Records Retention and Protection Policy
Effective Date: 14 July 2023
This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Daon systems.
The following policies and procedures are relevant to this document:
- ISMS14001 Information Asset Inventory
- ISMS14002 Information Security Classification Guidelines
- ISMS14003 Information Security Labelling Procedure
- PIMS10009 Policy on Good Research Practice
In its everyday business operations, Daon collects and stores records of many types and in a variety of different formats. The relative importance and sensitivity of these records also varies and is subject to the organization’s security classification scheme (see ISMS14002 Information Security Classification Guidelines).
It is important that these records are protected from loss, destruction, falsification, unauthorised access and unauthorised release, and a range of controls is used to ensure this, including backups, access control and encryption.
Daon also has a responsibility to ensure that it complies with all relevant legal, regulatory and contractual requirements in the collection, storage, retrieval and destruction of records.
This policy begins by establishing the main principles that must be adopted when considering record retention and protection. It then sets out the types of records held by Daon (including personal data) and their general requirements before discussing record protection, destruction and management.
There are a number of key general principles that should be adopted when considering record retention and protection policy. These are:
- Records should be held in compliance with all applicable legal, regulatory and contractual requirements
- Records should not be held for any longer than required in relation to the purposes for which they are collected or otherwise processed
- The protection of records in terms of their confidentiality, integrity and availability should be in accordance with their security classification
- Records should remain retrievable in line with business requirements at all times
A summary of the specific requirements can be found in ISMS24001 Legal Responsibilities Policy.
In order to assist with the definition of guidelines for record retention and protection, records held by Daon are grouped into the categories listed in Table 1 below. As a company, we are required to retain certain records, usually for a specific period of time, because the information they contain must be kept in order to satisfy legal, accounting or other regulatory requirements; the accidental or unintentional destruction of these records during their specified retention period could result in fines or penalties imposed by a regulator. We must balance these requirements with our statutory obligation to keep records only for the periods required and to comply with data minimisation principles. The table sets out the required or recommended retention period and allowable storage media for each category, together with the reason for the recommendation or requirement.
Personal Data is defined as any data which can identify an individual either on its own or when combined with other data which we possess. Some examples of personal data include names and addresses, email addresses and bank information which we may process on behalf of a customer in the provision of services (collectively “Customer Personal Data”). We have specific obligations relating to Customer Data, and these are set out in the relevant contract, which should address the processing activity concerned. Daon is responsible for identifying the documents that it must or should retain and determining the proper period of retention in accordance with applicable data protection laws, including (where relevant) GDPR.
In some instances, Daon may be required to maintain certain types of records, Customer Data or information for designated periods of time pursuant to its contractual obligations with customers and/or third parties. To the extent agreed to by Daon, those contractual obligations must be honoured. If there is a conflict between the periods set out in Table 1 and any contract, the longer of the two terms shall prevail unless otherwise prevented by any local legal or regulatory requirements.
Daon also carries out scientific research, and so upon completion of a contract or project, Daon may retain Personal Data for scientific research purposes. In the absence of specific legal or external requirements, Daon’s guidelines mandate the secure retention of such data after completion of a project. Since data protection legislation does not specify particular periods beyond which personal data may not be held, it is the responsibility of the research organisers to determine the retention period for their research data. Periods can vary depending on the research discipline, its purpose and the type of data concerned. Retention periods will be determined on a case-by-case basis having regard to legal obligations, conditions imposed by researchers, commercial or ethical sensitivity and good practice elsewhere. In some situations, it may be sufficient for the research purpose to retain only de-identified data. For as long as Personal Data are held, the obligations under the applicable data protection legislation remain, in line with our Policy on Good Research Practice.
Therefore, Daon will consider for each processing activity:
- Whether any legal or regulatory requirements specify a retention period for the Customer Personal Data to be processed;
- How long Daon will need to retain Customer Personal Data in relation to the proposed processing activity;
- Whether the duration of the proposed retention period is necessary for the purposes of the relevant processing activity.
Note that these are guidelines only and there may be specific circumstances where records need to be kept for a longer or shorter period of time. This should be decided on a case-by-case basis as part of the design of the information security elements of new or significantly changed processes and services.
Further information about records held by the organization, including their security classifications and owners can be found in ISMS14001 Information Asset Inventory.
| Record Type | Description | Retention Period | Reason for Retention Period | Allowable Storage Media |
|---|---|---|---|---|
| Accounting | Invoices, purchase orders, accounts and other historical financial records | Varies depending on applicable legislation and the jurisdiction – check with legal | SOX compliance requirement | Electronic only – paper records must be scanned |
| Budgeting and Forecasting | Forward-looking financial estimates and plans | Varies depending on applicable legislation and the jurisdiction – check with legal | SOX compliance requirement | Electronic/Paper |
| System Transaction Logs | Database journals and other logs used for database recovery | Varies depending on applicable legislation and the jurisdiction – check with legal | Based on backup and recovery strategy | Electronic/tape media |
| Audit Logs | Security logs, e.g. records of logon/logoff and permission changes | Varies depending on applicable legislation and the jurisdiction – check with legal | Maximum period of delay before forensic investigation | Electronic |
| Operational Procedures | Records associated with the completion of operational procedures | Varies depending on applicable legislation and the jurisdiction – check with legal | Maximum period of time elapsed regarding a dispute | Electronic/Paper |
| Customer | Customer names, addresses, order history, credit card and bank details | Varies depending on applicable legislation and the jurisdiction – check with legal | Data Protection Act requirement | Electronic/Paper |
| Supplier | Supplier names, addresses, company details | Each agreement will vary depending on applicable legislation and the jurisdiction – check with legal | Maximum period within which a dispute might occur | Electronic/Paper/Microfiche |
| Human Resources | Employee names, addresses, bank details, tax codes, employment history | Varies depending on applicable legislation and the jurisdiction – check with legal | Data Protection Act requirement; employment law | Electronic/Paper |
| Contractual | Legal contracts, terms and conditions, leases | Each contract varies depending on applicable legislation and the jurisdiction – check with legal | Maximum period within which a dispute might occur | Electronic/Paper |
| Customer Personal Data | Includes names, addresses, identification documents, bank details and biometric data – such personal data will be set out in the relevant agreement | Until the initial purpose for collection has been satisfied in accordance with the relevant agreement, or within one year of the data subject’s last interaction with the services (as outlined in the agreement) – whichever occurs first | Maximum period as per BIPA (1 year) | Electronic/Paper |
| Customer Personal Data (scientific research) | Customer names, addresses, identification documents, bank details and biometric data | For scientific research purposes the period of retention is 25 years (unless a shorter period is deemed appropriate or set out in the relevant agreement), given the type of data and scientific research being carried out | Exemption under GDPR, CCPA and CPRA – maximum period given the purpose, i.e. scientific research | Electronic/Paper |

Table 1 – Record types and retention periods
Where appropriate to the classification of information and the storage medium, cryptographic techniques should be used to ensure the confidentiality and integrity of records.
Care should be taken to ensure that encryption keys used to encrypt records are securely stored for the life of the relevant records and comply with the organization’s policy on cryptography (see ISMS16001 Cryptographic Policy).
The choice of long-term storage media should take into account the physical characteristics of the medium and the length of time it will be in use.
Where records are legally (or practically) required to be stored on paper, adequate precautions must be taken to ensure that environmental conditions remain suitable for the type of paper used. Where possible, backup copies of such records should be taken by methods such as scanning or microfiching. Regular checks should be made to assess the rate of deterioration of the paper and action taken to preserve the records if required.
For records stored on electronic media such as tape, similar precautions must be taken to ensure the longevity of the materials, including correct storage and copying onto more robust media if necessary. The ability to read the contents of the particular tape (or other similar media) format should be maintained by the keeping of a device capable of processing it. If this is impractical an external third party may be employed to convert the media onto an alternative format.
There is little point in retaining records if they are not able to be accessed in line with business or legal requirements. The choice and maintenance of record storage facilities should ensure that records can be retrieved in a usable format within an acceptable period of time. An appropriate balance should be struck between the cost of storage and the speed of retrieval so that the most likely circumstances are adequately catered for.
Once records have reached the end of their life according to the defined policy, they should be securely destroyed in a manner that ensures they can no longer be used, in line with ISMS14006 Procedure for the Disposal of Media.
This procedure allows for the correct recording of the details of disposal which should be retained as evidence.
The retention and storage of records should be subject to a regular review process carried out under the guidance of management to ensure that:
- The policy on records retention and protection remains valid
- Records are being retained according to the policy
- Records are being securely disposed of when no longer required
- Legal, regulatory and contractual requirements are being fulfilled
- Processes for record retrieval are meeting business requirements
The results of these reviews should be recorded, and any necessary actions identified in the review process should then be implemented.