Policy Code: LHPOL0011
Date first issued: 16 February 2024
Date last updated: 16 February 2024
Version no: 2.0
Document owner: James Whitehouse
Date of next review: 16 February 2025

 

THIS IS AN UNCONTROLLED COPY. UNCONTROLLED COPIES ARE FOR REFERENCE ONLY AND NOT SUBJECT TO AUTOMATIC UPDATE WHEN A NEW VERSION IS RELEASED. CONTACT THE COMPLIANCE MANAGER FOR UPDATES.

Records Management and Retention Periods

 

  1. PURPOSE

Lightning Health’s business is built around providing our clients with high quality data. There are legal and regulatory requirements for us to retain some of our data, and this policy is intended to ensure our compliance with these requirements and associated timescales. We also retain data to help our business operate and to have information available when we need it. However, we do not need to retain all data indefinitely, and retaining data can expose our company to risks and costs. This policy explains our requirements to retain data and to dispose of data.

 

  2. SCOPE

This policy covers all data that Lightning Health holds or has control over. This includes physical data such as hard copy documents, contracts, and invoices. It also includes electronic data such as emails, electronic documents, data within SharePoint, the Lightning Insights platform, Scoro and HubSpot, as well as audio and video recordings. It applies to both Personal Data and Non-personal Data. This policy applies to all departments and Workers.

 

  3. DEFINITIONS & ABBREVIATIONS

EoFY: End of Financial Year

Microsoft 365: File architecture including SharePoint, OneDrive and Teams

Workers: Means the individuals who this policy is applicable to and includes the Company; employees, contractors, workers, associates, research participants, professional advisors

 

  4. RESPONSIBILITIES

All Workers

  • Must comply with this policy and Record Retention Schedule

Functional Heads

  • Identifying the data that we must or should retain, and determining, in collaboration with the other departments, the proper period of retention. Arrange for the proper storage and retrieval of data

Data Protection Officer

  • Helping department heads implement the data management programme and related best practices;
  • Planning, developing, and prescribing data disposal policies, systems, standards, and procedures; and
  • Providing guidance, training, monitoring and updating in relation to this policy

 

  5. POLICY

This policy has been developed to ensure that Lightning Health meets the following commitments:

  • We comply with legal and regulatory requirements to retain data
  • We comply with our data protection obligations, in particular, to keep Personal Data no longer than is necessary for the purposes for which it is processed (storage limitation principle)
  • We handle, store and dispose of data responsibly and securely
  • We create and retain data that we need to operate our business effectively, but we do not create or retain data without a good business reason
  • We allocate appropriate resources, roles and responsibilities to data retention
  • We regularly remind employees of their data retention responsibilities

With the above in mind, Lightning Health has reviewed its data, and documented the data we hold and the appropriate retention periods for this data in the attached schedule. Records will be retained for the periods shown in the attached schedule. All retention periods are given in whole years and are from the end of the financial year to which the records relate. Once data has exceeded its retention period it should be disposed of securely.

Data that does not require retention

We do not need to retain all information we generate as a business. Where data is not detailed within the attached schedule, is no longer of value and has no business purpose, it should be disposed of. This includes:

  • Trivial, spam and junk emails
  • Preliminary drafts of letters, memoranda, reports, worksheets, and informal notes that do not represent significant steps or decisions in the preparation of a final report or research
  • Duplicated and superseded data
  • Hard copy documents where an electronic copy exists
  • Reference material not produced by Lightning Health where a copy is available online

 

If you are not actually using a record, you should consider whether you need to retain it.

 

What to do if data is not listed in the Record Retention Schedule.

If data is not listed in the Record Retention Schedule, it is likely that it should be classed as disposable information. However, if you consider that there is an omission in the Data Retention Schedule, or if you are unsure, please contact the appropriate Functional Head or Lightning Health’s Data Protection Officer.

 

Destruction

Functional Heads are responsible for the continuing process of identifying the data that has met its required retention period and supervising its destruction. The destruction of confidential, financial, and Worker-related hard copy data must be conducted by shredding. Non-confidential data may be destroyed by recycling. The destruction of electronic data must be co-ordinated with our IT Support Partner.

 

Procedure

To ensure we retain data in line with the retention schedule below, you must tag the folders/files within Microsoft 365 with the appropriate label. The pre-set labels determine the data type and retention period.

 

It is essential that the pre-set labels are used, as they ensure that data will automatically be deleted or triggered for review depending on the assigned retention period.

 

How to assign a retention label to folders/files in the Teams app

  1. Navigate to the appropriate channel
  2. Find the folder/files you need to assign a retention label to
  3. Select the ‘three dots’ option that appears on that line item
  4. Select ‘Details’
  5. The Properties panel will appear on the right-hand side
  6. Click the ‘Apply label’ field and select the appropriate retention label in accordance with the Data Retention Schedule

 

  6. RELATED DOCUMENTS

Policies:

  • Data Protection (LHPOL0007)
  • Information Security and Acceptable Use (LHPOL0008)

 

  7. REFERENCES

 

  8. APPENDICES

Appendix 1: Data Retention Schedule

 

  9. DOCUMENT HISTORY

| Version | Effective date (superseded versions) | Summary of changes |
| --- | --- | --- |

 

 

 

Appendix 1

Data Retention Schedule

 

Finance

| Data | Location | Retention Period | Justification |
| --- | --- | --- | --- |
| Payroll, Wages, Bonus, expenses, benefits, client invoices | Payroll: Xero; Expenses: Microsoft 365 & Email; Bonus: Microsoft 365 | Xero: Indefinitely; Microsoft 365: 7 years after the financial year to which the records relate; Email: 7 years | HM Treasury guidelines, National Audit Office advice, Companies Act 2006; Section 12B of the Taxes Management Act 1970 (‘the Taxes Management Act’); Regulation 97(8) of the PAYE Regulations |
| PAYE records, HMRC correspondence | Microsoft 365 (Within restricted HR area) | 7 years after the financial year in which employment ends | HM Treasury guidelines, National Audit Office advice, Companies Act 2006, The Income Tax (Employments) Regulations 1993 (SI 1993/744) as amended |
| Supplier Contracts | Microsoft 365 (Within restricted Compliance area) | Indefinitely (Ongoing contracts are reviewed every 2 years from contract start date, unless specified) | Business need |
| Payment information to Research Participants | Microsoft 365 (Within restricted Finance area); TransferWise; OFX | Microsoft 365: 7 years after the financial year the payment was made; TransferWise: 7 years; OFX: 7 years | HM Treasury guidelines, National Audit Office advice, Companies Act 2006, Taxes Management Act 1970 |
| Bank details of Research Participants | Microsoft 365 (Within restricted Stakeholder Engagement area); TransferWise; OFX | Microsoft 365: 2 years from last payment; TransferWise: 2 years; OFX: 2 years | |
| Worker Bank Details | Microsoft 365 (Within restricted Finance area); Xero; Banking provider | Microsoft 365: 7 Years from end of contract; Xero: For the duration the Worker’s contract is still live; Banking provider: For the duration the Worker’s contract is still live | Section 5 of the Limitation Act |
| Previous Worker Bank Details | Microsoft 365 (Within restricted Finance area); Xero; Banking provider | Microsoft 365: 1 year from end of contract; Xero: 1 year; Banking provider: 1 year | |
| Worker National Insurance/National Identity numbers | Microsoft 365 (Within restricted Finance area); Email | Microsoft 365: 7 years from end of contract; Email: 7 years | Regulation 97(8) of the Income Tax (Pay As You Earn) Regulations 2003 (‘the PAYE Regulations’) |
| Pension Contributions, post termination elections, dependants and beneficiaries, changes to contributions, employer contributions/opt out records | Microsoft 365 (Within restricted Finance area); Xero – Payroll; Nest – Filing | Microsoft 365: 7 years after the financial year in which employment ends; Xero: Indefinitely; Nest: Indefinitely | Regulations 6 and 8 of the Employers’ Duties Regulations; Section 2.4 of the Employment Practices Code |
| Corporation Tax | Microsoft 365 (Within restricted Finance area) | 7 years | Schedule 18(21) of the Finance Act |
| Company Accounts | Microsoft 365 (Within restricted Finance area); Xero | Microsoft 365: 7 years; Xero: Indefinitely | 1) Section 388(4)(a) of the Companies Act; 2) Companies House Guidance |
| Shareholdings | Saul Fairholm | Indefinite | |
| Audit Records | Microsoft 365 | 7 Years | 1) Section 388(4)(a) of the Companies Act; 2) Section 388(4)(b) of the Companies Act; 3) Companies House Guidance |
| Articles of Association | Microsoft 365 | Indefinitely | Sections 7 and 18 of the Companies Act 2006 (‘the Companies Act’) |
| Minutes, Agenda and Resolutions of Shareholder Meetings | Microsoft 365 | Indefinitely | Sections 355 and 358 of the Companies Act |
| Minutes, Agenda and Resolutions of Directors meetings | Microsoft 365 | Indefinitely | Section 248 of the Companies Act |

 

HR

| Data | Location | Retention Period | Justification |
| --- | --- | --- | --- |
| Recruitment – Right to work/Immigration checks/Visa and Sponsorship data | Microsoft 365 (Within restricted HR area); Email; Westkin; UK Visas and Immigration (online SMS portal) | Microsoft 365: 2 years after employee leaves for right to work data for employees. 1 year after expiry date for Company Sponsorship License data; Email: 7 years; Westkin: 1 year; UK Visas and Immigration: Various (see UK Government Retention periods for visa case files) | Section 6(b) of the Immigration (Restrictions on Employment) Order 2007 (‘the Immigration Order’); The HM Revenue and Customs (‘HMRC’) Right to Work Guidance (‘the HMRC Right to Work Guidance’); Section 5 of the Limitation Act |
| Recruitment: Successful Applications – CV, Cover Letter, interview notes, references, right to work documentation | Citrus; Microsoft 365 (Human Resources – Individuals named personnel file) – documentation, applications | Citrus: 6 years; Microsoft 365: 6 years from end of employment contract | Section 5 of the Limitation Act 1980 (‘the Limitation Act’); Page 16 of the Supplementary Guidance |
| Recruitment – Unsuccessful Applications | Microsoft 365; LinkedIn | 6 months | Article 5(1)(e) UK GDPR; Sections 118 and 123 of the Equality Act 2010 (‘the Equality Act’) |
| HR – Employee Contracts, contract variations | Microsoft 365; Citrus HR | 6 years from end of employment contract | Section 5 of the Limitation Act |
| HR – Employee core record (address, contact details, etc.) | Citrus HR | 6 years from end of employment contract | Article 5(1)(e) UK GDPR; Sections 2.1.3 and 2.1.4 of the Employment Practices Code |
| HR – Performance Management | Citrus HR | 6 years from end of employment contract | Section 5 of the Limitation Act |
| HR – Emergency contact details | Citrus HR | 6 years from end of employment contract | Article 5(1)(e) UK GDPR; Sections 2.1.3 and 2.1.4 of the Employment Practices Code |
| HR – Employee absence data, annual leave | Citrus HR | 6 years from end of employment contract | Section 9(b) of the Working Time Regulations 1998 (‘the Working Time Regulation’); Section 5 of the Limitation Act |
| HR – Employee Attendance Management Data, FIT/Doctors notes, Medical Reports, records of reasonable adjustments | Citrus HR | 40 years for employees exposed to lead, substances hazardous to health, or asbestos; 6 years from end of employment contract for all other data | 1) Section 10(5) of the Control of Lead at Work Regulations 2002 (‘the Lead Regulation’); 2) Section 11(3) of the Control of Substances Hazardous to Health Regulations 2002 (‘the COSHH Regulations’); 3) Section 22(1)(b) of the Control of Asbestos Regulations 2012 (‘the Asbestos Regulations’); 4) Section 24(2)(c) of the Ionising Radiations Regulations 2017 (‘the 2017 Ionising Regulations’); 5) Section 5 of the Limitation Act 1980; Section 4.3.5 of the Employment Practices Code |
| HR – Employees grievance, disciplinary data | Microsoft 365 | 6 years from end of employment contract | Section 5 of the Limitation Act; Page 36 of the Supplementary Guidance |

 

Marketing & Business Development

| Data | Location | Retention Period | Justification |
| --- | --- | --- | --- |
| Prospect data | HubSpot | 6 years | Section 5 of the Limitation Act |
| Marketing materials | Microsoft 365 | Indefinite | Business Need |
| Quotations & Proposals | Microsoft 365; Scoro | Microsoft 365: 7 Years from end of contract where Prospect becomes a Client; Scoro: 7 years | Section 5 of the Limitation Act |
| Corporate LinkedIn newsfeed | LinkedIn | 12 months | LinkedIn Retention period |

 

Research Participant

| Data | Location | Retention Period | Justification |
| --- | --- | --- | --- |
| Payer & Clinician Records, such as name, email, address, biography, job titles, CV – Excel; name, email, tag – payer clinician therapy area – Monday | Monday; Microsoft Excel; OFX | Monday: 7 years from date last payment made to the Payer, clinician/they last participated in research/last contact; Microsoft Excel: 7 years; OFX: 2 years | Section 5 of the Limitation Act |
| Payer & Clinician project specific Screener & meeting invite | Outlook | 7 years | Section 5 of the Limitation Act |
| Payer & Clinician Non-Disclosure Agreement/Confidentiality Agreement | Microsoft 365; Docusign | Microsoft 365: 7 years from date last payment made to the Payer, clinician/they last participated in research; Docusign: 7 years | Section 5 of the Limitation Act |
| Respondent Background form – career information, biography | Microsoft 365 | 7 years from date last payment made to the Payer, clinician/they last participated in research | Section 5 of the Limitation Act |
| Potential Payer & Clinician Outreach (who do not ever participate in research) | Outlook; Monday | Outlook: 7 years; Monday: 7 years from date last payment | Section 5 of the Limitation Act |
| Payer & Clinician data on Lightning Insights platform – name, emails, organisation, job role and biography, experience | Lightning Insights platform | 7 years from date they last participated in research survey in Insights | Section 5 of the Limitation Act |
| Payer, Clinician & Patient Advocate questionnaires responses on Lightning Insights platform | Lightning Insights platform | 7 years from date they last participated in research survey in Insights | Section 5 of the Limitation Act |

 

 

Client Operations/Audit and Compliance

| Data | Location | Retention Period | Justification |
| --- | --- | --- | --- |
| Core Client Record | Scoro | 7 years from end of contract | Section 5 of the Limitation Act |
| Client complaints | Microsoft 365 | 7 years from end of contract | Section 5 of the Limitation Act |
| Client call records | HubSpot | 7 years from end of contract | Section 5 of the Limitation Act |
| Client contracts | Microsoft 365 | Indefinitely | Section 5 of the Limitation Act |
| Data Subject Request Records | Microsoft 365 | 6 Years from closure of request | Section 5 of the Limitation Act |

 

Consultancy

| Data | Location | Retention Period | Justification |
| --- | --- | --- | --- |
| Recording of Research participants Interviews | Microsoft 365 | 120 days | UK GDPR & DPA 2018 |
| Signed Client SOW/contract | Microsoft 365 | Indefinitely | |
| Client Proposal and Costings – containing RFP, proposal, signed SOW/contract, project win sheet | Microsoft 365 | 7 years after the financial year in which client contract ends, or, if the client contract requires different retention period | HM Treasury guidelines, National Audit Office advice, Companies Act 2006, Taxes Management Act 1970 |
| Meeting records, minutes action points and agendas of client meetings | Microsoft 365 | 7 years after the financial year in which client contract ends, or as stipulated in the client contract | Section 5 of the Limitation Act |
| Personal Data Folder – Research Interview/Advisory Board Recordings & transcripts with identifiable data | Microsoft 365 | 7 years | Section 5 of the Limitation Act |
| Secondary Research Folder | Microsoft 365 | 7 years after the financial year in which client contract ends, or as stipulated in the client contract | Section 5 of the Limitation Act |
| Primary Research Folder – anonymised transcripts, Excel write up file; Interview discussion guide & background document | Microsoft 365 | 7 years after the financial year in which client contract ends, or as stipulated in the client contract, whichever is longer | Section 5 of the Limitation Act |
| Workshop/Advisory Board Folder – Research Findings PowerPoint, anonymised transcripts; Payer contracts; Draft final reports | Microsoft 365 | 7 years after the financial year in which client contract ends, or as stipulated in the client contract | Section 5 of the Limitation Act |
| Reporting Folder – Final report | Microsoft 365 | Indefinite | Corporate memory |
| Quality & Compliance Folder – AE Reporting, Quality, Compliance & Audit checks | Microsoft 365 | 7 years after the financial year in which client contract ends, or as stipulated in the client contract, whichever is longer | Section 5 of the Limitation Act |