Data Retention and Disposal Policy

Purpose and Introduction

LCM LABOUR LIMITED (“LCM”) is committed to the secure and efficient management of its data, and records for supporting the delivery of its services, documenting its principle activities. This policy is comprehensive and compliant with UK legislation, including GDPR (General Data Protection Regulation), Data Protection Act 2018 and LCM has implemented GDPR principles such as lawfulness, fairness, transparency abd accountability.

The benefits of effective records management within LCM LABOUR LIMITED are:

• Protect business critical records,
• Ensure that data, information and records can be retrieved easily and efficiently,
• Ensure compliance with legal, regulatory requirements,
• Reduce the risks relating to litigation, audit and government investigations,
• Minimising storage requirements and therefore costs.

The principles outlined in this policy have been developed to provide a consistent approach to managing records throughout their lifecycle, irrespective of their format.

Scope

The scope of this policy relates to all data, information and records irrespective of how they are generated, received, managed, retained and disposed of.

This policy applies to all members of staff (including workers and contractors) of LCM and will also where necessary, apply to third parties and suppliers who manage records on behalf of our business.

LCM has an Information Register (IR) which provides clarity regarding what information we collect, how we use it and how long we keep it and is provided at Appendix A to this policy.

The key business areas are as follows;

• Dealing with candidates and Partner Agencies
• Emails
• Sub-contractors
• External Communications (website/social media)

Procedures to support specific areas of the business have been produced and are provided at Appendix B to this policy.

Policy Principles

A record is defined as any information, created, received and maintained as evidence of a business transaction related to its legal obligations and / or business functions acting as a recruitment business

All information created by LCM staff, including Partner Agencies and contractors and third-party suppliers belongs to LCM and must be reviewed and disposed of in line with this policy.

Records should remain in their original format (electronic or manual).

Records will be processed in line with legal and regulatory requirements.

Retention Policy

Records and Information held and therefore processed for any longer than is necessary carries additional risk and cost to LCM.  Records will only be retained for legitimate business purposes and in line with legal and regulatory requirements.  Under GDPR it is clear that ‘personal data’ should not be retained for any longer than its lawful purpose.  Any information that is not by definition ‘personal data’ may be disclosable under Freedom of Information legislation.

Records and information will not be retained indefinitely by LCM. The majority of records will be held for 18 months. At that time, a decision will be taken to retain, archive or arrange for the destruction of the particular records.  We will consider whether there is a pressing business need, public interest or other reason for retaining a record or information for example, under HMRC guidance, payroll records will need to be kept for 6 years.

The retention of any record beyond its disposal date will be documented and a new review / retention date agreed and documented.

Hard copy information relating to LCM will be stored securely

All IT based information will be held on password protected systems. 

Records that are scheduled for destruction will be destroyed promptly and securely. For electronic records suitable software that can wipe the media clear and provide a certificate of destruction will be used where possible.  Similarly, hard copy information will be shredded.

Information Rights

Information and records held by LCM may under certain circumstances be disclosable.  There is a right of access to personal data under both GDPR and the Freedom of Information legislation.

GDPR requires that personal data should only be processed for as long as it is needed for the purposes it was collected for.

GDPR does not stipulate specific time periods for retention.  For how long information is retained is dependent upon the purpose for which it is processed.

LCM understand and acknowledge that to retain a copy anywhere, deliberately or recklessly, of personal data that has been marked for and then subsequently destroyed is committing a criminal offence.

Review

This policy and associated procedures will be reviewed annually or sooner if new record types are introduced.

What information do we collect? How do we use it? How long do we keep it for?

Information relating to temporary workers or LCM staff

We collect personal data in order to fulfil the contract with the Partner agency and end client and to comply with our legal obligations and where it is in our legitimate interests to supply our partner agencies with labour.

What type of information do we collect?

• Name and contact details
• Right to work status (copies of passport/ID documents)
• Next of kin details
• If any reasonable adjustments are required in the recruitment process
• Questions about work seeking activity to protect welfare and worker rights
• NINO and bank account details to allow us to pay for work carried out
• Sickness absence records
• Correspondence records (including disciplinary/grievance notes where relevant)

How do we use it?

The information collected is only used for the purpose of work finding services or to fulfil legal or regulatory requirements if necessary.

Disposal policy

The information is kept for a minimum of 18 months (or some information may be for 6 years if required by law) as long as consent has been granted.

Information relating to External Business Contacts

External business contacts mean individual members of staff at the partner agency, end client and any other organisations that we may work with to perform the legitimate activities of our business.

What type of information do we collect?

• Names and contact details including email addresses, telephone numbers
• Information about charge rates, risk assessments, end client information
• Sensitive data about the partner agency and end client
• Professional information in the public domain (for example linked in, client website pages etc.)

How do we use it?

The information collected is only used in connection with the legitimate activities of LCM.

Disposal policy

The information is kept for a minimum of 18 months or for along as we are required to do so by law. Information will be kept whilst business with the client is ongoing.

Individuals within external business contacts have the same rights as any other individual with regards to the processing of their data.

Personal data is collected in order to comply with legal obligations and where it is in the company’s interests as an employer to do so.

Individuals within the company we work with are also entitled to have their personal information protected.

Activities relating to Records Management, Retention and Disposal will comply with the policy section of this document (above).

The objective of this procedure is to ensure that LCM processes and retains the information and records necessary to carry out its functions, are kept in a structured format to enable best use of the information when carrying out those functions and are disposed of when no longer needed.

LCM will ensure that all worker details are held safely and securely either in hard copy format or electronically and are disposed of accordingly.

We understand that significant records may also be generated as a result of receiving emails and attachments. There are specific processes regarding email procedures detailed below.

Review or destruction dates must not be ignored, they must be acted upon.  Where there is no automatic review or destroy date, records will be checked every six months and arrangements made for any records that have exceeded their retention period are securely deleted.

Email Procedure

1. Activities relating to Records Management, Retention and Disposal will comply with the policy section of this document (above).
2. Email is a vital business communication tool. It is not a tool for generating an audit trail and should not be used as such.
3. It is important that email messages are properly managed to ensure that they support business needs and to also assist with compliance with information rights legislation
4. It is important to distinguish between email messages that contain significant information, and therefore need to be retained, and messages of trivial or only passing significance. Significant emails and in almost every case, attachments, should be removed from inboxes and personal folders as soon as possible and stored on the appropriate record for the specific system or business area. For example, candidate files should be filed in an appropriate candidate folder so can be easily accessible should the need arise.
5. An email is likely to be significant and needs to be retained if it contains information relating to candidates or clients. Significant emails are likely to be copied or forwarded to more than one recipient. 
6. External messages that are received should also be stored on the appropriate business area folder.
7. Less significant emails or those of only passing significance should be managed within the inbox and kept only as long as required before being deleted.
8. If after consideration, it is decided to delete an email from the inbox or folder including the deleted items folder then such a deletion is acceptable. If an email (including attachments etc.) is deliberately deleted following the receipt of a subject access request for personal data under GDPR then a criminal offence is committed

Partner Agencies

1. Activities relating to Records Management, Retention and Disposal will comply with the policy section of this document (above).
2. When personal data is obtained via a Partner agency we will ensure that the data is contained and stored on a separate folder identifying the origin of the data.
3. Sub-contractors will be expected to comply with LCM policy relating to retention and disposal of personal data.

External Communications

1. Activities relating to Records Management, Retention and Disposal will comply with the policy section of this document (above).
2. Wherever possible, the LCM website does not contain any personal data. We will review the website on an ongoing basis to ensure that policies, guidance and other information remains correct and up to date and that out of date material is removed.
3. Social Media will be used responsibly, and we will ensure that we do not hold personal data on this platform.
4. Information disclosed to Social Media sites will be in the public domain and once there cannot generally be removed.
5. Where there is no automatic review or destroy date, records will be checked every six months and arrangements made for any records that have exceeded their retention period to be securely deleted.