Information Management and Retention Policy

Updated on Dec 12, 2024

Document History

Document Reference	DP03
Document Purpose:	This policy sets out the required processes that all SSAFA employees and volunteers must adhere to when creating, holding, using, retaining and disposing of information and data, in all forms (paper-based copies, digital and online records).
Policy Sponsor:	Data Protection & Governance Manager
Target Audience:	This policy applies to any person directly employed, contracted working on behalf of the Charity or volunteering with the Charity.
Associated Documents:	All data governance relation policies including: Employee and Volunteer Data Protection Policy IT Policy Privacy Notices Social Media Policy

Note: This document was approved by Senior Managers at the Controller’s Meeting held on 14^th October 2021.Minor amendments to include records specific to the PS&SWS-RAF service were made on 10^th June 2022.

Legal Obligations and Standards

The key legislation and guidance supporting the Records Management policy are:

UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018
The Caldicott Review 2012
The Common Law Duty of Confidentiality

Responsibilities

Information Asset Owners identified within the data retention schedule are responsible for:

Ensuring that all applicable records are listed and that retention periods are accurate;
Approving the retention periods; and
Ensuring that personal data is retained in accordance with the schedule; is reviewed before disposal and appropriately disposed of/destroyed at the end of the retention period.

Retention of records

Data protection law does not set specific time limits for the retention of different types of personal information. It is up to each organisation’s data controllers to set their own retention periods. These will depend on how long the information is required in relation to the specified purposes for which it has been collected and how long it needs to be held. For SSAFA, those decisions will be made by the Information Asset Owners shown within the schedule.

Decisions relating to the retention and disposal/deletion of personal data, or any other information should be taken with reference to the Schedule (as set out in this policy).

In all cases where the retention period recommended in the Schedule for specific types or items of personal information has expired, a review must be carried out prior to disposal, and consideration should be given as to the most appropriate method of secure deletion or disposal.

In certain circumstances an individual may exercise their right to be erased or forgotten from an organisation’s data records. Anyone receiving such a request should be directed to/seek guidance from the Data Governance Manager in the first instance prior to any action being taken.

Disposal/deletion of records

All paper documents containing personal information should be disposed of confidentially and securely either by shredding or by using confidential waste bins or sacks. Such documents may include, but are not limited to, those containing names and contact details, verification documents, health-related information and financial information.

Electronic or digital communications including emails, digital versions of advertising and marketing collateral, Facebook pages, twitter accounts, photography, videos etc. and all other information stored digitally should also be reviewed regularly and if no longer required should be closed and/or permanently deleted. It is understood that the word “deletion” can mean different things in relation to electronic data, and that it is not always possible to erase all traces of it. However, the requirement is to delete the data or information record ‘beyond use’, so it will normally be sufficient simply to delete the information, with no intention of it ever being used or accessed again by anyone. In addition to deleting personal information from a live system, it should also be deleted from any back- up records of that system.

Retention of records for archiving, research or statistical purposes

Personal information can be kept indefinitely if held only for archiving purposes in the public interest; scientific or historical research purposes; or statistical purposes. There must be appropriate safeguards in place to protect individuals - for example, in some cases pseudonymisation may be appropriate. If retaining personal information for archiving purposes, it must not be used for any other purposes. In cases where archiving is considered appropriate the Data Governance Manager should be consulted for advice.

Use the following tables to find the types of personal data with specific retention requirements.

(Use keyboard arrows to move across columns)

Column 1

Type of Record	Microsoft Sensitivity Label Name (applicable to Social Work Records only)	Retention Period	Reason for Length of Period	Information Asset Owner
Social Work and Welfare Support Records
Children in Need Case files which have: a) CiN meetings b) CiN plan Records of one-off contact/consultations	Child in Need Case File	Last entry + 35 years	Statute of Limitations Act	Director, Social Care Operations
Parenting skills long term sickness compassionate posting	Parenting Skills	Last entry + 1 Year	Department policy	Director, Social Care Operations
Child protection case files which have: a) Conference minutes b) Core assessment c) Investigation d) CP Plans	Child Protection Case File	Last entry + 35 years	Statute of Limitations Act	Director, Social Care Operations
Child Protection files: a) initial assessment b) advice only	Child Protection Initial Assessment	Last entry +7 years	Statute of Limitations Act	Director, Social Care Operations
Child Protection files referral investigated and found to be malicious or unfounded / unproven	Child Protection Referral Malicious or Unfounded	Last entry +3 years	Children Act 1989	Director, Social Care Operations

Column 2

Looked After children	Looked After Child	Personal information retained for 100 years then destroyed	Adoption and Children Act 2002	Director, Social Care Operations
PS&SWS-RAF Consultation - Record of one-off contacts	PS and SWS Consultation	Last entry + 2 years	Service Policy	Director, Social Care Operations
PS&SWS-RAF Referral - Process involving individual case management in the provision of support by SSAFA	PS and SWS Referral	Last entry + 6 years	Statute of Limitations Act	Director, Social Care Operations
PS&SWS-RAF Referral with assessment or report	PS and SWS Referral with Assessment or Report	Last entry + 6 years	Statute of Limitations Act	Director, Social Care Operations
PS&SWS-RAF Referral that involves supporting a Child in Need or Child Protection Plan	PS and SWS Referral – CiN or Child Protection	Last entry + 6 years	Statute of Limitations Act	Director, Social Care Operations
Adoption services*
Initial enquiry	Adoption Initial Enquiry	Data is kept for up to two years following an initial enquiry before being destroyed.	Adoption Agencies Regulation 2005	Director, Social Care Operations
Where an assessment of a prospective adopter does not conclude with an Adoption Order	Adoption Assessment Result No Adoption Order	The Agency must destroy the records after a period of 10 years other than those where there is an issue of safeguarding importance which will be kept for 50 years.	Adoption Agencies Regulation 2005	Director, Social Care Operations
Where a case does result in the granting of an Adoption Order	Adoption Case Adoption Order Granted	retained for 100 years	Adoption and Children Act 2002	Director, Social Care Operations
Schedule 1 offenders	Schedule 1 Offender	Date of birth +75 years	Children Act 1989	Director, Social Care Operations
Young person’s files Foster carers files	Young Person's Files = Young	Date of birth +75 years or 15 years after death of child (where child under 18 years)	Reg 50 of care planning and case review (England) regs 2010	Director, Social Care Operations
Children and young people subject to supervision orders	Child Subject to Supervision Order	Age 18 years +3 Years	Adoption and Children Act 2002	Director, Social Care Operations
Approved foster carers	Approved Foster Carer File	Closure + 75 years	Fostering regulations 2002	Director, Social Care Operations
Placements record of accidents	Accident Placement Record	Last entry + 15 years and then review	Fostering service (England) regulations	Director, Social Care Operations

			2011. Care planning regulations
Foster carer files	Foster Carer File	Age 18 + none Minimum 10 years from approval	Fostering service (England) regulations 2011. Care planning regulations	Director, Social Care Operations
Enquiries/applications to become foster parents which do not lead to approval	Foster Parent Enquiries and Applications	Minimum 3 years from refusal or withdrawal, then review	Fostering service (England) regulations 2011. Care planning regulations	Director, Social Care Operations
Service users who have had the provision of advice and information only.	Service User Advice and Information Only	Last action + 5 years	Fostering service (England) regulations 2011. Care planning regulations	Director, Social Care Operations
Processes involved in assessing and providing individual support for children who have special educational or welfare needs	Child Assessment of SEN or Welfare Needs	Destroy 35 years from closure	Common Practice	Director, Social Care Operations
Short Break records	Short Break Record	12-months after the end of the Short Break	Operational department requirement	Director, Social Care Operations
Forcesline
Consultation - Record of one-off contact	N/A	Last Entry +2 year	Service Policy	Director, Social Care Operations
Vetting
Local Authority and other agencies	N/A	1 year from request processed	Service Policy	Director, Social Care Operations

Employment Information
Employment records	6 years + the current financial year after the employee has left	Limitation Act 1980	Director of People
Personnel files including training records and notes of disciplinary and grievance hearings	6 years + the current financial year after the employee has left	Limitation Act 1980	Director of People
Pay and benefits input information	6 years from the end of the tax year to which they relate	Taxes Management Act 1970	Director of People
Criminal record disclosure Certificates	No longer than is necessary after a recruitment decision is made	Disclosure & Barring Service guidance, any retention will allow for the consideration and resolution of disputes or complaints.	Director of People
Application forms/interview notes	1 year from the date the vacancy is filled for unsuccessful candidates. 6 years + the current financial year after the employee has left for successful candidates	Discrimination Acts and Limitation Act 1980	Director of People
Facts relating to redundancies	6 years from the date of redundancy	Limitation Act 1980	Director of People
Income Tax and NI Returns, including correspondence with tax office	At least 3 years after the end of the financial year to which the records related	Income Tax (Employment) Regulations 1993	Director of People
Statutory Maternity Pay records and calculations	3 years after the end of the tax year in which the maternity period ends minimum but likely to be 6 years + the current financial year after the employee has left	Statutory Maternity Pay (General) Regulations 1986	Director of People

Statutory Sick Pay records and calculations	6 years + the current financial year after the employee has left	Limitation Act 1980	Director of People
Accident books, and records and reports of accidents	3 years after the date of the last entry	Social Security (Claims and Payments) Regulations 1979; RIDDOR 1985	Finance Director
Health Records	6 years + the current financial year after the employee has left	Discrimination Acts and Limitation Act 1980	Director of People
Beneficiary records
Contact notes Risk and other assessments Form A Referral forms	6 years after the end of service delivery relationship plus the current financial year	HMRC requirement	Director of Volunteer Operations
Volunteers
Details of applicants not recruited	No longer than 6-months after the volunteer decides he/she does not wish to join	Operational department requirement	Director of Volunteer Operations
Accident, injury or incident reports	Three years for accident records and 40 years for any health-related records (i.e. asbestos surveys	Health and Safety Executive	Director of Volunteer Operations
Initial application form and contact details	3 years after leaving SSAFA	Operational department requirement	Director of Volunteer Operations
Volunteer complaints and or grievances	3 years after completion of the investigation	Financial Conduct Authority	Director of Volunteer Operations
Training records	Destroy as soon as notified that the volunteer is leaving	Operational department requirement	Director of Volunteer Operations

Vetting decisions	3 years after leaving SSAFA	Operational department requirement	Director of Volunteer Operations
Conflicts of interest register for trustees	5 years from the date on which the record was made.	Financial Conduct Authority	Director of Volunteer Operations
Volunteer expenses	6 years from the end of the tax year to which they relate	Taxes Management Act 1970	Director of Volunteer Operations
Fundraising
Donations	6 years + the current financial year	HMRC requirement	Director of Fundraising
Legacies	Fifteen years from financial year file was closed	Operational department requirement	Director of Fundraising
Donor/supporter indicates intention to leave a gift in a will or notification of possible legacy	From date of notification to One hundred and ten years.	Operational department requirement	Director of Fundraising
Analyse performance of fundraising over time and future targeting.	Indefinitely	UK GDPR (Anonymised data for statistical purposes)	Director of Fundraising
Managing unsubscribes	Indefinitely	UK GDPR (Legitimate Interests)	Director of Fundraising
Suppression when renting 3rd party data	Indefinitely	UK GDPR (Statistical purposes)	Director of Fundraising
Website data	6 months, personal information on website database must be deleted after 6-months	Operational department requirement	Director of Fundraising
Declarations (gift aid etc.)	6 years in case of an audit: These records must provide a clear link	HMRC requirement	Director of Fundraising

	between the donor, declaration and donation.
Marketing & Communications
Crisis communications log	Partial destruction, note of name and address kept after four years – total destruction after 10 years	Operational department requirement	Director of Marketing & Communications
Case study log	Partial destruction, note of name and address kept after four years – total destruction after 10 years	Operational department requirement	Director of Marketing & Communications
Case study information/ stories for publicity and fundraising purposes; including all consent files, photos and videos	Held for 2 years, then removed from all marketing channels	Operational department requirement/ best practice	Director of Marketing & Communications
Email marketing records on DotDigital	Manual deletion of email lists every six months	UK GDPR requirement	Director of Marketing & Communications
SSAFA Housing
Applications and registration forms	7 months after applicant is notified of outcome, or, in the case of people taking up residency: 5 years after departure or, in the case of a child protection issue, until the youngest child reaches 18 years of age or Seven years after death or other departure	Operational department requirement	Finance Director
Hard copies of Residents Induction/ Sign up pack.	Held for 5 years.	Operational department requirement	Finance Director

Prospective residents who are not admitted	3 years after the last action	Operational department requirement	Finance Director
Accident and injuries report and records	6 years from time of accident occurring	Operational department requirement	Finance Director
Files relating to Steppingstone homes family in residence.	5 years after departure or, in the case of child protection issues, until the youngest child reaches 18 years of age	Operational department requirement	Finance Director
Facilities
TDSI	Data is deleted by the administrator when the building pass is handed in and no longer required.	Operational department requirement	Finance Director

Corporate Governance Records Management

The Companies Act 1985 requires certain statutory records and registers to be kept for the life of the company, such as the Memoranda and Articles of Association, copies of all resolutions filed at Companies House, minutes of board and shareholder meetings and the registers of directors/secretaries.

Record Type	Record Description	Retention Period	Reason/ Further Guidance	Information Asset Owner
Governing/ Constitutional Documents	Certificates of Incorporation Constitution, Trust Deed, Memorandum and Articles of Association, Royal Charter, Charity Commission schemes/orders	Permanent	Charities Act 2011, Companies Act 2006	Controller
Board meetings	Board meetings, AGMs, Special Committee meetings	Permanent	Companies Act 2006	Controller
Trustee appointments	Appointment notices, election results, signed contracts, trustee declarations	Permanent	Charities Act 2011, Companies Act 2006	Controller
Statutory Registers	Registers of directors and voting members, directors’ residential addresses, charges, secretaries, debentures. For members of charity with non-voting rights or no material influence on governance.	Permanent	Charities Act 2011, Companies Act 2006	Controller
Merged charities	Merger registration documentation, registers of mergers, vesting declarations	Permanent	Charities Act 2011	Controller
Joint working agreements	Partnership agreements, memoranda of understanding, Service Level Agreements	6 years from conclusion of relationship	Limitation Act 1980	Controller
Policy and Strategy documents	Business Plans, organisation charts, strategies, policies, procedures	Standards 7 years from superseded	Recommended practice	Controller

Previous Article IT Policy

Next Article Staff who also Volunteer Guidance

SSAFA Volunteer Knowledgebase