DATA RETENTION POLICY
Introduction
This is the Data Retention Policy of HeadBox Solutions. HeadBox is a registered company in England and Wales, company number 09410663. The registered address of HeadBox is 168 Shoreditch High Street, London, United Kingdom, E1 6RA.
The purpose of this policy is to specify HeadBox’s guidelines and policies on which types of data are retained and for how long.
Important definitions
‘We’ means HeadBox Solutions Limited
‘ICO’ is the Information Commissioner’s Office, the body responsible for enforcing data protection legislation within the UK and the regulatory authority for the purposes of the GDPR
‘Personal data’ means any information about an identified or identifiable person. Some categories of personal data are recognised as being particularly sensitive (“special category data”).
‘Processing’ means all aspects of handling personal data, for example collecting, recording, keeping, storing, sharing, archiving, deleting and destroying it.
‘Data Controller’ means anyone (a person, people, public authority, agency or any other body) which, on its own or with others, decides the purposes and methods of processing personal data. We are a data controller insofar as we process personal data in the ways described in this policy.
‘Data processor’ means anyone who processes personal data under the data controller’s instructions, for example a service provider. We act as a data processor in certain circumstances.
‘Subject Access Request’ is a request for personal data that an organisation may hold about an individual. This request can be extended to include the deletion, rectification and restriction of processing.
Legislation and guidance
This policy meets the requirements of the UK General Data Protection Regulations (UK GDPR) and the provisions of the Data Protection Act 2018 (DPA 2018). It is based on guidance published by the Information Commissioner’s Office (ICO) on storage limitation.
This policy upholds the requirement that personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. As part of this requirement HeadBox:
Scope
This policy covers all data in the possession or control of HeadBox, regardless of the medium in or on which those data are held. Where statute or regulation departs from the requirements of this policy, HeadBox will comply with the relevant statute or regulation. This policy may be updated from time to time.
The UK GDPR and Data Protection Act 2018 do not specify time limits for different types of data and allow organisations to set appropriate retention periods based on the purposes for processing. The tables in the Data retention schedule below are intended to establish standard retention periods for different categories of personal data. There may be cause for discretion where, for example, early deletion is possible as the data is no longer needed, or it is deemed necessary to keep the data for longer due to a risk of litigation or a request from an outside body.
Lawful basis for processing
Where personal data is processed using the lawful basis of legitimate interest or consent, the data subject has a number of rights that they can exercise over this data, such as deletion or rectification. Communications with these data subjects will need to clearly signpost their ability to withdraw this consent or challenge the legitimate interest that has been assessed; this is commonly known as ‘opt out’. Where appropriate, the data subject should be informed every 2 years of the consent or legitimate interest being used to process their data, with an option to update this preference. A formal retention period for data processing based on consent has not been defined in this policy and is assumed to be permanent until the data subject exercises their rights to cease the processing activity.
Disposal of records
Where data is no longer needed, it will be anonymised or securely destroyed. This applies to paper records, electronic information and biometric information. For example, we will shred or incinerate paper-based records, and overwrite or delete electronic files. We may also use a third party to safely dispose of records on HeadBox’s behalf. If we do so, we will require the third party to provide sufficient guarantees that it complies with data protection law.
Data retention schedule
Retention periods are established for the following categories of data subject held within HeadBox:
Bookers
Venues
Corporate clients
Employees (past, present and future)
The retention period is applicable at the point where the relationship has finished, for example where a customer’s service has been provided.
Bookers’ data
Data Process | Data Type | Retention | Justification
Relationship Management | Personal data | 5 Years after last booking | Required for enquiries on purchases
Payments and credit processing | Transaction data | 6 Years after the end of the tax year for that purchase (7 years) | HMRC Tax Audit
Prospect customers – enquiries | Personal data | 3 years post last interaction with individual | To maintain a record of them and their interactions with HeadBox to answer any queries or concerns
Premises visitors, including staff | Personal data | 2 months post last entry | To retain access logs for health and safety and crime prevention
Venues’ data
Data Process | Data Type | Retention | Justification
Relationship Management | Personal data | 5 Years after last booking | Required for enquiries on purchases
Payments and credit processing | Transaction data | 6 Years after the end of the tax year for that purchase (7 years) | HMRC Tax Audit
Prospect customers – enquiries | Personal data | 3 years post last interaction with individual | To maintain a record of them and their interactions with HeadBox to answer any queries or concerns
Premises visitors, including staff | Personal data | 2 months post last entry | To retain access logs for health and safety and crime prevention
Corporate clients
Data Process | Data Type | Retention | Justification
Relationship Management | Personal data | 5 Years after last booking | Required for enquiries on purchases
Payments and credit processing | Transaction data | 6 Years after the end of the tax year for that purchase (7 years) | HMRC Tax Audit
Prospect customers – enquiries | Personal data | 3 years post last interaction with individual | To maintain a record of them and their interactions with HeadBox to answer any queries or concerns
Premises visitors, including staff | Personal data | 2 months post last entry | To retain access logs for health and safety and crime prevention
Employees (past, present and future)
Data Process | Data Type | Retention | Justification
Income tax and NI records | Personal data | 3 years from the end of financial year to which they relate | The Income Tax (Employments) Regulations 1993 (SI 1993/744) as amended, for example by The Income Tax (Employments) (Amendment No. 6) Regulations 1996 (SI 1996/2631)
Payroll wage/salary records (also overtime, bonuses, expenses) | Personal data | 6 years from the end of the tax year to which they relate | Taxes Management Act 1970
Retirement Benefits Schemes – records of notifiable events, for example, relating to incapacity | Personal data | 6 years from the end of the scheme year in which the event took place | The Retirement Benefits Schemes (Information Powers) Regulations 1995 (SI 1995/3103)
Personnel records, including working time, maternity records and training records | Personal and Sensitive data (special category) | 6 years after the employee has left | To defend against tribunals or county or high court claim
Recruitment records | Personal data | 6 months after the candidate has not been successful | To defend against tribunals or county or high court claim
Emails and personal data volumes | Personal and Sensitive data (special category) | 6 months after the employee has left | To answer queries that are contained in these data sources
Failure to comply
Incompetence, misconduct and/or performance issues will be addressed through standard HR policies.