Group Data Protection Policy

Data Retention Policy

1. Basis

There are legal and regulatory requirements for us to retain certain data, usually for a specified amount of time. We also retain data to help our business operate and to have information available when we need it. However, we do not need to retain all data indefinitely, and retaining data can expose us to risk as well as be a cost to our business.

This Policy covers all data that we hold, or have control over, and includes both personal data and non-personal data in both physical form (such as hard copy documents, contracts, notebooks, letters and invoices), and electronic form (such as emails, electronic documents, audio and video recordings and CCTV recordings). In this Policy we refer to this information and records collectively as “data”.

2. Principles

Through this Policy and our data retention practices, we aim to:

• Comply with the laws, rules, and regulations that govern the Group and Operating Units in the jurisdictions in which they operate, and with recognised compliance good practices.
• Only keep personal data for as long as is necessary for the purposes for which it is processed (storage limitation principle).
• Handle, store and dispose of data responsibly and securely.
• Create and retain data to operate our business effectively.
• Not create or retain data without good business reason.
• Regularly monitor compliance with this Policy and update this policy when required.

3. Adoption

This Policy has been adopted by the Group and will be updated or modified as appropriate.

4. Implementation

The Policy will be implemented across all Group Operating Units. All employees must comply with this Policy, the Record Retention Schedule, any communications suspending data disposal and any specific instructions from the Group Company Secretary. Operating Units are encouraged to nominate a Data Lead who is responsible within the business for monitoring the retention and destruction of records held by the Operating Unit and for implementing the procedures which may be required to ensure compliance with this Policy. Upon appointment of the Data Lead, Operating Units should notify the Group Company Secretary of the name & title of the Data Lead.

5. Types of Data and Data Classifications

Formal or official records

Certain data is more important to us and is therefore listed in the Group Data Retention Schedule (see Helpful Documents). This may be because we have a legal requirement to retain it, or because we may need it as evidence of our transactions, or because it is important to the running of our business.

Disposable information

Disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a formal or official record.

Personal Data

Please note, both formal or official records and disposable information may contain personal data – i.e. data that identifies living individuals.

6. Retention Periods

Formal or official records

Any data that falls within any of the categories listed in the Group Data Retention Schedule (see Helpful Documents) must be retained in accordance with the relevant retention period. A record must not be retained beyond the period indicated in the Group Data Retention Schedule, unless a valid business reason (or notice to preserve documents for contemplated litigation or other special situation) calls for its continued retention.

Disposable information

The Group Data Retention Schedule will not set out retention periods for disposable information. This type of data should only be retained as long as it is needed for business purposes. Once it no longer has any business purpose or value it should be securely disposed of (see Disposal of Data below).

Personal Data

Records containing personal data (see the Data Protection Policy for more details) should only be retained for as long as it is necessary, in light of the purpose for which they were created/collected, and must be destroyed once it is no longer necessary to retain them (the principle of storage limitation). Furthermore, personal data held should be rendered anonymous in so far as this is possible. Further information can be found in the Group Data Protection Policy. Where data is listed in the Group Data Retention Schedule, we have taken into account the principle of storage limitation and balanced this against our requirements to retain the data.

Where data is ‘disposable information’, you must take into account the principle of storage limitation when deciding whether to retain this data.

7. How We Use Personal Data

The Group and each Operating Unit will:
• only collect or use Personal Data for Operating Unit business purposes;
• only process Personal Data in accordance with the Data Protection Laws;
• ensure that individuals whose Personal Data we hold are aware of the purpose for which such information will be used;
• keep Personal Data and information secure, whether it is held electronically or on paper, and put in place processes to prevent unauthorised or accidental disclosure or loss;
• restrict access to Personal Data to those who need to know;
• ensure that Personal Data is accurate and up to date;
• delete or destroy Personal Data in accordance with the relevant Data Protection Law and the Group’s Data Retention Policy;
• ensure that individuals who handle Personal Data understand their responsibilities in terms of this Policy and any applicable Data Protection Laws.

The Group and each Operating Unit will not:
• sell or trade Personal Data belonging to the Group or Operating Unit to third party companies such as marketing companies;
• transfer Personal Data without adequate protection.

8. Storage, Back-Up and Disposal of Data

Storage

Data must be stored in a safe, secure, and accessible manner. Any documents and financial files that are essential to our business operations during an emergency must be duplicated and/or backed up [at least once per week and maintained off site].

Disposal of Data

Subject to Special Circumstances (see below), documents which have been held longer than the record retention periods detailed in the Group Data Retention Schedule must be deleted/destroyed. This includes documents produced in electronic format. The destruction of confidential, financial, and employee-related hard copy data must be conducted by shredding if possible. Non-confidential data may be destroyed by recycling. The destruction of electronic data must be co-ordinated with the IT Department.

The destruction of data must stop immediately upon notification from the legal department or Group Company Secretary that preservation of documents for contemplated litigation is required. Operating Units are encouraged to undertake a regular document purge in order to accord with this Policy.

9. Special Circumstances

All employees should note the following general exception to any stated destruction schedule.

If you believe, or the Company Secretary or Legal Department informs you, that certain records are relevant to current litigation or contemplated litigation (that is, a dispute that could result in litigation), government investigation, audit, or other event, you must preserve and not delete, dispose of, destroy, or change those records, including emails and other electronic documents, until the Company Secretary or Legal Department determines those records are no longer needed. Preserving documents includes suspending any requirements in the Group Data Retention Schedule and preserving the integrity of the electronic files or other format in which the records are kept.

If you believe this exception may apply, or have any questions regarding whether it may apply, please contact the Legal Department.

10. Breach Reporting

If you feel that you or someone else may have breached this Policy, you should report the incident immediately to your supervisor. If employees do not report inappropriate conduct, we may not become aware of a possible breach of this Policy and may not be able to take appropriate corrective action.

No one will be subject to, and we do not allow, any form of discipline, reprisal, intimidation, or retaliation for reporting incidents of inappropriate conduct of any kind, pursuing any record destruction claim, or co-operating in related investigations.

11. Further Information

Any questions about retention periods relevant to your department should be raised with your Operating Unit’s Data Lead in the first instance. The Data Leads may raise any additional queries with the Legal Department. Any questions about this Policy should be raised with the Group Company Secretary.

Helpful Documents

• Group’s Data Retention Policy
• Group Data Retention Schedule
• Privacy Notice
• Group Code of Business Conduct

Other Contacts

Your Line Manager/Human Resource Manager/local Finance Director/Managing Director
Group Legal Department
Group Company Secretary Tel: +44 (0)121 704 7430
Email: compliance@hsgroup.com