DATA RETENTION POLICY
THE CONGREGATION OF STORNOWAY
OF THE FREE CHURCH OF SCOTLAND
IN THE PRESBYTERY OF THE WESTERN ISLES
Introduction
This Data Retention Policy outlines how long various categories of personal data are retained by the congregation. It should be read in conjunction with our Data Protection Policy and our Privacy Notice, copies of both of which are available on the church noticeboard and/or by asking for a copy to be sent to you from our Youth & Admin Assistant.
Congregations process various types of personal information, also called personal data. Personal data is any information, whether held in hard copy or electronic form, relating to an individual who can be identified, directly or indirectly, from that data. Processing is anything that is done with that information – it includes the collecting, editing, storing/holding/retaining, disclosing/sharing, viewing, recording, listening, erasing/deleting etc. of personal information.
Examples of the types of personal information processed by congregations are set out in the Schedule to this policy and include, but are not limited to, membership lists; baptismal records; information relating to employees and volunteers; financial records, including in relation to payroll and Gift Aid administration; information relating to counselling and pastoral care; information regarding individuals attending churches and participating in church events and activities, including children and young people; and information relating to the management of properties, including sales, purchases and leases.
Personal information may be retained by congregations in various ways and places – these include, but are not limited to, minutes of meetings of the Kirk Session or Deacons’ Court/Finance Committee; employment contracts; congregational register of individuals working with children and/or protected adults; registration and/or consent forms for church activities; congregational newsletters; and letters and email correspondence.
In certain circumstances it will be necessary and appropriate to retain personal information, either in hard copy or electronic form, depending on the purposes for holding the information. However, it is not appropriate or practical for congregations to retain all records indefinitely. Records should only be retained in accordance with data protection principles, which require that personal information is limited to what is relevant and necessary, is accurate, and is kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which it was obtained. Ensuring that personal information is erased or anonymised when no longer required will reduce the risk of it becoming irrelevant, excessive, inaccurate or out of date, and the risk of it being processed in error. It is therefore important that congregations have in place systems for the timely and secure disposal of documents that are no longer required or that they are no longer entitled to retain.
It is permissible to retain personal information beyond when it is required for the original purposes, if such further retention is only for public interest archiving, scientific or historical research, or statistical purposes. Any personal data that congregations need to keep for public interest archiving etc. should be clearly identified by them.
Retention of records
Data protection law does not set specific time limits for the retention of different types of personal information. It is up to data controllers to set their own retention periods, which will depend on how long the information is required in relation to the specified purposes for which it is held.
Suggested retention periods set out in the Schedule to this policy, and decisions relating to the retention (and disposal/erasure) of personal information should be taken with reference to the Schedule. However, congregations should also bear in mind the general rule that they must always be able to justify why they keep personal information in a form that permits the identification of individuals.
In all cases where the retention period recommended in the Schedule for specific types or items of personal information has expired, a review should be carried out prior to disposal, and consideration should be given as to the most appropriate method of secure erasure or disposal.
Disposal/erasure of records
Documents containing personal information should be disposed of confidentially and securely either by shredding or by using confidential waste bins or sacks. Such documents may include, but are not limited to, those containing names and contact details, health-related information, information relating to pastoral matters and financial information.
Electronic communications including email, Facebook pages, twitter accounts etc. and all information stored digitally should also be reviewed regularly and if no longer required should be closed and/or permanently deleted. It is understood that the word “deletion” can mean different things in relation to electronic data, and that it is not always possible to erase all traces of it. The key issue is to put the data beyond use. Therefore, it will normally be sufficient simply to delete the information, with no intention of it ever being used or accessed again by anyone. In addition to deleing personal information from a live system, it should also be deleted from any back-up of the information on that system.
Retention of records for archiving, research or statistical purposes
Personal information can be kept indefinitely if held only for archiving purposes in the public interest; scientific or historical research purposes; or statistical purposes. There must be appropriate safeguards in place to protect individuals - for example, in some cases pseudonymisation may be appropriate. If retaining personal information for archiving purposes, it must not be used for any other purposes. In cases where archiving is considered appropriate the Assembly Clerks’ Office should be consulted for advice.
This Data Retention Policy was adopted on 25 May 2018. The charity trustees will be responsible for the implementation of this Policy in the Congregation.
Data Retention Schedule
|
Record |
Retention Period |
|
MEETINGS |
|
|
Minutes of Kirk Session, Deacons Court and Finance Committee meetings |
Permanent (Per 2018 General Assembly) |
|
Minutes of other meetings |
6 years |
|
Papers for meetings, including agendas and reports |
Delete once there is no longer a need to retain these |
|
|
|
|
EMPLOYMENT, MEMBERS & VOLUNTEERS |
|
|
Pre-employment (of volunteers and paid workers) enquiries/applications/notes/letters/references |
6 months after completion of recruitment (unless data to be retained for a future similar opportunity, in which case 1 year)
|
|
Advice (emails, letters) from Church solicitor or PVG Lead Signatory |
100 years |
|
Confidentiality Agreements |
100 years |
|
Covenants of Responsibilities |
100 years |
|
Safeguarding Risk Assessments |
100 years |
|
Complaints concerning people |
100 years |
|
Congregational Register |
100 years |
|
Safeguarding Audit for Congregations and Presbyteries |
100 years |
|
Transfer Forms |
100 years |
|
Employee records including: contracts, time records etc |
Duration of employment + 6 years |
|
Volunteer records |
Duration of placement + 6 years |
|
Databases for mailing lists/distribution |
Reviewed annually - delete or correct out of date information |
|
Miscellaneous contact information |
Delete once there is no longer a need to retain such information |
|
Miscellaneous letters and emails |
Delete the email/confidentially destroy the letter once no longer required |
|
Payroll and pension payment records |
Minimum, 6 years, no maximum |
|
Pension and retirement records |
Minimum 6 years beyond final pension payment, no maximum |
|
PROPERTY & LEGAL |
|
|
Environmental studies |
Permanent |
|
Insurance claims/ applications |
Permanent |
|
Insurance disbursements and denials |
Permanent |
|
Insurance contracts and policies (Directors and Officers, General Liability, Property, Workers' Compensation) |
Permanent |
|
Leases |
6 years after expiration |
|
Property & land documents (including loan and mortgage contracts, title deeds) |
Permanent |
|
Warranties |
Duration of warranty + 6 years |
|
Documents relating to legal proceedings, potential or actual |
Final settlement of matter or conclusion of any formal proceedings + 6 years |
|
Hazardous material exposures |
30 years |
|
Injury and Illness Incident Reports (RIDDOR) |
5 years |
|
Construction documents |
Permanent |
|
Fixed Asset Records |
Permanent |
|
Application for charitable and/or tax-exempt status |
Permanent |
|
Sales and purchase records |
10 years |
|
Resolutions |
Permanent |
|
OSCR filings |
5 years from date of filing |
|
Contracts |
6 years following expiration |
|
|
|
|
FINANCE |
|
|
Audit and review workpapers |
6 years from the end of the period in which the audit or review was concluded |
|
Financial records, including invoices and expenses payable, income records, bank statements and all supporting documentation |
6 years from end of year in which transaction made |
|
Annual audit reports and financial statements |
Permanent |
|
Annual plans and budgets |
2 years |
|
General ledgers |
Permanent |
|
Tax records |
Minimum 6 years |
|
Gift Aid Declarations |
6 years from end of year in which final claim made or until any current enquiries completed |
|
Gift Aid Records |
6 years from end of year in which transaction made or until any current enquiries completed |
|
Gift Aid Envelopes |
One full month per year for 6 years |
|
Legacies (general) |
6 years after estate has been wound up |
|
Legacies which create permanent endowment |
Permanent |
