Data Retention Within GC: It's time for a data cleanse...

  • 11/02/2025
  • Colleague Communications

GC processes and stores large amounts of data, including personal data, confidential data and non-confidential data. This data is stored in both hard copy form and cloud-based storage.

Storing data for long periods of time can impact the business in several ways, for example:

  • The cost of paper-based archive solutions.

  • The cost of cloud-based storage solutions and the legal implications of storing personal data for longer than is required. The UK GDPR states that personal data should not be held for longer than is necessary, and non-compliance can result in fines from the Information Commissioner’s Office (ICO). 

 

A new policy has been put in place that covers the retention and destruction of personal data held within the business: Personal Data Storage Limitation Policy. Please take the time to familiarise yourself with this policy, specifically if you are a Data Lead, Contract Manager, or other Data Owner.

The data we hold may have retention periods defined by the contract it relates to; however, not all data we hold is contract specific. To help identify the correct retention period for your data, a GC Group Retention and Destruction Policy is available on SharePoint. This policy has recently been updated to cover the deletion of redundant, obsolete or trivial (ROT) information, which should be periodically destroyed by each department as part of routine housekeeping. Please see the policy for examples of ROT.

If you need further information on how long your documents are required to be retained, please speak to the Contract Manager or your Data Lead.

 

What do I need to do?

All employees are required to periodically review their OneDrives, shared drives, email and hard copy files (including archive files) and delete/destroy documents that are no longer required.

Please set time aside and ensure regular reviews are conducted of all storage locations.

 

Things to think about:

  • Documents that contain personal data – CVs, client lists, contact lists, photographs – are these required, and are they saved elsewhere?

  • Email – this should not be used as storage. Documents should be saved in the appropriate folders. 

  • Email habits – get into the habit of deleting/filing emails. Delete emails which are not important, such as the arranging of meetings. Delete accept/decline/tentative responses as soon as received. Don’t copy yourself in to emails you send, as this duplicates storage. Delete any marketing emails from external sources which are not relevant to you, or report them as junk so that they are removed from your inbox and put in your junk folder.

  • OneDrive – ensure you are not retaining any documents that are no longer needed. For example, CVs from a recruitment drive will be held by HR and should not be retained by you.

  • Shared drives – is the data held here still required? Do you have multiple draft versions of a document which can now be deleted?

  • Contract specific documents – these need to be retained in line with the retention period stated in the contract. If you are unsure, please refer to the contract or check with the relevant contract manager. Ensure all documents are saved in the correct contract folders on SharePoint rather than stored in OneDrives or email.

  • Data in archive – review archive lists and destroy boxes that are no longer needed or have reached their destruction date. Ensure data held in archive is clearly labelled, has the correct destruction date and isn’t being held longer than necessary.