Data Handling & Retention Guidelines


We have set out how our organisation classifies the information we process, and how users should handle that information, in section 1 of our Information Security Policy. The Information Security Policy is the primary policy we use to communicate our requirements for the secure use of devices, workspaces, and information to all users of our information systems and assets. However, when data is first collected or created, it may not be immediately clear how the data should be classified, or who the owner of the data may be. This may result in information being inadvertently shared, or even deleted where it should be retained, which is of particular concern when processing personal data.

To minimise the risk of inappropriate collection or sharing, accidental loss or destruction, or unauthorised access in these types of scenarios, our organisation has set out best practice principles to help guide our users in the protection of information throughout its lifecycle.


This document applies to all information that we process as part of our work-related activities. Where there is overlap between the data classification and handling requirements set out in the Information Security Policy and this document, the Information Security Policy shall take precedence.


All employees, contractors, and other relevant third-parties shall understand and follow this document when determining how data should be collected, handled, and retained. For the purposes of this document, instructions directed at employees shall also apply to contractors, and other relevant third-parties, and shall be collectively referred to as “users”. Where discussing the classification and handling of information, users with overall responsibility for the data shall be referred to as the “data owner”.


These Data Handling & Retention Guidelines shall be communicated to all employees and agency staff as part of our employee induction programme, and periodically following any changes to the available guidance and compliance requirements. All contractors and other relevant third-parties shall be provided with a copy of this document as part of the process for contracting services, and shall be re-issued with updated versions periodically following any changes to the guidelines.

Disciplinary Process

It is understood that this document and the guidance set out in it may not cover every scenario that arises, or be applicable to every type of data that we handle. However, employees, contractors, or other relevant third-parties performing activities which clearly disregard the guidelines set out in this document shall be subject to the disciplinary process documented in the Company Manual, or the applicable service contract. 


Management are committed to the continual improvement of our Data Handling & Retention Guidelines, and shall review this document on an annual basis, or whenever an independent review reveals a change in legal and/or regulatory requirements. The Management Review shall determine if this policy continues to meet the requirements of our organisation.

Management also endeavours to plan our business operations so that our information is not misused, either intentionally or unintentionally. This is done by identifying and assigning separate duties throughout our critical business activities to guard against misuses such as illegal transfers, or other errors in data processing activities, etc. Where a user identifies potential conflicts or misuse of information due to improper planning and assignment of duties, users should raise their concern immediately with their line manager, or the ISMS Manager. 

1. Data Handling Principles

To ensure that the data we process is handled and protected appropriately, it is important for all users and data owners to know and understand best practice principles for data processing. Our organisation uses the data privacy principles set out in the General Data Protection Regulation (GDPR) as the core principles for the handling of all information we process, regardless of data type or classification. This section sets out these core principles, and how our organisation expects users and data owners to adhere to them in their day-to-day activities.

1.1 Limit Use of the Data

This principle is frequently referred to as “purpose limitation”. Information is usually collected for a purpose, and understanding that purpose will assist in identifying the correct controls for handling and retaining it, such as who should have access to it, where it should be stored, how long it should be kept for, etc. Where information is taken and used for a different purpose than what it was collected for, users could expose the data to risks such as unauthorised access, misuse, or non-compliance with legal or regulatory considerations.

For personal data, the data can only be used for a different purpose when permitted by law. For example, where customer contact data has been collected for the purpose of providing product support, it would not be compatible or lawful for that contact data to be used in a digital marketing campaign unless the customer provided their explicit consent to do so.

 Users and data owners should always consult with the ISMS Manager and/or Data Protection Lead when considering using data for a purpose other than what it was originally collected for.

 1.2 Have a Genuine Reason

Processing information when there is no defined business case for it can expose our organisation to unnecessary data breaches, or legal and regulatory penalties. Where information is collected simply because it seems like it may be useful at the time, it may result in a lack of defined controls or ownership of the data, and an increased level of risk due to inappropriate storage and/or protection.

For personal data, processing without an appropriate legal basis is unlawful. For example, an employer would have no legal basis for sharing employee data with a private research organisation studying workforce demographics, even though the data would be legitimately interesting to the private research organisation, and the employer may receive payment for sharing the data. This is because employees would likely have no knowledge of the private research organisation’s activities, and the employer would have no lawful reason to share the employee data for the purposes of private research. The employees’ information could only be processed lawfully by the private research organisation where the organisation has received explicit consent directly from the employees, or where the employer sufficiently anonymises the data so that it is no longer considered personal data.

The GDPR currently sets out the following legal bases for the processing of personal data:

  • Consent
  • Performance of a contract
  • Legal obligation
  • Protection of vital interests
  • Public interest/exercise of official authority
  • Legitimate interest

In addition to the above, there are situations in which lawful processing may take place on the following bases:

  • Further processing
  • Law enforcement purposes

When initiating and developing projects that involve the collection of information, data owners should always consult with the ISMS Manager and/or Data Protection Lead to ensure there is a valid legal basis or business case for processing the information. 

1.3 Use Data Fairly

Even where information has been collected and processed for a genuine reason, the processing activity may produce unfair results, or unfairly or negatively impact individuals. This could expose our organisation to potential reputational damage, or loss of trust, and being legally correct in this instance may not be beneficial.

Data owners should always consider the needs and expectations of all interested parties when considering how to use information. In particular, when working on projects that involve the collection and processing of personal data, data owners shall always ensure that: 

  • Any impacts on the rights and freedoms of individuals are fully assessed and justifiable, and that the results of assessments are confirmed with the Data Protection Lead.
  • The information provided to individuals is not misleading, possibly resulting in them being surprised or confused about the processing activity.

1.4 Be Open & Honest

Unless required to maintain strict confidentiality for certain information processing activities, transparency about why and how we use information creates trust and confidence in our colleagues, customers, business partners, employees, suppliers, and other interested parties. A data owner or user who is not open and honest about what data they are collecting and how they are using it may expose the organisation to unnecessary data breach, legal and regulatory penalties, or even cause harm to individuals. Whether being honest about the applications used, where data is stored, or who it is shared with, data owners and users should ensure they clearly communicate this information to line managers and/or relevant team members so that the data can be appropriately handled and protected.

For personal data, individuals have the legal right to be informed about the use of their personal data. Data owners shall consult with the Data Protection Lead to ensure that information about the use of personal data is clearly and appropriately communicated to individuals in line with applicable data protection law.

1.5 Only Use What’s Necessary

This principle is known as “data minimisation”, and supports the principle of data protection by design and by default. Where we don’t absolutely need the data to carry out a required task or meet a business objective, then we shouldn’t collect it, as limiting what we process automatically minimises our organisation’s exposure to data breach, misuse of data, and legal and regulatory penalties. Quite simply, if we don’t have it, then we can’t lose or expose it.

For personal data, our organisation is legally obligated to collect only what is absolutely necessary to achieve the objective of the processing activity. For example, where a web-service provider needs only a verified email address and username to authorise a user’s access to their application, it would be unnecessary to ask a user for information about their gender, location, address, or age for the purposes of authenticating their account. The additional identity data would not only be irrelevant, with no genuine reason to collect and retain it, but in the event of a data breach, a malicious attacker would have a lot more information about users. This information could then allow a malicious attacker to more effectively target a user for scams, fraud, or possible identity theft.

When initiating and developing projects that involve the collection and processing of data, data owners should ensure they only collect and use what they need.

1.6 Keep Data Accurate

Whether using data for research and analysis, or maintaining customer or employee records, data that is inaccurate or out of date can negatively impact business decisions and operational activities, as well as our employees, customers, suppliers, and other interested parties. In the case of personal data, individuals have a legal right to expect their personal information to be kept accurate and available. This means that data owners should identify and document appropriate procedures for maintaining the accuracy and integrity of the information used, and ensure they are clearly communicated to users who may work with the data. Users should ensure they adhere to the procedures, and appropriately maintain the accuracy of the information they work with.

1.7 Don’t Store Data Longer Than Necessary

From having to convert data into formats suitable for archiving, to maintaining legacy equipment to be able to retrieve the information, storing data for long periods of time can not only introduce business costs and operational difficulties, but where data is kept for longer than necessary, it also exposes our organisation to increased risk of data breaches, and legal and regulatory penalties. For personal data, our organisation is legally obligated to securely dispose of the data once it has fulfilled its purpose.

Using the legal, regulatory, and contractual considerations identified in section 1 of the Information Security Policy and our Critical Asset Register, data owners shall identify appropriate retention periods for the data we process, record these periods to section 2 of this document for reference, and ensure appropriate procedures are implemented to delete information when retention periods are met. Where necessary, data owners should also document and communicate data removal procedures to users who may work with the data to ensure continuous compliance with retention requirements.

1.8 Keep Data Safe & Secure

Regardless of whether the information we collect or create has been classified or assigned a data owner, ensuring that it is protected by default will minimise the risk of unauthorised and potentially illegal access, loss, corruption, reproduction, illegal transfer, or destruction. As mentioned earlier in these guidelines, our Information Security Policy is the primary policy we use to communicate our requirements for the secure use of devices, workspaces, and information to all users of our information systems and assets. Data owners and users shall adhere to our Information Security Policy, and treat all information as confidential unless specifically labelled otherwise. This will ensure there is always a minimum level of protection applied to the information we process.

1.8.1 Technically masking data

In addition to the requirements for proper handling and use of information and information assets as set out in our Information Security Policy, our organisation may be obligated to comply with contractual, legal, or regulatory requirements to technically restrict access to data by using approved techniques to mask it. It may also be necessary to mask data due to the level of risk associated with the inappropriate use or access of the information. Some technical mechanisms that can be used to mask data may include, but are not limited to: 

  • Encryption – using an approved encryption standard to encrypt the data. Only persons with permission to access the decryption key can decrypt and view the information.
  • Substitution – using a lookup file to substitute existing information with information that looks similar, but isn’t accurate. For example, a credit card number may be substituted with a set of numbers that are in the same format as the credit card number, but are not the actual number of the credit card.
  • Shuffling – moving data around within the same data field so that the original data isn’t immediately identifiable. For example, shuffling the numbers of a credit card number into a different order.
  • Masking out – making parts of the information unreadable based on the level of access required. For example, payment systems may mask out all but the last four digits of credit card numbers visible to individuals managing customer accounts, while the system can still access the entire number in order to process payments.
  • Pseudonymisation – similar to substitution, this is usually used in the context of personal data, and involves replacing some information about a person with pseudonyms or randomised data so that the person can’t be directly identified.
  • Anonymisation – removing all identifiable information about an individual so that none of the data can be recombined to either directly or indirectly identify them. Where personal data has been completely anonymised, it would no longer be considered personally identifiable information, and may no longer require data masking.

Data owners shall use the legal and regulatory considerations identified in section 1 of the Information Security Policy and the Critical Asset Register to identify any requirements to mask data, and work with administrators to ensure appropriate masking techniques are identified and implemented, taking into consideration the policies for access control, network protection, and cryptographic controls set out in the Information Systems Security Policy.

 1.8.2 Preventing data leakage

Even where data owners and users adhere to the requirements set out in our Information Security Policy, the daily use, copying, sharing, and transmission of data may result in unintended loss, leakage, or even malicious exfiltration. Where working with sensitive information, it may be necessary to implement additional technical mechanisms to prevent unintended copying and sharing of information. Some technical mechanisms may include, but are not limited to:

  • Technically preventing the copying and pasting of sensitive information in databases and other information systems.
  • Implementation of network controls such as jump servers, which control and track connections to information systems storing sensitive information.
  • Email data loss prevention (DLP) systems which track and quarantine emails containing sensitive information. Emails containing sensitive information would be held in quarantine until approved for release, where appropriate.
  • Endpoint DLP software which monitors the use and storage of information on user devices and other information assets. The software may technically prevent use of removable media, or the moving and saving of data to unapproved locations.
  • Network DLP solutions which monitor sensitive information being transmitted across a network.
  • Cloud DLP solutions which monitor and encrypt sensitive information stored and transferred using cloud-based services. These solutions may be configured to block the use of unapproved services, or upload of unencrypted data.

Data owners shall determine the risks associated with the loss of the sensitive information, and work with administrators to ensure suitable mechanisms for preventing data leakage are identified and implemented, where appropriate.

1.9 Keep Track of Data

Necessary security controls and retention procedures cannot be applied to data that is not appropriately identified and tracked. For personal data, this is referred to as the principle of “accountability”, and depending on the size of the organisation and nature of the processing activities, may require the creation and maintenance of records of processing. Failure to keep track of the information we handle may expose our organisation to increased risk of data breaches, and legal and regulatory penalties.

Our organisation keeps track of the information that we handle by identifying, recording, and managing our information assets in line with our ISO 27001-aligned information security management system (ISMS), as documented in our ISMS Manual. The legal and regulatory requirements applicable to these information assets are recorded to our Critical Asset Register, and also used to maintain the legal and regulatory considerations documented in section 1 of our Information Security Policy. Data owners shall ensure the necessary retention periods set out in these legal and regulatory requirements are identified and recorded to section 2 of this document.

Where changes to existing information assets occur, or where new information assets are identified, data owners shall review and update the below section, as appropriate.

2. Data Retention Requirements

As mentioned in section 1.7 above, data that we collect and use must only be retained as long as necessary. Data retention requirements may be set out in laws and regulations, determined by our customers in contracts, or even set by data owners based on our organisation’s own business requirements.

Data owners shall use the applicable laws, regulations, contracts, and other considerations identified in our Critical Asset Register, and section 1 of our Information Security Policy, to identify expected retention periods for the information we process, and document these in the table below.


Data Type Retention Period Guidance Associated Critical Asset Data Owner
Company VAT records 6 years Google Drive, Zoho, revenue online system Chief Finance Officer
CRO filings Indefinite Google Drive, Zoho Companies registration

online system

Chief Finance


Customer Data Terms of Service; 

Data Processing Agreement 

Terms of Service; 

Data Processing Agreement 

Application production environment COO on behalf of the customer
Corporate website analytics data Retain for a reasonable period to analyse marketing effectiveness and trends. GDPR; business requirements of the sales and

marketing teams

Corporate website; Zoho analytics Chief Revenue Officer
Employee working time information 3 years Revenue, Work  Relations Commission Zoho, Xero,

  Revenue online system

Chief People Officer
Personal Information of applicants that are unsuccessful 6 months GDPR; HR Manual Zoho Recruit Chief People Officer
Payroll details and Payslips 6 years Revenue, Work  Relations Commission Zoho, Xero, Gusto, SimplePay, Google Drive Chief People Officer
Parental Leave  8 years Revenue, Work 

  Relations Commission

Zoho, Xero, Revenue online system Chief People Officer
Written Terms of Employment 3 years Revenue, Work  Relations Commission Zoho, Xero, Revenue online system Chief People Officer
Support Tickets 2 years Business requirements of the Sales and Operations teams Zoho Desk COO
Leads and prospect information Terms of Service; Data Processing Agreement  For as long as

the data remains relevant or until the individual requests their data to be

deleted (subject to consent and privacy laws)

Zoho CRM Chief Revenue


CCTV footage from cameras at local offices. 3 years GDPR; HR Manual CCTV systems at the local offices COO