DATA RETENTION POLICY

 

 

THE CONGREGATION OF BON ACCORD FREE CHURCH OF SCOTLAND

 

OF THE FREE CHURCH OF SCOTLAND

 

IN THE PRESBYTERY OF EDINBURGH & PERTH

 

Introduction

This Data Retention Policy outlines how long various categories of personal data are retained by the congregation.  It should be read in conjunction with our Data Protection Policy and our Privacy Notice, copies of both of which are available on the noticeboard in our main downstairs hall, on our website at www.bafreechurch.org.uk and (on request) from our Administrative Assistant via This email address is being protected from spambots. You need JavaScript enabled to view it.  

Congregations process various types of personal information, also called personal data.  Personal data is any information, whether held in hard copy or electronic form, relating to an individual who can be identified, directly or indirectly, from that data.  Processing is anything that is done with that information – it includes the collecting, editing, storing/holding/retaining, disclosing/sharing, viewing, recording, listening, erasing/deleting etc. of personal information. 

Examples of the types of personal information processed by congregations are set out in the Schedule to this policy and include, but are not limited to, membership lists; baptismal records; information relating to employees and volunteers; financial records, including in relation to payroll and Gift Aid administration; information relating to counselling and pastoral care; information regarding individuals attending churches and participating in church events and activities, including children and young people; and information relating to the management of properties, including sales, purchases and leases.

Personal information may be retained by congregations in various ways and places – these include, but are not limited to, minutes of meetings of the Kirk Session and Deacons’ Court; employment contracts; congregational register of individuals working with children and/or protected adults; registration and/or consent forms for church activities; congregational newsletters; and letters and email correspondence.

In certain circumstances it will be necessary and appropriate to retain personal information, either in hard copy or electronic form, depending on the purposes for holding the information.  However, it is not appropriate or practical for congregations to retain all records indefinitely.  Records should only be retained in accordance with data protection principles, which require that personal information is limited to what is relevant and necessary, is accurate, and is kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which it was obtained. Ensuring that personal information is erased or anonymised when no longer required will reduce the risk of it becoming irrelevant, excessive, inaccurate or out of date, and the risk of it being processed in error.  It is therefore important that congregations have in place systems for the timely and secure disposal of documents that are no longer required or that they are no longer entitled to retain.

 

It is permissible to retain personal information beyond when it is required for the original purposes, if such further retention is only for public interest archiving, scientific or historical research, or statistical purposes. Any personal data that congregations need to keep for public interest archiving etc. should be clearly identified by them.

 

Retention of records

Data protection law does not set specific time limits for the retention of different types of personal information. It is up to data controllers to set their own retention periods, which will depend on how long the information is required in relation to the specified purposes for which it is held. 

 

Recommended retention periods are set out in the Schedule to this policy and decisions relating to the retention (and disposal/erasure) of personal information should be taken with reference to the Schedule.  However, congregations should also bear in mind the general rule that they must always be able to justify why they keep personal information in a form that permits the identification of individuals.

 

In all cases where the retention period recommended in the Schedule for specific types or items of personal information has expired, a review should be carried out prior to disposal, and consideration should be given as to the most appropriate method of secure erasure or disposal.

 

Disposal/erasure of records

Documents containing personal information should be disposed of confidentially and securely either by shredding or by using confidential waste bins or sacks.  Such documents may include, but are not limited to, those containing names and contact details, health-related information, information relating to pastoral matters and financial information.

 

Electronic communications including email, Facebook pages, twitter accounts etc. and all information stored digitally should also be reviewed regularly and if no longer required should be closed and/or permanently deleted. It is understood that the word “deletion” can mean different things in relation to electronic data, and that it is not always possible to erase all traces of it.  The key issue is to put the data beyond use.  Therefore, it will normally be sufficient simply to delete the information, with no intention of it ever being used or accessed again by anyone. In addition to deleting personal information from a live system, it should also be deleted from any back-up of the information on that system.

 

 

Retention of records for archiving, research or statistical purposes

 

Personal information can be kept indefinitely if held only for archiving purposes in the public interest; scientific or historical research purposes; or statistical purposes. There must be appropriate safeguards in place to protect individuals - for example, in some cases pseudonymisation may be appropriate.  If retaining personal information for archiving purposes, it must not be used for any other purposes.  In cases where archiving is considered appropriate the Assembly Clerks’ Office should be consulted for advice.

 

 

This Data Retention Policy was adopted on 3 September 2018. The charity trustees will be responsible for the implementation of this Policy in the Congregation.  


 Data Retention Schedule

Record

Retention Period

MEETINGS

 

Minutes of Kirk Session, Deacons’ Court and Finance Committee meetings

Permanent (per 2018 General Assembly)

Minutes of other meetings

6 years

Papers for meetings, including agendas and reports

Delete once there is no longer a need to retain these

 

 

EMPLOYMENT, MEMBERS & VOLUNTEERS

 

Pre-employment (of volunteers and paid workers) enquiries/applications/notes/letters/references

6 months after completion of recruitment (unless data to be retained for a future similar opportunity, in which case 1 year)

 

Advice (emails, letters) from Church solicitor or PVG Lead Signatory

100 years

Confidentiality Agreements

100 years

Covenants of Responsibilities

100 years

Safeguarding Risk Assessments

100 years

Complaints concerning people

100 years

Congregational Register

100 years

Safeguarding Audit for Congregations and Presbyteries

100 years

Transfer Forms

100 years

Employee records including: contracts, time records etc

Duration of employment + 6 years

Volunteer records

Duration of placement + 6 years

Databases for mailing lists/distribution

Reviewed annually - delete or correct out of date information

Miscellaneous contact information

Delete once there is no longer a need to retain such information

Miscellaneous letters and emails

Delete the email/confidentially destroy the letter once no longer required

Payroll and pension payment records

Minimum, 6 years, no maximum

Pension and retirement records

Minimum 6 years beyond final pension payment, no maximum

PROPERTY & LEGAL

 

Environmental studies

Permanent

Insurance claims/ applications

Permanent

Insurance disbursements and denials

Permanent

Insurance contracts and policies (Directors and Officers, General Liability, Property, Workers' Compensation)

Permanent

Leases

6 years after expiry

Property & land documents (including loan and mortgage contracts, title deeds)

Permanent

Warranties

Duration of warranty + 6 years

Documents relating to legal proceedings, potential or actual

Final settlement of matter or conclusion of any formal proceedings + 6 years

Hazardous material exposures

30 years

Injury and Illness Incident Reports (RIDDOR)

5 years

Construction documents

Permanent

Fixed Asset Records

Permanent

Application for charitable and/or tax-exempt status

Permanent

Sales and purchase records

10 years

Resolutions

Permanent

OSCR filings

5 years from date of filing

Contracts

6 years following expiry

 

 

FINANCE

 

Audit and review workpapers

6 years from the end of the period in which the audit or review was concluded

Financial records, including invoices and expenses payable, income records, bank statements and all supporting documentation

6 years from end of year in which transaction made

Annual audit reports and financial statements

Permanent

Annual plans and budgets

2 years

General ledgers

Permanent

Tax records

Minimum 6 years

Gift Aid Declarations

6 years from end of year in which final claim made or until any current enquiries completed

Gift Aid Records

6 years from end of year in which transaction made or until any current enquiries completed

Gift Aid Envelopes

One full month per year for 6 years

Legacies (general)

6 years after estate has been wound up

Legacies which create permanent endowment

Permanent