11 October 2013
Businesses today hold a wide array of records which they should ensure they retain in accordance with best practice and applicable legislation. Although this may be a significant administrative burden, it is not something which businesses can choose to ignore and putting appropriate measures in place will greatly assist in the long run.
Businesses should be mindful of their responsibilities not just in relation to their employees but in relation to the documents they hold on behalf of themselves and of others. Examples of where businesses should consider reviewing their processes are set out below.
Employee records: The ICO has published guidance on the issues an employer should take into consideration when deciding what information it should retain on its employees and for how long.
· Take into account professional guidelines and perform a risk analysis
· Appoint a member of staff to be responsible for retaining employment records
· Ensure that information is not kept beyond the standard retention time
· Consider establishing an online system which will flag information which is due for deletion
When reviewing record retention policies, employers should also be mindful of their data protection obligations, particularly the fifth principle of the Data Protection Act 1998, which provides that data should not be kept for longer than is necessary for the purpose for which it was collected. Although no time limits are provided under the legislation, the ICO considers it good practice to regularly review the personal data which is held and to delete data which is no longer required.
Company Secretarial Documents: The Companies Act 2006 mandates certain time limits for the retention of company documents. Board minutes, for example, must be retained for at least ten years, as is the case with members’ resolutions, whereas directors’ service contracts need only be maintained for one year after termination. The legislation also obliges companies to maintain adequate accounting records which are sufficient to show the company’s transactions. While under the Companies Act 2006 private companies must maintain their accounting records for three years, and public companies must maintain their accounting records for at least six years, businesses should be aware that these are minimum periods only. HMRC specifies, for example, that for Corporation Tax purposes adequate accounts must be kept for at least six years from the end of the Corporation Tax accounting period (which, in certain circumstances, needs to be extended).
Internal Correspondence: Businesses should ensure they have appropriate document retention and destruction policies in place in the event of claims being brought against them. In relation to potential litigation claims, businesses should regularly remind employees to write in a style which does not harm the company’s reputation. Safety issues, for example, which were highlighted and subsequently ignored can be brought to light during a discovery exercise, and emails in particular can never be entirely deleted. Businesses should ensure that they have systems in place for indexing, storing and retrieving data and, more importantly, that all documents are retained or destroyed in accordance with that policy to avoid any claims of wrongdoing. When reviewing or drafting their policies on record retention, businesses should also be aware of the provisions of the Limitations (Northern Ireland) Order 1989, which stipulates the time limits within which claims can be brought. Businesses could be putting themselves at risk if documentation has been destroyed prior to the expiry of the relevant limitation period.