
Classification: Public
This document may be shared publicly outside the organisation without prior confirmation from the owner.
Version | Approved By | Owner | Date Last Updated | Review Frequency | Next Review | Comments |
Contents
Applicable Legal & Regulatory Requirements
Data Deletion in Backups and Archives
Purpose of This Document
This policy details the procedures for retaining and deleting the data collected, processed, and stored by Lara Letting.
Scope
This policy applies to;
- All data that the Lara Letting processes.
- All staff, contractors, suppliers and third parties that use or process Lara Letting data.
Applicable Legal & Regulatory Requirements
The following summarises some of the main requirements that may influence data retention. It is not possible to outline all legislative requirements, which must be assessed and understood by the Data Owners.
- General Data Protection Regulation (GDPR): As Lara Letting processes the personal data of individuals within the European Union (EU) and the UK, it needs to comply with the EU/UK GDPR legislation. The GDPR doesn’t specify exact data retention periods, but it requires that personal data be kept “no longer than is necessary for the purposes for which the personal data are processed”. This principle, known as “storage limitation”, means Lara Letting must have a justifiable reason to hold onto personal data and should periodically review what data it holds.
- UK Data Protection Act 2018: This law applies in the UK and aligns with the GDPR while adding some additional provisions and exemptions. It reiterates the same principle as GDPR about data retention: personal data processed for any purpose should not be kept longer than necessary.
- Financial Regulations: As an organisation that deals with financial data, the Lara Letting must also comply with specific financial regulations. These regulations often require organisations to retain certain financial records for specified periods.
- Employment Laws: In the UK, several laws relate to employee data retention, such as the Employment Rights Act 1996 and Limitation Act 1980. These laws require Lara Letting to retain specific employee data for up to 6 years.
- Contractual Obligations: Contracts with other entities (like partners or service providers) may have clauses that specify data retention periods or practices.
Data Retention Principles
The Principles for Responsible Investment (Lara Letting) believes in a structured and disciplined approach to data retention to ensure we meet the requirements of our operations and our obligations under applicable laws and regulations. As such, several principles must be adhered to;
- Necessity of Retention: Data retained by the Lara Letting is necessary for executing its duties and services. This includes information necessary for our daily operations, to fulfil our contractual and legal obligations, to defend potential legal claims, and for purposes of analysis and business intelligence.
- Timeframe for Retention: The retention period for personal data varies depending on the type of data and the purpose of its processing. Please refer to the table below on retention periods for different data types.
- Privacy Considerations: We are committed to upholding the privacy rights of all individuals whose data we process. Personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage. We use appropriate technical and organisational measures to achieve this level of protection.
- Legal Obligations: Notwithstanding our general principles of data retention, we may retain data where such retention is necessary for compliance with a legal obligation to which we are subject.
- Regular Review: All data held by Lara Letting will be reviewed regularly to ensure its necessity. Any data identified as no longer needed for processing purposes will be deleted.
Backups & Archives of Data
The principles for data retention apply equally to our active data and data stored within backups and archives.
However, there are practical challenges in managing data retention in backups. Backups are typically not designed to delete individual records selectively. They are usually a complete snapshot of data at a particular time. Therefore, the following approaches will be taken.
Backup Retention
Data backups are performed regularly as part of our business continuity and disaster recovery strategy. They are not intended to serve as a method for long-term data storage beyond the required retention period. To balance the operational necessity of backups and our regulatory obligations, all backups will be retained for as long as required following their creation, after which they will be securely deleted.
Archives
Archived data outside the defined retention period must be removed in compliance with this policy. Data archival procedures will be designed to support the removal of individual data records to meet data retention requirements.
Data Deletion in Backups and Archives
Data will be deleted from active systems when it reaches the end of its retention period as defined in our data retention schedule. This data will also be marked for deletion in our backup and archive systems. Due to the nature of these systems, data deletion may not occur immediately but will be completed within the backup or archive retention period.
Responsibilities
The system owners are responsible for ensuring that our backup and archive processes comply with this data retention policy. This includes overseeing the secure deletion of data from backups and archives in line with our data retention schedule.
Review
The processes for managing data within backups and archives will be reviewed at least annually to ensure continued compliance with this policy and any legal or regulatory changes.
Summary of Retention Periods
The following table outlines key types of data within the Lara Letting and their maximum retention periods. Please note that these timescales do not take precedence over any legislative, contractual or regulatory requirements.
Ref | Type of Data | Purpose of Data | Review Period | Retention Period | Comments |
1 | Employee Data | HR management, Payroll | Annually | 7 years after termination of employment | As per tax and employment laws |
2 | Customer Data | Relationship management | Biannually | As long as the business relationship is active, then 5 years | Subject to GDPR |
3 | Financial Records | Accounting, Tax | Annually | 7 years | As per tax laws |
4 | Lara Letting Academy Learners Data | Course management and delivery | Biannually | 5 years after course completion | |
5 | Customer Organisation Data | Customer relationship management | Biannually | As long as the business relationship is active, then 5 years | Subject to GDPR |
6 | General Business Records (Meeting Notes, Presentations) | Record of business operations | Biannually | 3 years | |
7 | Transaction Data | Records of financial transactions | Annually | 2 years | As stated in Lara Letting privacy policy https://www.unpri.org/privacy-policy |
Exception Handling
There may be circumstances when exceptions to this policy are necessary and appropriate. Exceptions may be required for reasons such as regulatory changes, contractual obligations, ongoing or anticipated legal proceedings, or other exceptional circumstances that require extended data retention.
All exceptions must be formally requested and documented. The request should include details of the data elements involved, a clear explanation of the reasons for the exception, and the proposed duration.
All requests for exceptions will be reviewed and approved or denied by the Data Owner. This body will ensure approved exceptions adhere to all applicable laws, regulations, and contractual obligations.
Any data held under an exception will be reviewed at the end of the exception period, when the data may be deleted, or the exception may be renewed following the same approval process.
Exceptions cannot override or supersede any legal, regulatory, or contractual obligations. If there are conflicts between the exceptions and such obligations, the latter will take precedence.
Lara Letting
259 Perth Road
Dundee
DD2 1JP
info@laraletting.co.uk
