Information Retention Policy Template


Information Retention Policy
Purpose
This Information Retention Policy is part of effective data management and is essential for operational efficiency, legal compliance and risk mitigation. By defining clear retention rules, the Company ensures that data remains secure, accessible and aligned with industry standards for as long as it is needed, and is disposed of once it is not. This policy addresses what data is retained, how it is stored, and for how long.
Scope
This policy covers all information assets held by {{company_name}}.
POLICY
The Company will have supporting policies in place (which may include legal or regulatory requirements) which will define procedures and provide mechanisms (for specific business areas) to ensure that access to information-holding assets is handled within the appropriate laws and codes of practice. Measures will be taken to assess the risks associated with keeping and disposing of records at any particular point in time. All individuals must operate within this policy and procedural framework, and are accountable for their actions.
Responsibilities
Users' Responsibilities:
  • Anyone who may access information-holding assets, either directly or indirectly, is responsible for following all appropriate procedures that relate to that asset.
  • Users are responsible for their actions and should not take any action which is outside the law or in breach of Company policies, procedures, guidelines or codes of conduct.
  • Users should manage their information in accordance with the retention periods published within this policy.
  • Users are responsible for ensuring that all information no longer needing retention is destroyed in accordance with the guidelines published in the Information Disposal Policy.
  • Users are responsible for seeking, where required, authorisation for the destruction of classified information.
Managers’ Responsibilities:
  • To ensure that the duration of retention and the controls used in destruction are proportionate to the sensitivity of the information-holding assets being accessed.
  • To ensure that records that are no longer required to be retained by the business for legal or regulatory requirements are eliminated as early as possible and in an authorised and systematic manner in line with this policy. This reviewing activity must be carried out at least quarterly.
  • To implement and monitor this policy within their areas of responsibility, and to ensure that those for whom they are responsible, including visitors and contractors, are aware of and comply with this policy and its associated guidelines.
  • To ensure that only authorised users are granted access to information-holding assets within their area of responsibility, and that all users adhere to the relevant security policies.
  • To notify and seek guidance from the Information Security Office for all breaches of this policy.
Retention Periods for company information and data
Accounting and Financial Information
Type of Record | Relevant Act | Period of Retention
Accounting Records | FSMA | 3 years
Annual Depreciation | FSMA | 3 years
Application to write off value | FSMA | Permanent for lifetime of the company
Cash Book List | FSMA | 10 years
Cheques and Remittance Advice | FSMA | 6 years
Consolidated Accounts | FSMA | Permanent for lifetime of the company
Cost control ledger analysis | FSMA | 6 years
Disposal of Assets | FSMA | Permanent
Income Tax and NI Returns | FSMA | 6 years
Ledger Sheets | FSMA | 10 years
Purchase Requisitions | FSMA | 3 years
Royalty Payments | FSMA | Permanent
Taxation | FSMA | 6 years, to a maximum of 15 years
VAT | FSMA | 3 years
Wages / Salary | FSMA | 6 years
Company and Human Resources Information
Type of Record | Relevant Act/Policy | Period of Retention
Accident books | | 3 years from date of last entry
Agendas, approved minutes and supporting internal and external papers | | Destroy 7 years after the month in which the decision was made
Annual appraisal/assessment records | HR Policy | Destroy after 5 years
Annual leave records | HR Policy | Destroy after 2 years
Application forms, interview notes and reference details | HR Policy | Retain for duration of employment
Certificate of incorporation | | Permanent retention
Company registers | | Permanent retention
Contracts/agreements | | Destroy 12 years after conclusion of contract
Director's minutes signed by the Chairman | | Permanent retention
Disciplinary details | HR Policy | Destroy after 3 years
Legal advice received | | Destroy after the duration of the action for which the advice was received, plus 7 years
Legal documents | | Permanent retention
Major agreements | | Permanent retention for lifetime of the organisation
Management information | | Destroy 2 years after the 31st March following the month to which the management information relates
Minutes of Committees or Board meetings | | Permanent retention
Register of directors and secretaries | | Permanent retention
Risk Assessments | FSMA | Destroy 7 years after year of creation unless a business rationale is provided for specified records, to a maximum retention of 15 years
Sickness record | HR Policy | Destroy after 2 years
Statutory sick pay records and certificates | | Destroy not less than 3 years after the end of the financial year to which they relate
Statutory maternity pay records and certificates | | Destroy not less than 3 years after the end of the financial year to which they relate
Timesheets | | Retain for duration of current financial year
Title deeds and property related documents | | Destroy 12 years after expiry
Unpaid leave/special leave records | HR Policy | Destroy after 3 years
Personnel file and training records | HR Policy | Destroy after 6 years
Records relating to accident or injury at work | HR Policy | Review/destroy after 12 years
References given | HR Policy | Destroy 5 years from reference received/end of employment
Summary of record of service (name/position/dates of employment) | HR Policy | Destroy 10 years from end of employment
Operational and System Information
Type of Record | Relevant Act/Policy | Period of Retention
Application log files | | 3 months accessible, then archive; destroy after 1 year
Back-up files (not including Cardholder data) | | Destroy after 1 year
Cryptographic Keys | | Destroy 7 years after the year in which the key was replaced
CCTV footage | | 3 months accessible, then archive; destroy after 1 year
Customer Credit Card Records | | Not retained after close of account
Equipment inspection records | | Varies according to equipment
Firewall log files | | 3 months accessible, then archive; destroy after 1 year
IDS/IPS log files | | 3 months accessible, then archive; destroy after 1 year
Policy records | FSMA | Destroy 7 years after year of creation unless a business rationale is provided for specified records, to a maximum retention of 15 years
Press releases | | Permanent retention
Project records | | Destroy 7 years from the completion of the project
Project working papers | | Destroy draft reports, working papers and correspondence 2 years from completion of project
Publications | | Permanent retention
Statement of procedures for decision making from Security team | | Destroy 7 years after the version is superseded
Transactional (batched) files including Cardholder data (which must be retained in Transactional Records) | | Destroy after 1 year
Transactional records not including Cardholder data (log files) | | Destroy after 1 year
Monitoring
Responsibility for monitoring changes and updates to this policy rests with the CEO. Updates are reviewed at Board meetings as required. With each update, an action is assigned by the relevant person to ensure the update is reflected in policy and procedure and communicated as required.
COMPLIANCE
Compliance Measurement
The {{company_name}} Team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions
Any exceptions to the policy must be approved by the CEO in advance.
Non-Compliance
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
RELATED STANDARDS, POLICIES AND PROCESSES