1 Purpose
1.1 Nelsons is committed to compliance with data protection legislation and the UK GDPR in force from time to time to ensure that the data of clients, employees and third parties is properly protected. This policy sets out the approach by Nelsons to data retention and deletion across all its business activities.
2 Application
2.1 This policy applies to all employees of Nelsonslaw LLP, Nelsons Solicitors Limited and Nelsons Solicitors Trust Corporation Limited (together referred to as ‘Nelsons’).
2.2 The terms ‘employee’ and ‘employees’ refer to all members, partners, directors, managers and employees of Nelsons including those undertaking work through an outsourcing or consultancy arrangement, in a volunteer capacity, on a temporary basis or through an agency.
2.3 All employees must familiarise themselves with this policy and comply with it. Failure to comply may result in disciplinary action.
3 Background
3.1 Under data protection legislation and regulation, Nelsons must not retain personal data for any longer than is necessary. Irrespective of the statutory requirements, continued data retention (either physical or electronic) also increases costs and exposes Nelsons to potential liabilities as this information ages and becomes inaccurate.
3.2 Nelsons must have systems and processes in place to ensure compliance with its data protection obligations and ensure that all employees comply with the systems and processes including retaining data for appropriate periods, destroying files and other paper records and deleting data as required.
3.3 Retention of personal data depends on the subject matter. The length of time that data contained in a document or electronic file should be retained must be based upon its content and its category under the various sections of this policy. Retention of all data and documents must conform to the retention policy outlined in this document irrespective of storage location.
4 Relevant legislation and regulation
4.1 The key legislative and regulatory requirements governing the length of time for which data may be retained are contained in the UK GDPR, Data Protection Act 2018, the SRA Standards and Regulations and other legislation referred to in the schedules.
4.2 Under the UK GDPR, personal data processed for any purpose or purposes must not be kept for longer than is necessary for that purpose or those purposes.
4.3 Nelsons must keep safe data, documents and assets entrusted to the practice to comply with SRA Principles.
5 Responsibilities
5.1 The COLP has overall responsibility for compliance with the UK GDPR and data protection/confidentiality obligations including responsibility for:
5.1.1 the oversight of the policies and procedures to ensure compliance with the legal and regulatory requirements relating to data protection and data retention;
5.1.2 the administration of this policy and the implementation of processes and procedures to ensure that the records retention schedules are followed;
5.1.3 ensuring the records retention and disposal programme is reviewed annually and that compliance with this policy is monitored;
5.1.4 making modifications to the records retention schedules from time to time to ensure they are in compliance with appropriate statutory requirements.
5.2 All employees are responsible for:
5.2.1 ensuring compliance with this policy and any systems and procedures in place to which they relate;
5.2.2 complying with any requests from partners/managers to take any appropriate action, in relation to clients or client matters, external and internal;
5.2.3 ensuring that all types of data are properly retained and destroyed in accordance with this policy;
5.2.4 keeping up to date with Nelsons’ policies and procedures.
6 Policy detail
6.1 Under the UK GDPR, personal data:
6.1.1 must be processed lawfully, fairly and in a transparent manner in relation to those individuals to whom the data relates;
6.1.2 must be collected for specific, explicit and legitimate purposes. Data cannot be processed unless there is a specific, explicit or legitimate purpose. Further processing over and above that purpose, for example for archiving purposes, in the public interest, or for scientific or historical or statistical purposes, is not allowed;
6.1.3 shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
6.1.4 shall be kept up to date, and every reasonable step must be taken to ensure that personal data that is inaccurate is corrected, or deleted without delay;
6.1.5 shall be processed in a manner that ensures appropriate security of the data. This includes protection against unauthorised access, unauthorised processing and measures taken against accidental loss, destruction or damage, using technical or organisational measures.
6.2 Personal data may be held within other records, documents and confidential information belonging to others.
6.3 The key types of personal and special categories of personal data held by Nelsons are set out in our Information Management and Security Policy.
6.4 The lawful basis for processing the personal data of clients and employees is set out in the relevant Privacy Notice.
7 Handling of data held in paper and electronically
7.1 In accordance with our Information Management and Security Policy, all currently required paper records must be securely stored when not in use in lockable filing cabinets.
7.2 All electronic documents relating to client related work must be stored and accurately profiled in the document management system (DMS) in place from time to time.
7.3 Employees must regularly review all their email and hard copy mailboxes to delete irrelevant or outdated email correspondence and/or transfer to the DMS.
7.4 Electronic documents and communications containing client data or any other personally identifiable information must not be retained in the online email archiving facility, OneDrive or on individual desktops.
7.5 Documents and records in paper format should be scanned and stored electronically in accordance with the relevant policy.
7.6 The originals must then be destroyed securely except where paper copies must be preserved for legal reasons, e.g. title deeds to property, certificates or guarantees, wills, trust and other deeds, etc. Such originals should be returned to the client unless there is a compelling reason not to do so – otherwise they should be stored securely offsite. In all cases, these documents should be scanned and held in the relevant DMS file.
7.7 All archived paper files are stored offsite for the retention periods specified in Schedule 1.
8 Data destruction – client matters
8.1 Personal data about a client should be retained for legal, contractual, regulatory and/or operational reasons for the retention periods specified in Schedule 1 but must not be used or accessed in respect of any other purpose or for a purpose that is no longer relevant.
8.2 Personal data must not be retained when there is no longer a lawful business or regulatory reason to retain it.
8.3 Personal data held in electronic or paper format must be disposed of securely at the end of the retention periods specified in Schedule 1. The requirements apply to all personal data that is collected by Nelsons.
9 End of matter – handling of client documents and data
9.1 At the end of each client matter, fee earners must review the file and check whether any original documents are held. All original documents must be processed in accordance with clients’ instructions including their return or storage.
9.2 Files belong to the clients, subject to a limited number of documents that can be removed and/or belong to Nelsons.
9.3 Documents/data that come into existence during the retainer fall into four broad categories:
9.3.1 documents prepared by Nelsons for the client and that have been paid for by the client belong to the client;
9.3.2 documents prepared for Nelsons’ own benefit or protection for which the client has not been charged belong to Nelsons;
9.3.3 documents and letters written by the client to Nelsons where property passes to Nelsons on dispatch belong to Nelsons;
9.3.4 documents prepared by a third party during the course of the retainer and paid for by the client belong to the client.
9.4 The file should be assessed to determine what category the document/data falls into for document/data retention purposes.
9.5 The file should be reviewed to assess whether any documents/data are held by any third parties and what the agreement is with the third party as to destruction of the documents/data at the end of the matter. The fee earner must remind the third party of its contractual obligations.
9.6 Paper and electronic data will be archived in accordance with our End of Matter procedure.
10 Data handling and destruction – People & Culture
10.1 All data relating to Nelsons’ current, past and prospective employees should be copied to People & Culture for retention on individual employment records and deleted from transmitting email accounts.
10.2 All data relating to Nelsons’ current, past and prospective employees should be destroyed in accordance with the retention periods specified in Schedule 2.
11 Data handling and destruction – Finance
11.1 All client data is to be destroyed in accordance with the retention periods specified in Schedule 1.
12 Data handling and destruction – Marketing & BD
12.1 All client data is to be destroyed in accordance with the retention periods specified in Schedule 3.
13 Data handling and destruction in event of investigations, litigation or claims concerning Nelsons
13.1 If Nelsons is served with any subpoena or request for documents, or receives an intimation of legal or regulatory proceedings against or concerning Nelsons, or any employee becomes aware of an investigation or audit by a government department or a regulator concerning Nelsons or the threat of or commencement of any litigation against or concerning Nelsons, they must inform the Professional Standards Team (PST). Any further disposal of documents must be suspended until the COLP determines otherwise.
13.2 The PST will take such steps as are necessary to promptly inform all employees of any suspension in the further disposal of documents.
14 Destruction of data – routine reviews of data held
14.1 On the first working day of each quarter (commencing August, November, February and May), a report will be run identifying matters where paper and/or electronic records are held which have passed their destruction/deletion date as at the report date. The report will be passed to the COLP.
14.2 The COLP will undertake a risk assessment of the listed items and, so far as is practicable, where:
14.2.1 the risks are low or minimal, approve the list and confirm that the files/data are to be destroyed/deleted;
14.2.2 the risks are medium or high, refer the file/data to the head of the appropriate Department for review and recommendation for destruction or the allocation of a new destruction/deletion date.
15 Reporting
15.1 Employees must report any potential or suspected breaches of this policy to the PST, who will liaise with the COLP in conjunction with the department head so that any required remedial action can be agreed.
16 Monitoring and review
16.1 The COLP will review this policy annually to monitor the effectiveness of the processes, systems and controls.
Schedule 1
Paper and Electronic Records Retention Periods for Client Matter Files
Type of matter/Enquiry | Retention period from matter conclusion | Exceptions/reasons for storing file for longer | Suggested reason for retention |
Accounting records relating to client matters | To coincide with data destruction variants as below | ||
Administration of Estates | 7 years | Primary Limitation Period | |
Corporate & Commercial – business acquisitions and disposals | 7 years | Primary Limitation Period | |
Corporate & Commercial – including company, partnership formation, insolvency, trademark, copyright, patent, T&Cs | 7 years | Primary Limitation Period | |
Dispute Resolution – all client types | 7 years | Longer if client is under a disability | Primary Limitation Period |
Employment | 7 years | Primary Limitation Period | |
Family – all where children not involved | 7 years | Primary Limitation Period | |
Family – where private or public law children issues involved | 7 years to run from child’s 18th birthday | Primary Limitation Period | |
Freehold purchase and/or mortgage | 16 years | Primary and Secondary Limitation Period | |
Freehold sale | 7 years | Primary Limitation Period | |
Investment Management | 7 years from completion of last annual review | Primary Limitation Period | |
Leasehold and tenancy | Length of term plus 7 years | Primary Limitation Period | |
Non-contentious – any other | 7 years | Primary Limitation Period | |
Personal injury & Clinical Negligence (adults) | 7 years | Primary Limitation Period | |
Personal injury & Clinical Negligence (children) | 7 years to run from child’s 18th birthday | Primary Limitation Period | |
PST – Regulatory Records including CDD for AML purposes | To coincide with data destruction variants | ||
Trusts | Duration of trust plus 7 years | Reflects the potential “long tail” nature of potential claims |
Wills | Indefinitely if still valid original will is also held or known to be in existence; | Reflects the potential “long tail” nature of potential claims |
Schedule 2
Paper and Electronic Records Retention Periods for People & Culture
Record Type | Recommended retention period | Justification |
Rejected job applicant records, including: contact details; application letters or forms; CVs; references; certificates of good conduct; interview notes; assessment and psychological test results | 6 months after the applicant is notified of rejection; or 12 months if there is a clearly communicated policy to keep candidates’ CVs for future reference | ICO Employment Practices Code para 1.7 |
Application records of successful candidates, including: application letters or forms; copies of academic qualifications and other training received; references; correspondence concerning employment; CVs and job history; interview notes and evaluation forms, assessment and psychological test papers and results | 7 years after employment ceases | Limitation Act 1980, s 5 (LA 1980) |
Criminal records information, including: criminal records; requirement assessments for a particular post; criminal records information forms; the Disclosure and Barring Service (DBS) check forms; DBS certificates | Criminal records requirement assessments for a particular post: 12 months after the assessment was last used. All other information in this category: as soon as practicable after the check has been completed and the outcome recorded (i.e. whether satisfactory or not) unless, in exceptional circumstances, the COLP assesses that it is clearly relevant to the ongoing employment relationship, in which case 6 months. If the COLP considers it necessary to keep the information for longer than 6 months, the DBS should be consulted | DBS guidance for employers: Duration of criminal record check validity |
Employment contracts, including: personnel and training records; written particulars of employment; changes to terms and conditions; resignation, termination and/or retirement letters | 7 years after employment ceases | LA 1980, ss 5, 8 |
Directors’ service contracts and any variations | 7 years from termination or expiry of the contract, unless executed as a deed, in which case 13 years from termination or expiry | LA 1980, ss 5, 8 |
Copies of identification documents (e.g. passports) | Not less than 2 years from the date of termination of employment | Immigration (Restrictions on Employment) Order, SI 2007/3290, Art 6(1)(b) |
Identification documents of foreign nationals (including right to work) | 2 years and 6 months from the date of termination of employment | Immigration (Restrictions on Employment) Order, SI 2007/3290, art 6(1)(b) |
Records concerning a temporary worker | 7 years after employment ceases | LA 1980, s 5 |
Employee performance and conduct records, including: probationary period reviews; review meetings and assessment interviews; appraisals and evaluations; promotions and demotions; all information relevant to an assessment of the individual’s fitness and propriety under the FCA Senior Managers and Certification (SM&CR) regime | 7 years after employment ceases. Under SM&CR, information regarding a relevant individual’s gross misconduct must be retained indefinitely | LA 1980, s 5 |
Records relating to and/or showing compliance with Working Time Regulations 1998, including: registration of work and rest periods; working time opt-out forms | 2 years from the date on which the record was made and no longer than 6 months after the termination of employment in any event | Working Time Regulations 1998, SI 1998/1833, reg 9 |
Redundancy records | 7 years from date of redundancy | LA 1980, s 5 |
Annual leave records | 7 years after the end of each tax year | LA 1980, s 5 |
Parental leave records | 7 years after the end of each tax year | LA 1980, s 5 |
Sickness records | 7 years after the end of each tax year | LA 1980, s 5 |
Records of return-to-work meetings following sickness, maternity etc | 7 years after the end of each tax year | LA 1980, s 5 |
Occupational Health Records and Reports | 7 years after employment termination | |
Equal opportunities monitoring records | Indefinitely in anonymised format and stored in an unstructured way | |
Post employment reference requests | 6 years from termination of employment | |
Payroll and pension records
Record | Recommended retention period | Justification |
Records for the purposes of tax returns including wage or salary records, records of overtime, bonuses and expenses | 7 years from the financial year end in which the payments were made | Taxes Management Act 1970, s 12B |
Records demonstrating compliance with national minimum wage requirements, including hours worked | 6 years beginning with the day upon which the pay reference period immediately following that to which they relate ends | National Minimum Wage Act 1998, s 9 |
Employee income tax and National Insurance returns and associated HMRC correspondence | 3 years after the end of tax year to which they relate | Income Tax (Pay as You Earn) Regulations 2003, SI 2003/2682, reg 97 |
Statutory sick pay (SSP) records | 3 years after the end of the tax year to which they relate | The requirement to maintain SSP records for 3 years after the end of the tax year to which they relate was revoked in 2014, but an employer may still be required by HMRC to produce such records as are in his possession or power which contain, or may contain, information relevant to satisfy HMRC that statutory sick pay has been and is being paid. The Statutory Sick Pay (General) Regulations 1982, SI 1982/894, reg 13(A) |
Wage or salary records (including overtime, bonuses and expenses) and payments to consultants and independent contractors | 7 years | Taxes Management Act 1970, s 43 |
Statutory maternity, paternity and shared parental pay records, calculations, certificates or other evidence | 3 years after the end of the tax year in which the period of statutory pay ends | Statutory Maternity Pay (General) Regulations 1986, SI 1986/1960, reg 26 (and other corresponding legislation) |
Pensions records | 6 years from termination of employment | |
Auto-enrolment opt-outs | 6 years from termination of employment or until employee auto-enrols | |
Loans | 6 years after repayment | |
Health & safety records
Record | Recommended retention period | Justification |
Records of reportable injuries, diseases or dangerous occurrences: reportable incidents; reportable diagnoses; injury arising out of accident at work (including Nelsons accident book) | 4 years from the date of the entry in the record | The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR 2013), SI 2013/1471, reg 12 |
Employee risk assessments | 6 years from termination of employment |
Schedule 3
Marketing & BD
Record | Recommended Retention Period | Justification |
CRM (client relationship management) records including of former, current and potential clients | Former – See Matter File retention periods; Current – See Matter File retention periods; Potential – 7 years from last contact | Business |
Direct marketing information relating to a current client | At point where client unsubscribes | Business |
Direct marketing information relating to a potential customer | At point where potential client unsubscribes | Business |
Information recorded on marketing suppression lists, i.e. individuals who have notified us they do not wish to receive marketing communications | Individual entries on the suppression list must be deleted 50 years from the date the marketing opt-out request was received | Evidential and business |
Website cookie data for targeted advertising | In accordance with website cookie policy | Evidential and business |