Effective file keeping and data management are vital in providing a legally compliant and reputable service.
Data Protection Act 1998
To comply with the principles of the Data Protection Act 1998, records containing personal data must be:
- Disposed of appropriately to ensure that copyrights are not breached and to prevent them falling into the hands of unauthorised personnel.
- Retained for only as long as necessary.
- Retrievable and easily traced.
- Stored appropriately having regard to the sensitivity and confidentiality of the material recorded.
This policy applies equally to paper, electronic media and any other method used to store personal data. The period of retention only commences when the record is closed.
All data and records are stored securely to avoid misuse or loss. All data records are stored in the most convenient and appropriate location having regard to the period of retention required and the frequency with which access will be made to the record. The degree of security required for file storage reflects the sensitivity and confidential nature of the material recorded. Any data file or record which contains personal data of any form is considered confidential in nature. Examples of appropriate storage include password protecting electronic documents and locking paper documents in a secure cupboard or drawer.
Data and records are not be kept for longer than necessary. The Data Protection Act requires that personal data processed for any purpose “shall not be kept for longer than necessary for that purpose”. We regard five years as the maximum period of retention, though a shorter period is sometimes appropriate. No data file or record should be retained for more than 5 years after it is closed unless a good reason can be demonstrated. Reasons for longer retention may include:
- If there is a threat of litigation, records likely to be affected should not be amended or disposed of until the threat has been removed.
- Records are maintained for the purpose of retrospective comparison (e.g. finance).
- Records contain information relevant to legal action which has been started or is in contemplation.
- Records relate to individuals or providers of services who are judged unsatisfactory. The individuals may include employees or volunteers who have been the subject of serious disciplinary action.
- Records should be archived for historical or research.
- Statute requires retention for a longer period.
Destruction and Disposal
All information of a confidential or sensitive nature is securely destroyed when no longer required. The procedure for the destruction of confidential or sensitive records is as follows:
- Electronic files are deleted in such a way that they cannot be retrieved by simply undoing the last action or restoring the item from the Recycle Bin. Destruction of backup copies is also be dealt with.
- Media and equipment is physically destroyed prior to disposal.
- Paper should is shredded if the content is sensitive.