Data Retention Policy

Guidelines

The Institute is committed to the following guidelines, and staff and trustees are required to follow them:

  • All data and records will be stored in accordance with the security requirements of the Data Protection Legislation and in the most convenient and appropriate location having regard to the period of retention required and the frequency with which access will be made to the record.
  • Data and records which are active should be stored in the most appropriate place for their purpose commensurate with security requirements.
  • Data and records which are no longer active, due to their age or subject, should be stored in the most appropriate place for their purpose or destroyed.
  • The degree of security required for file storage will reflect the sensitivity and confidential nature of any material recorded.
  • Any data file or record which contains personal data of any form can be considered as confidential in nature.
  • Data and records should not be kept for longer than is necessary. This principle finds statutory form in the Data Protection Legislation, which requires that personal data processed for any purpose “shall not be kept for longer than is necessary for that purpose”.
  • The personal data retained by the Institute is reviewed on an annual basis in order to ensure compliance with the terms of this policy. Data which is no longer required must be disposed of securely, using specialist companies to do this work for us if necessary. Special care must be given to disposing of data stored in electronic media.
  • When updating, rectifying, erasing, deleting or destroying personal data we will ensure that data held in all locations (including back-up storage) and in all forms is dealt with appropriately and a consistent and accurate record of personal data is maintained.

In assessing how long to keep data, the Institute takes into account its need to meet any legal and regulatory obligations, and the legitimate interests of the Institute. These reasons vary from one piece of information to another.

Supporters and donors

Our relationship with our supporters and donors is generally long term, so we keep their personal information for as long as we need it to maintain that relationship or it is otherwise necessary.

If a supporter unsubscribes from our emails or informs us that they no longer wish to receive our paper mailings they are removed from the mailing list. A list of unsubscribed email addresses may be kept to ensure that we do not send emails to those who no longer wish to receive them.

Subject to the previous paragraph, if no financial relationship exists with a supporter, their records will be anonymised one year after leaving our postal or email lists. This gives room for correcting mistakes e.g. moving house. However, records will be immediately anonymised if the person requests it. If a financial relationship exists with a supporter, records will be anonymised after eight years of leaving our mailing list, in case of a query for tax purposes.

We keep information relating to donations and gift aid for seven years (irrespective of whether the donor is signed up to our mailings) as we have a legal obligation to provide information to HMRC on Gift Aided donations.

Occasionally, we instigate the removal of a person from our mailing list, for example because the person has been persistently unreasonable in their communications with Institute staff. If this happens, we keep a record of the action we have taken to enable us better to protect our staff in the future.

Legal work

For professional reasons, records relating to advice given by us are retained for seven years before being destroyed. But when we do destroy those records, we keep a record of the name of the contact and a brief summary of the nature of the enquiry. This helps inform any future actions should the person contact us again. It may also inform statistical analysis of our work.

If a case is adopted by the Legal Defence Fund for funding and is public, we keep key records and documents beyond seven years to inform any future public comment we may make about the case. However, we take steps wherever possible to “thin” the file to remove non-essential personal information.

If no advice was offered in response to an enquiry for help, we keep a record of the enquiry and the reason for it not being taken further. If any documents were provided by the enquirer to inform our decision making, once the enquiry is closed we do not keep material beyond what is necessary to support our reasons. Any retained records are kept for seven years.

Before files are destroyed, they are reviewed and checked to ensure that any documents which should be sent to the client are removed and returned.

Job applicants

If a person has applied to work for us, their personal data will only be used for the purposes of recruitment and processing their application. Applicant information is kept for six months after completion of the recruitment process.

Other parties

Paper records of correspondence and other interactions with those who contact us are kept for seven years and then securely destroyed.

We may retain an electronic record of past contact with those who are not (current) supporters. This helps us to understand how and why people have contacted us and informs future planning. Where practicable, we anonymise that data so it does not disclose any personally identifiable information.

Data subject rights

Where a data subject exercises their right to object to us processing their data where we do so on the basis of legitimate interest, we will take all reasonable steps to destroy references to the data subject which we hold (unless we can demonstrate compelling legitimate grounds for processing which override the interest, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims).

 

“Data Protection Legislation” or “Legislation” means the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (EC Directive) Regulations 2003 (SI 2426/2003 as amended), Data Use and Access Act 2025, the General Data Protection Regulation (GDPR), any laws in the UK enacting the GDPR or preserving its effect in whole or part following the departure of the UK from the European Union and all applicable laws and regulations, including any replacement UK data protection legislation relating to the Processing of Personal Data.