Data Retention and Erasure

Policy Statement

Aktyvus Sektorius/Eskimi (hereinafter – the Company) recognises and understands that the efficient management of its data and records is necessary to support its core business functions, to comply with its legal, statutory and regulatory obligations, to ensure the protection of personal information and to enable the effective management of the organisation.

Information held for longer than is necessary carries additional risk and cost and can breach data protection rules and principles. The Company only retains records and information for legitimate business reasons and use, and we comply fully with data protection laws and guidance.

Effective and adequate records and data management is necessary to:

  • Ensure that the business conducts itself in a structured, efficient and accountable manner

  • Ensure that the business realises best value through improvements in the quality and flow of information and greater coordination of records and storage systems

  • Support core business functions and provide evidence of conduct and the appropriate maintenance of systems, tools, resources and processes

  • Meet legislative, statutory and regulatory requirements

  • Deliver services to, and protect the interests of, employees, clients and stakeholders in a consistent and equitable manner

  • Assist in document policy formation and managerial decision making

  • Provide continuity in the event of a disaster or security breach

  • Protect personal information and data subject rights

  • Avoid inaccurate or misleading data and minimise risks to personal information

  • Erase data in accordance with the legislative and regulatory requirements

Reference Documents


Purpose

The purpose of this policy is to set out the length of time that the Company's records should be retained, the processes for disposing of records, and how the Company provides a structured and compliant data and records management system. We define 'records' as all documents, regardless of format, which facilitate business activities and are thereafter retained to provide evidence of transactions and functions.

Such records may be created, received or maintained in hard copy or in an electronic format. Records management is the field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use, distribution, storage and disposal of records.

Objectives

A record is information, regardless of media, created, received and maintained which evidences the development of, and compliance with, regulatory requirements, business practices, legal policies, financial transactions, administrative activities, business decisions or agreed actions. It is the Company's objective to implement the necessary records management procedures and systems which assess and manage the following processes:

  • The creation and capture of records

  • Compliance with legal, regulatory and contractual requirements

  • The storage of records

  • The protection of record integrity and authenticity

  • The use of records and the information contained therein

  • The security of records

  • Access to and disposal of records

Records contain information that is a unique and invaluable resource to the Company and an important operational asset. A systematic approach to the management of our records is essential to protect and preserve the information contained in them, as well as the individuals to whom such information refers. Records are also pivotal in the documentation and evidence of all business functions and activities.

The objectives and principles in relation to Data Retention are to:

  • Ensure that the Company conducts itself in an orderly, efficient and accountable manner;

  • Support core business functions and provide evidence of compliant retention, erasure and destruction;

  • Develop and maintain an effective and adequate records management program to ensure effective archiving, review and destruction of information

  • Only retain personal information for as long as is necessary;

  • Comply with the relevant data protection regulation, legislation and any contractual obligations;

  • Ensure the safe and secure disposal of confidential data and information assets;

  • Ensure that records and documents are retained for the legal, contractual and regulatory period stated in accordance with each body's rules or terms;

  • Ensure that no document is retained for longer than is legally or contractually allowed;

  • Mitigate against risks or breaches in relation to confidential information.

Guidelines and Procedures

It is our intention to ensure that all records, and the information contained therein, are:

  • Accurate - records are always reviewed to ensure that they are a full and accurate representation of the transactions, activities or practices that they document;

  • Accessible - records are always made available and accessible when required (with additional security permissions for select staff where applicable to the document content);

  • Complete - records have the content, context and structure required to allow the reconstruction of the activities, practices and transactions that they document;

  • Compliant - records always comply with any record keeping legal and regulatory requirements;

  • Monitored - staff, company and system compliance is regularly monitored to ensure that the objectives and principles are being complied with at all times and that all legal and regulatory requirements are being adhered to.


Retention Periods and Protocols

All records retained during their specified periods are traceable and retrievable. Any file movement, use or access is tracked and logged, including inter-departmental changes. All company and employee information is retained, stored and destroyed in line with legislative and regulatory guidelines.

For all data and records obtained, used and stored within the Company, we:

  • Carry out periodical reviews of the data retained, checking purpose, continued validity, accuracy and requirement to retain

  • Establish periodical reviews of data retained

  • Establish and verify retention periods for the data, with special consideration given to the following areas:

      • the requirements of the Company

      • the type of personal data

      • the purpose of processing

      • the lawful basis for processing

      • the categories of data subjects

  • Where it is not possible to define a statutory or legal retention period, as per the GDPR requirement, the Company will identify the criteria by which the period can be determined and provide this to the data subject on request.

Designated Owners

All systems and records have designated owners throughout their lifecycle to ensure accountability and a tiered approach to data retention and destruction. Owners are assigned based on role, business area and level of access to the data required. Data and records are never reviewed, removed, accessed or destroyed without the prior authorisation and knowledge of the designated owner.

Document Classification

We carry out regular Information Audits which enable us to identify, categorise and record all personal information obtained, processed and shared by our company in our capacity as a controller and processor. This information is compiled on a central register which includes:

  • What personal data we hold

  • Where it came from

  • Who we share it with

  • Legal basis for processing it

  • What format(s) it is in

  • Who is responsible for it

  • Retention periods

  • Access level (i.e. full, partial, restricted etc.)

Our information audits and registers enable us to assign classifications to all records and data, thus ensuring that we are aware of the purpose, risks, regulations and requirements for all data types. We utilise 5 main classification types:

  1. Unclassified - information not of value and/or retained for a limited period where classification is not required or necessary

  2. Public - information that is freely obtained from the public and as such, is not classified as being personal or confidential

  3. Internal - information that is solely for internal use and does not process external information or permit external access

  4. Personal - information or a system that processes information that belongs to an individual and is classed as personal under the data protection laws

  5. Confidential - private information or systems that must be secured at the highest level and are afforded access restrictions and high user authentication

The classification is used to decide what access restriction needs to be applied and the level of protection afforded to the record or data.

Storage and Access of Records and Data

Documents are grouped together by category and then in clear date order when stored and/or archived. Documents are always retained in a secure location, with authorised personnel being the only ones to have access. Once the retention period has elapsed, the documents are either reviewed, archived or confidentially destroyed, dependent on their purpose, classification and action type.

Expiration of Retention Period

Once a record or data has reached its designated retention period date, the designated owner should refer to the retention register for the action to be taken. Not all data or records are expected to be deleted upon expiration; sometimes it is sufficient to anonymise the data in accordance with the GDPR requirements or to archive records for a further period.

Destruction and Disposal of Records and Data

All information of a confidential or sensitive nature on paper or electronic media must be securely destroyed when it is no longer required. This ensures compliance with the Data Protection laws and the duty of confidentiality we owe to our employees, clients and customers.

The Company is committed to the secure and safe disposal of any confidential waste and information assets in accordance with our contractual and legal obligations and that we do so in an ethical and compliant manner. We confirm that our approach and procedures comply with the laws and provisions made in the General Data Protection Regulation (GDPR) and that staff are trained and advised accordingly on the procedures and controls in place.


Paper Records

Due to the nature of our business, the Company retains paper-based personal information and as such has a duty to ensure that it is disposed of in a secure, confidential and compliant manner.

Employee shredding machines are made available throughout a number of offices.

Electronic and IT Records and Systems

The Company uses numerous systems, computers and technology equipment in the running of our business. From time to time, such assets must be disposed of and due to the information held on these whilst they are active, this disposal is handled in an ethical and secure manner.

The deletion of electronic records must be organised in conjunction with the technical department who will ensure the removal of all data from the medium so that it cannot be reconstructed. When records or data files are identified for disposal, their details must be provided to the designated owner and Data Protection Officer to maintain an effective and up to date register of destroyed records.

Erasure

In specific circumstances, data subjects have the right to request that their personal data is erased; however, the Company recognises that this is not an absolute 'right to be forgotten'. Data subjects only have a right to have personal data erased and to prevent processing if one of the below conditions applies:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed

  • When the individual withdraws consent

  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing

  • The personal data was unlawfully processed

  • The personal data must be erased in order to comply with a legal obligation

  • The personal data is processed in relation to the offer of information society services to a child

Where one of the above conditions applies and the Company receives a request to erase data, we first ensure that no other legal obligation or legitimate interest applies. If we are confident that the data subject has the right to have their data erased, this is carried out by the Data Protection Officer.

These measures enable us to comply with a data subject's right to erasure, whereby an individual can request the deletion or removal of personal data where there is no compelling reason for its continued processing. Whilst our standard procedures already remove data that is no longer necessary, we still follow a dedicated process for erasure requests to ensure that all rights are complied with and that no data has been retained for longer than is needed.

Where we receive a request to erase and/or remove personal information from a data subject, the below process is followed:

  1. The request is allocated to the Data Protection Officer

  2. The request is reviewed to ensure it complies with one or more of the grounds for erasure:

      • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed

      • the data subject has withdrawn consent on which the processing is based and there is no other legal ground for the processing

      • the data subject objects to the processing and there are no overriding legitimate grounds for the processing

      • the personal data has been unlawfully processed

      • the personal data must be erased for compliance with a legal obligation

      • the personal data has been collected in relation to the offer of information society services to a child

  3. If the erasure request complies with one of the above grounds, the data is erased within 30 days of the request being received

  4. The Data Protection Officer writes to the data subject and notifies them in writing that the right to erasure has been granted and provides details of the information erased and the date of erasure

  5. Where the Company has made any of the personal data public and erasure is granted, we will take every reasonable step and measure to remove public references, links and copies of the data and to contact related controllers and/or processors and inform them of the data subject's request to erase such personal data.

If, for any reason, we are unable to act in response to a request for erasure, we always provide a written explanation to the individual and inform them of their right to complain to the Supervisory Authority and to seek a judicial remedy. Grounds for refusing to erase data include:

  • Exercising the right of freedom of expression and information

  • Compliance with a legal obligation for the performance of a task carried out in the public interest

  • For reasons of public interest in the area of public health

  • For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing

  • For the establishment, exercise or defence of legal claims

Responsibilities

Heads of departments and information asset owners have overall responsibility for the management of records and data generated by their departments' activities, namely to ensure that the records created, received and controlled within the purview of their department, and the systems (electronic or otherwise) and procedures they adopt, are managed in a way which meets the aims of this policy.

The Data Protection Officer will be involved in all data retention processes, and a record of all archiving and destruction must be retained. Individual employees must ensure that the records for which they are responsible are complete and accurate records of their activities, and that they are maintained and disposed of in accordance with the Company protocols.