviews so that the retention policy stays up to date and reflects changing business needs and new legislation
Shred-it has developed this guide to document retention which suggests some recommended minimum retention periods for various types of documents. Want to know more about information security and developments in the industry? Join the conversation @Shredit_UK on Twitter.