Data Security and Privacy – Data Retention Policy

Policy
Data Retention

As a general principle, Care Resolution Ltd will not keep (or otherwise process) any personal data for longer than is necessary. If Care Resolution Ltd no longer requires the personal data once it has finished using it for the purposes for which it was obtained, it will delete the personal data.

Care Resolution Ltd may have legitimate business reasons to retain the personal data for a longer period. This may include, for example, retaining personnel records in case a claim arises relating to personal injury caused by Care Resolution Ltd that does not become apparent until a future date. Care Resolution Ltd should consider the likelihood of this arising when it determines its retention periods – the extent to which medical treatment is provided by Care Resolution Ltd will, for example, affect the likelihood of Care Resolution Ltd needing to rely on records at a later date.

Care Resolution Ltd may be required to retain personal data for a specified period of time to comply with legal or statutory requirements. These may include, for example, requirements imposed by HMRC in respect of financial documents, or guidance issued by the Home Office in respect of the retention of right to work documentation (see “Underpinning Knowledge” section).
Care Resolution Ltd understands that claims may be made under a contract for 6 years from the date of termination of the contract, and that claims may be made under a deed for a period of 12 years from the date of termination of the deed. Care Resolution Ltd may therefore consider keeping contracts and deeds and documents and correspondence relevant to those contracts and deeds for the duration of the contract or deed plus 6 and 12 years respectively.

Care Resolution Ltd will consider how long it needs to retain HR records. Care Resolution Ltd may choose to separate its HR records into different categories of personal data (for example, health and medical information, holiday and absence records, next of kin information, emergency contact details, financial information) and specify different retention periods for each category of personal data. Care Resolution Ltd recognises that determining separate retention periods for each element of personal data may be more likely to comply with GDPR.

Care Resolution Ltd may decide, however, that separating its HR records into different elements is not practical, and that it can determine a sensible period of time for which to keep the HR records in their entirety. The period of time that is appropriate may depend on the likelihood of a claim arising in respect of that employee in the future. If, for example, Care Resolution Ltd is concerned that an employee may suffer personal injury as a result of its employment with Care Resolution Ltd, Care Resolution Ltd may choose to retain its HR records for a significant period of time. If any such claim is unlikely, Care Resolution Ltd may choose to retain its files for 6 or 12 years (depending on whether the arrangement entered into between Care Resolution Ltd and the employee is a contract or a deed).

Care Resolution Ltd will consider for how long it is required to keep records relating to Service Users. In doing so, Care Resolution Ltd will consider the data retention guidelines provided by the NHS, if applicable. Those guidelines can be accessed by using the link in the “Underpinning Knowledge” section.
If the NHS guidelines don’t apply to Care Resolution Ltd, Care Resolution Ltd will determine an appropriate retention policy for Service User personal data. Care Resolution Ltd may choose to retain personal data for at least 6 years from the end of the provision of services to the Service User, in case a claim arises in respect of the services provided.

Irrespective of the retention periods chosen by Care Resolution Ltd, Care Resolution Ltd will ensure that all personal data is kept properly secure and protected for the period in which it is held by Care Resolution Ltd. This applies in particular to special categories of data.

Care Resolution Ltd will record all decisions taken in respect of the retention of personal data. Care Resolution Ltd recognises that if the ICO investigates Care Resolution Ltd’s policies and procedures, a written record of the logic and reasoning behind the retention periods adopted by Care Resolution Ltd will assist Care Resolution Ltd’s position.

Care Resolution Ltd will implement processes for effectively destroying and/or deleting personal data at the end of the relevant retention period. Care Resolution Ltd will consider whether personal data stored on computers, including in emails, is automatically backed up and how to achieve deletion of those backups or ensure that the archived personal data is automatically deleted after a certain period of time. Care Resolution Ltd will consider circulating guidance internally to encourage staff to regularly delete their emails.

Care Resolution Ltd will introduce policies relating to the destruction of hard copies of documents, including by placing the documents in confidential waste bins or shredding them.