Purpose
This policy sets out the required processes that all SSAFA employees and volunteers must adhere to when creating, holding, using, retaining and disposing of information and data, in all forms
(paper-based copies, digital and online records).
Scope
This policy applies to any person directly employed, contracted, working on behalf of the Charity or volunteering with the Charity.
Responsibilities
Information Asset Owners identified within the data retention schedule are responsible for:
- Ensuring that all applicable records are listed and that retention periods are accurate;
- Approving the retention periods; and
Ensuring that personal data is retained in accordance with the schedule; is reviewed before disposal and appropriately disposed of/destroyed at the end of the retention period.
Retention of Records
Data protection law does not set specific time limits for the retention of different types of personal information. It is up to each organisation’s data controllers to set their own retention periods. These will depend on how long the information is required in relation to the specified purposes for which it has been collected and how long it needs to be held. For SSAFA, those decisions will be made by the Information Asset Owners shown within the schedule.
Decisions relating to the retention and disposal/deletion of personal data, or any other information should be taken with reference to the Schedule (as set out in this policy).
In all cases where the retention period recommended in the Schedule for specific types or items of personal information has expired, a review must be carried out prior to disposal, and consideration should be given as to the most appropriate method of secure deletion or disposal.
In certain circumstances an individual may exercise their right to be erased or forgotten from an organisation’s data records. Anyone receiving such a request should be directed to/seek guidance from the Data Governance Manager in the first instance prior to any action being taken.
Disposal/ Destruction of Records
All paper documents containing personal information should be disposed of confidentially and securely either by shredding or by using confidential waste bins or sacks. Such documents may include, but are not limited to, those containing names and contact details, verification documents, health-related information and financial information.
Electronic or digital communications including emails, digital versions of advertising and marketing collateral, Facebook pages, twitter accounts, photography, videos etc. and all other information stored digitally should also be reviewed regularly and if no longer required should be closed and/or permanently deleted. It is understood that the word “deletion” can mean different things in relation to electronic data, and that it is not always possible to erase all traces of it. However, the requirement is to delete the data or information record ‘beyond use’, so it will normally be sufficient simply to delete the information, with no intention of it ever being used or accessed again by anyone. In addition to deleting personal information from a live system, it should also be deleted from any back- up records of that system.
Retention of records for archiving, research or statistical purposes
Personal information can be kept indefinitely if held only for archiving purposes in the public interest; scientific or historical research purposes; or statistical purposes. There must be appropriate safeguards in place to protect individuals - for example, in some cases pseudonymisation may be appropriate. If retaining personal information for archiving purposes, it must not be used for any other purposes. In cases where archiving is considered appropriate the Data Governance Manager should be consulted for advice.
Data Retention Schedule
Use the following tables to find the types of personal data with specific retention requirements.
(Use keyboard arrows to move across columns)
| Type of Record | Microsoft Sensitivity Label Name | Retention Period | Reason for Retention Period | Information Asset Owner |
| Social Work and Welfare Support Records | ||||
|
Children in Need Case files which have: a) CiN meetings b) CiN plan Records of one-off contact/consultations |
Child in Need Case File | Last Entry +35 years | Statute of Limitations Act | Director of Social Care Operations |
|
Parenting skills long term sickness compassionate posting |
Parenting Skills | Last Entry +1 year | Departmental Policy | Director of Social Care Operations |
|
Child protection case files which have: a) Conference minutes b) Core assessment c) Investigation d) CP Plans |
Child Protection Case File | Last Entry +35 years | Statute of Limitations Act | Director of Social Care Operations |
|
Child Protection files: a) initial assessment b) advice only |
Child Protection Initial Assessment | Last Entry +7 years | Statute of Limitations Act | Director of Social Care Operations |
| Child Protection files referral investigated and found to be malicious or unfounded / unproven | Child Protection Referral Malicious or Unfounded | Last Entry +3 years | Children Act 1989 | Director of Social Care Operations |
| Looked after children | Looked After Child | Personal information retained for 100 years then destroyed | Adoption and Children Act 2002 | |
| PS&SWS-RAF | ||||
| Consultation - Record of one-off contacts | PS and SWS Consultation | Last Entry +1 year | Service Policy | Director of Social Care Operations |
| Referral - Process involving individual case management in the provision of support by SSAFA | PS and SWS Referral | Last Entry +6 years | Statute of Limitations Act | Director of Social Care Operations |
| Referral with assessment or report | PS and SWS Referral with Assessment or Report | Last Entry +6 years | Statute of Limitations Act | Director of Social Care Operations |
| Referral that involves supporting a Child in Need or Child Protection Plan | PS and SWS Referral – CiN or Child Protection | Last Entry +6 years | Statute of Limitations Act | Director of Social Care Operations |
| Adoption Services | ||||
| Initial enquiry | Adoption Initial Enquiry | Data is kept for up to two years following an initial enquiry before being destroyed. | Adoption Agencies Regulation 2005 | Director of Social Care Operations |
| Where an assessment of a prospective adopter does not conclude with an Adoption Order | Adoption Assessment Result No Adoption Order | The Agency must destroy the records after a period of 10 years other than those where there is an issue of safeguarding importance which will be kept for 50 years. | Adoption Agencies Regulation 2005 | Director of Social Care Operations |
| Where a case does result in the granting of an Adoption Order | Adoption Case Adoption Order Granted | Retained for 100 years | Adoption and Children Act 2002 | Director of Social Care Operations |
| Schedule 1 offenders | Schedule 1 Offender | Date of birth +75 years | Children Act 1989 | Director of Social Care Operations |
| Young person’s files Foster carers files |
|
Date of birth +75 years or 15 years after death of child (where child under 18 years) | Reg 50 of care planning and case review (England) regs 2010 | Director of Social Care Operations |
| Children and young people subject to supervision orders | Child Subject to Supervision Order | Age 18 years +3 Years | Adoption and Children Act 2002 | Director of Social Care Operations |
| Approved foster carers | Approved Foster Carer File | Closure +75 years | Fostering regulations 2002 | Director of Social Care Operations |
| Placements record of accidents | Accident Placement Record | Last entry +15 years and then review | Fostering service (England) regulations 2011. Care planning regulations | Director of Social Care Operations |
| Foster carer files | Foster Carer File |
Age 18 +none Minimum 10 years from approval |
Fostering service (England) regulations 2011. Care planning regulations | Director of Social Care Operations |
| Enquiries/applications to become foster parents which do not lead to approval | Foster Parent Enquiries and Applications | Minimum 3 years from refusal or withdrawal, then review | Fostering service (England) regulations 2011. Care planning regulations | Director of Social Care Operations |
| Service users who have had the provision of advice and information only. | Service User Advice and Information Only | Last action + 5 years | Fostering service (England) regulations 2011. Care planning regulations | Director of Social Care Operations |
| Processes involved in assessing and providing individual support for children who have special educational or welfare needs | Child Assessment of SEN or Welfare Needs | Destroy 35 years from closure | Common Practice | Director of Social Care Operations |
| Short Break records | Short Break Record | 12-months after the end of the Short Break | Operational department requirement | Director of Social Care Operation |
| Employment Information | ||||
| Employment records | N/A | 6 years + the current financial year after the employee has left | Limitation Act 1980 | Director of People |
| Personnel files including training records and notes of disciplinary and grievance hearings | N/A |
6 years + the current financial year after the employee has left | Limitation Act 1980 | Director of People |
| Pay and benefits input information | N/A |
6 years from the end of the tax year to which they relate | Taxes Management Act 1970 | Director of People |
| Criminal record disclosure Certificates | N/A |
No longer than is necessary after a recruitment decision is made | Disclosure & Barring Service guidance, any retention will allow for the consideration and resolution of disputes or complaints. | Director of People |
| Application forms/interview notes | N/A |
1 year from the date the vacancy is filled for unsuccessful candidates. 6 years + the current financial year after the employee has left for successful candidates | Discrimination Acts and Limitation Act 1980 | Director of People |
| Facts relating to redundancies | N/A |
6 years from the date of redundancy | Limitation Act 1980 | Director of People |
| Income Tax and NI Returns, including correspondence with tax office | N/A |
At least 3 years after the end of the financial year to which the records related | Income Tax (Employment) Regulations 1993 | Director of People |
| Statutory Maternity Pay records and calculations | N/A |
3 years after the end of the tax year in which the maternity period ends minimum but likely to be 6 years + the current financial year after the employee has left | Statutory Maternity Pay (General) Regulations 1986 | Director of People |
| Statutory Sick Pay records and calculations | N/A |
6 years + the current financial year after the employee has left | Limitation Act 1980 | Director of People |
| Accident books, and records and reports of accidents | N/A |
3 years after the date of the last entry | Social Security (Claims and Payments) Regulations 1979; RIDDOR 1985 |
Director of People |
| Health Records | N/A |
6 years + the current financial year after the employee has left | Discrimination Acts and Limitation Act 1980 | Director of People |
| Beneficiary Records | ||||
|
Contact notes Risk and other assessments Form A Referral forms |
N/A |
6 years after the end of service delivery relationship plus the current financial year | HMRC requirement | Director of Volunteer Operations |
| Volunteers | N/A |
Director of Volunteer Operations | ||
| Details of applicants not recruited | N/A |
No longer than 6-months after the volunteer decides he/she does not wish to join | Operational department requirement | Director of Volunteer Operations |
| Accident, injury or incident reports | N/A |
Three years for accident records and 40 years for any health-related records (i.e. asbestos surveys | Health and Safety Executive | Director of Volunteer Operations |
| Initial application form and contact details | N/A |
3 years after leaving SSAFA | Operational department requirement | Director of Volunteer Operations |
| Volunteer complaints and or grievances | N/A |
3 years after completion of the investigation | Financial Conduct Authority | Director of Volunteer Operations |
| Training records | N/A |
Destroy as soon as notified that the volunteer is leaving | Operational department requirement | Director of Volunteer Operations |
| Vetting decisions | N/A |
3 years after leaving SSAFA | Operational department requirement | Director of Volunteer Operations |
| Conflicts of interest register for trustees | N/A |
5 years from the date on which the record was made. | Financial Conduct Authority | Director of Volunteer Operations |
| Volunteer expenses | N/A |
6 years from the end of the tax year to which they relate | Taxes Management Act 1970 | Director of Volunteer Operations |
| Fundraising | ||||
| Donations | N/A |
6 years + the current financial year | HMRC requirement | Director of Fundraising/ Marketing/ Communications |
| Legacies | N/A |
15 years from financial year file was closed | Operational department requirement | Director of Fundraising/ Marketing/ Communications |
| Donor/supporter indicates intention to leave a gift in a will or notification of possible legacy | N/A |
From date of notification to One hundred and ten (110) years. | Operational department requirement | Director of Fundraising/ Marketing/ Communications |
| Analyse performance of fundraising over time and future targeting. | N/A |
Indefinitely | UK GDPR (Anonymised data for statistical purposes) | Director of Fundraising/ Marketing/ Communications |
| Managing unsubscribes | N/A |
Indefinitely | UK GDPR (Anonymised data for statistical purposes) | Director of Fundraising/ Marketing/ Communications |
| Suppression when renting 3rd party data | N/A |
Indefinitely | UK GDPR (Anonymised data for statistical purposes) | Director of Fundraising/ Marketing/ Communications |
| Website data | N/A |
6 months, personal information on website database must be deleted after 6-months | Operational department requirement | Director of Fundraising/ Marketing/ Communications |
| Declarations (gift aid etc.) | N/A |
6 years in case of an audit: These records must provide a clear link between the donor, declaration and donation. | HMRC requirement | Director of Fundraising/ Marketing/ Communications |
| Marketing & Communications | ||||
| Crisis communications log | N/A |
Partial destruction, note of name and address kept after four years – total destruction after 10 years | Operational department requirement | Director of Fundraising/ Marketing/ Communications |
| Case study log | N/A |
Partial destruction, note of name and address kept after four years – total destruction after 10 years | Operational department requirement | Director of Fundraising/ Marketing/ Communications |
| Case study information/ stories for publicity and fundraising purposes; including all consent files, photos and videos | N/A |
Held for 2 years, then removed from all marketing channels | Operational department requirement/ best practice | Director of Fundraising/ Marketing/ Communications |
| Email marketing records on DotDigital | N/A |
Manual deletion of email lists every six months | UK GDPR requirement | Director of Fundraising/ Marketing/ Communications |
| SSAFA Housing | ||||
| Applications and registration forms | N/A |
7 months after applicant is notified of outcome, or, in the case of people taking up residency: 5 years after departure or, in the case of a child protection issue, until the youngest child reaches 18 years of age or 7 years after death or other departure | Operational department requirement | Chief Operating Officer |
Hard copies of Residents Induction/ Sign up pack. |
N/A |
5 years | Operational department requirement | Chief Operating Officer |
| Prospective residents who are not admitted | N/A |
3 years after the last action | Operational department requirement | Chief Operating Officer |
| Accident and injuries report and records | N/A |
6 years from time of accident occurring | Operational department requirement | Chief Operating Officer |
| Files relating to Steppingstone homes family in residence | N/A |
5 years after departure or, in the case of child protection issues, until the youngest child reaches 18 years of age | Operational department requirement | Chief Operating Officer |
| Facilities | ||||
| TDSI | N/A |
Data is deleted by the administrator when the building pass is handed in and no longer required. | Operational department requirement | Chief Operating Officer |
Corporate Governance Records Management
The Companies Act 1985 requires certain statutory records and registers to be kept for the life of the company, such as the Memoranda and Articles of Association, copies of all resolutions filed at Companies House, minutes of board and shareholder meetings and the registers of directors/secretaries.
| Record Type | Record Description | Retention Period | Reason/ Further Guidance | Information Asset Owner | |
|---|---|---|---|---|---|
| Governing/ Constitutional Documents |
Certificates of Incorporation Constitution, Trust Deed, Memorandum and Articles of Association, Royal Charter, Charity
Commission schemes/orders |
Permanent | Charities Act 2011, Companies Act 2006 |
Controller | |
| Board meetings |
Board meetings, AGMs, Special Committee meetings |
Permanent |
Companies Act 2006 |
Controller |
|
| Trustee appointments |
Appointment notices, election results, signed contracts, trustee declarations |
Permanent |
Charities Act 2011, Companies Act 2006 |
Controller |
|
| Statutory Registers |
Registers of directors and voting members, directors’ residential addresses,
charges, secretaries, debentures. For members of charity with non-voting rights or no material influence on governance. |
Permanent |
Charities Act 2011, Companies Act 2006 |
Controller |
|
| Merged charities |
Merger registration documentation, registers
of mergers, vesting declarations |
Permanent |
Charities Act 2011 |
Controller |
|
| Joint working agreements |
Partnership agreements,
memoranda of understanding, Service Level Agreements |
6 years from conclusion of relationship |
Limitation Act 1980 |
Controller |
|
| Policy and Strategy documents |
Business Plans, organisation charts,
strategies, policies, procedures |
Standards 7 years from superseded |
Recommended practice |
Controller |