Data Retention Policy

Scope: 

All Space 2B You records are subject to the retention requirements of this policy. The scope of this policy includes any and all Space 2B You information assets and extends to information assets owned by a third party which Space 2B You supports. 

Responsibilities: 

All staff employed by Space 2B You have specific compliance responsibilities; responsibilities for the handling of data are covered as part of Information Governance training during the Space 2B You induction process. 

Responsibility for ensuring that audits of data, software and systems occur in line with the Space 2B You Audit schedule is that of the Chief Information Security Officer. Audits are pre-planned as part of the quarterly Business Management System Committee meeting. 

The Board of Directors is responsible for retention of records. 

Legal, Statutory, and other requirements: 

The Board of Directors retains a list of applicable statutory and regulatory requirements relevant to the company’s information systems. Annually, the Board of Directors reviews this list, updates it as appropriate and ensures that any activities undertaken do not contravene any of the prevailing regulations and statutes. 

Appropriate staff training and awareness are provided as necessary, as described above. The supporting training materials are available through the Space 2B You Knowledge Centre, and the results of questionnaires undertaken as part of this process are stored in PeopleHR against employee records. 

Space 2B You will protect its own and other parties' Intellectual Property through control over access to information and the proper licensing of information and software. 

Space 2B You ensures that it has licences for all proprietary software that is installed on Space 2B You information assets and maintains and monitors a software license register. 

Space 2B You trains Employees/Staff to recognise and deal appropriately with IPR, and monitors compliance. 

Copyright: 

Copying (including duplicating and any other variant of the copying concept) of anything (whether document, digital asset, software, or anything else) other than in line with UK copyright law is explicitly forbidden. 

Software and other third party copyrighted items may only be obtained through legitimate suppliers, and only on the basis that the software or copyright license terms will be complied with, including as to numbers of users/basis of sale, etc. Space 2B You will maintain a software and copyright asset register together with copies of software licenses, etc. From time to time, internal audits will be carried out to ensure no unlicensed software has been installed and that the maximum number of user licences has not been exceeded.  

Space 2B You copyright ownership of documents (including drawings, charts, etc., owned or originated by Space 2B You, or contributed to or originated by third parties under contract to Space 2B You, including contractors, teleworkers and Employees/Staff during their employment) should be established through contracts. 

Space 2B You copyright ownership of software (including code, code contributions, applications, etc., owned or originated by Space 2B You, or contributed to or originated by third parties under contract to Space 2B You, including contractors, teleworkers and staff during their employment) should be established through contracts. 

Space 2B You will ensure that it complies with all legal requirements relating to Copyrights. 

Any use of unlicensed and improperly obtained software or unauthorised use of proprietary information whether belonging to Space 2B You or a third-party is strictly prohibited and will be treated as a serious disciplinary breach. 

Trademarks: 

Management will identify where it is appropriate for Space 2B You to register trademarks. 

All trademarks, whether or not registered, are listed and these will be managed by the Board of Directors. 

The Board of Directors will take appropriate action, including legal action where necessary, to protect its trademarks from infringement. 

Data Protection and Privacy: 

Space 2B You is committed to compliance with all national and, where appropriate, international laws relating to the protection of personal data and individual privacy.  

The Senior Risk Information Officer (SIRO) is Space 2B You’s Data Protection Officer. Personal data is classified as Restricted and is available only to those who need to deal with it. 

The policy applies to all personal data held by Space 2B You, including on wireless notebook computers, mobile telephones, etc. 

All staff will be provided with training to ensure that they understand Space 2B You’s policy and the procedures it has put into place to implement that policy. 

The disciplinary process will be invoked in circumstances where this policy may have been transgressed. 

All staff should be aware of the core principles of the General Data Protection Regulation (GDPR). 

GDPR: 

 The GDPR includes the following rights for individuals: 

  • the right to be informed. 

  • the right of access. 

  • the right to rectification. 

  • the right to erasure. 

  • the right to restrict processing. 

  • the right to data portability. 

  • the right to object. 

  • the right not to be subject to automated decision-making including profiling. 

 Record Retention: 

 The required retention periods, by record type, are below: 

Record Type                             Retention Period   Responsible 

HR records                              6 years            Directors 

Finance data                            6 years            Directors 

Client data (patients)                  8 years            Directors 

Incident reports                        3 years            Directors 

Property lease documents                2 years            Directors 

Third party contracts and agreements    6 years            Directors 

Tax records                             6 years            Directors 

Internal audit records                  3 years            Directors 

BMS meeting records                     3 years            Directors 

The Manager/Executive (generic/line) is responsible for destroying data once it has reached the end of the retention period. Destruction must be completed within 90 days of the end of the planned retention period. 

Space 2B You uses audit tools for system audits and the Chief Technical Officer (CTO) is responsible for protection of information system audit tools. 

Overseas Data Transfers: 

Person identifiable information must not be transferred outside of the UK unless appropriate assessment of risk has been undertaken and mitigating controls put in place. 

Space 2B You should review its flows of person identifiable information to understand whether information transferred to external organisations flows outside of the UK. 

Information about overseas transfers of information must be included within the organisation’s Data Protection notification to the Information Commissioner. 

Decisions on whether to transfer person identifiable information must only be taken by a senior manager who has been authorised to take that decision. 

Space 2B You will need to obtain an assurance statement from third parties that process the personal data of their service users or staff overseas. This assurance may be within the contract between the two organisations or within other terms of processing. 

The Caldicott Principles: 

The Principles were devised by the Caldicott Committee following a review of patient-identifiable information in 1997 and were revised in 2013. They represent best practice for using and sharing identifiable personal information and should be applied whenever a transfer of personal information is being considered. 

Principle 1 - Justify the purpose(s) 

Principle 2 - Don’t use personal confidential data unless it is absolutely necessary. 

Principle 3 - Use the minimum necessary personal confidential data. 

Principle 4 - Access to personal confidential data should be on a strict need-to-know basis. 

Principle 5 - Everyone with access to personal confidential data should be aware of their responsibilities. 

Principle 6 - Comply with the law. 

Principle 7 - The duty to share information can be as important as the duty to protect patient confidentiality. 

 Internal Data Destruction: 

 When no longer needed, Space 2B You media shall be disposed of securely, with the stored data securely erased by the following means: 

  • All information is stored in the cloud and not on laptops or hard drives. Information stored on Crypto Sticks should be reformatted once the expiry dates for the information held on the drive have passed. 

  • HR Records stored on PeopleHR should be audited annually and any records 6 years or older should be removed from the system in line with the retention period detailed earlier in this document. 

  • Internal documentation stored on Microsoft OneDrive can be removed after the retention period detailed earlier in this document. 

Client data destruction on Power Diary: 

Records which have reached their expiry date will be deleted from the database directly by a member of the Development Team. 

Audit and destruction of client records stored in the Power Diary and Formsite database are the responsibility of the Directors. 

Servers which are no longer required should be fully decommissioned in line with NIST 800-88 guidelines for Media Sanitisation. This would generally be done by the hosting provider; however, it is Space 2B You’s responsibility to ensure that these guidelines are met. 

Contact Details:   

If staff members have any concerns, please contact Space 2B You directors Marie-Anne McKee and Alison Joyce.   

 Telephone:   

020 3048 3331 (ext. 301)   

  Email:   

barbara.johnston@space2byou.co.uk   

alison.joyce@space2byou.co.uk   

marie-anne.mckee@space2byou.co.uk   

admin@space2byou.co.uk