Data Retention & Disposal Policy

A free UK-aligned template covering 4 essential clauses. Edit the highlighted fields, sign, and adopt.

1.Purpose and Scope

This policy sets out the principles and arrangements under which [Company] determines how long personal data and business records are retained, and how they are securely disposed of when that retention period ends. The objective is to comply with the storage-limitation principle in Article 5(1)(e) of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, applicable statutory retention rules (HMRC, ACAS, Companies Act 2006, Limitation Act 1980), and reasonable evidential needs for actual or anticipated litigation.

This policy applies to:

• All personal data for which [Company] is data controller or data processor under UK GDPR;
• All employment, financial, contractual, customer, supplier and marketing records — paper or electronic;
• All systems, shared drives, cloud services, archive media and physical filing in which the above records are held;
• All employees, contractors, agency workers and third parties processing data on [Company]'s behalf.

This policy operates in conjunction with [Company]'s Information Security Policy, Data Protection Policy, and Subject Access Request Procedure. Where this policy conflicts with a statutory retention obligation, the statutory obligation prevails and the schedule is updated accordingly.

2.Retention Principles

Retention decisions are made by reference to documented principles, not custom or convenience. The ICO accountability framework requires controllers to evidence that retention periods are justified, applied consistently, and reviewed at appropriate intervals.

2.1 Necessity

Personal data is retained only for as long as necessary for the purposes for which it was collected. Where the original purpose ends and no further lawful basis applies, the data is deleted, anonymised, or transferred to a restricted archive in accordance with the schedule in Section 3.

2.2 Statutory retention rules

Where statute requires retention for a defined period — for example HMRC PAYE regulations (seven years), the Companies Act 2006 (six years for accounting records), the Limitation Act 1980 section 5 (six years for simple contract claims), or sector-specific rules under FCA, Ofcom or the Health and Safety Executive — the statutory period takes precedence over any shorter operational preference.

2.3 Limitation period for claims

Records that may evidence an actual or anticipated legal claim are retained for the relevant limitation period, plus a buffer to allow for late discovery. The default limitation period under English law is six years from the cause of action accruing; longer periods apply to specialty contracts (twelve years) and to claims involving personal injury (three years) or fraud.

2.4 Documented justification

Every retention period in Section 3 has a documented justification — purpose, lawful basis, statutory cite, or limitation-period reference. The schedule is reviewed annually, or sooner when a relevant statute changes. The documented justification is what the ICO accountability framework expects in the event of an audit or complaint.

3.Default Retention Schedule

The following schedule sets the default retention period for the most common categories of records [Company] holds. Where a specific record falls outside these categories, the Data Protection Officer (or equivalent) shall apply the principles in Section 2 and add the new category to the schedule on the next annual review.

3.1 Employment records

• Recruitment files (unsuccessful candidates): 12 months post-decision (in case of discrimination claim).
• HR files (current employees): duration of employment plus 6 years (Limitation Act 1980 s.5).
• Right-to-work documents: 2 years after employment ends (Home Office guidance).
• Payroll, PAYE and pension records: 7 years (HMRC PAYE regulations).
• Occupational health records (general): 6 years post-employment. Records of exposure to hazardous substances are kept for 40 years per COSHH 2002.

3.2 Financial and accounting records

• Statutory accounts and audit files: 6 years (Companies Act 2006 s.388).
• VAT records: 6 years (VAT Act 1994 + HMRC guidance).
• Sales invoices, purchase invoices, expense records: 7 years (HMRC requirement, exceeds Companies Act minimum).
• Bank statements and reconciliations: 7 years.

3.3 Customer, supplier and contractual records

• Customer contracts and supporting correspondence: 6 years post-contract end (Limitation Act simple contracts) or 12 years post-end for contracts executed as a deed.
• Supplier contracts: same as above.
• Customer service tickets, complaints, and resolution records: 6 years post-resolution.
• Marketing consent records: retained for as long as the consent is current, plus 12 months after withdrawal to evidence the lawful basis at the time of processing.

3.4 Operational and security records

• Security incident logs and breach records: 6 years.
• Access logs (authentication, system access): 12 months as a default; longer where required by ISO 27001 controls or sector rules.
• CCTV footage: 30 days unless a specific incident triggers a legal-hold extension.
• Health & safety records (general accidents): 3 years per RIDDOR 2013 guidance; longer for serious incidents and for under-18s.

The full audit-ready policy expands this schedule to 30+ named categories, each with a primary-source statutory cite, the documented justification, and the trigger event from which the retention clock starts. See the upsell block at the end of this document for details.

4.Defensible Deletion

"Defensible deletion" means deletion the controller can document, evidence and defend if challenged. Silent ad-hoc purging creates worse evidential problems than overretention. This section sets out the operational requirements that turn a retention schedule into actual deletion you can defend.

4.1 Schedule-driven, not ad-hoc

Deletion is triggered by the schedule in Section 3, not by individual judgement. The Data Protection Officer reviews scheduled deletions on a [monthly/quarterly] basis and signs off the batch before execution. Ad-hoc deletion of records that fall within the schedule's retention period requires written approval from the DPO and a documented justification.

4.2 Audit trail

For every deletion, [Company] retains a deletion record showing: the category of record, the volume deleted, the deletion method, the date, and the authorising role. The deletion record itself is retained for six years.

4.3 Deletion methods

• Electronic files in cloud storage: logical deletion plus removal from backup snapshots within 90 days, or sooner where the data class warrants it.
• Local files on workstations or servers: secure overwriting per NIST SP 800-88 guidance.
• Encrypted storage: cryptographic erasure (destruction of the encryption key) is acceptable where the cipher is verified.
• Paper records: cross-cut shredding to DIN 66399 Level P-4 minimum.
• Removable media (USB, optical, tape): physical destruction.

4.4 Legal hold (summary)

Where [Company] receives a letter of claim, regulatory information notice (ICO, FCA, HMRC, HSE), Part 31 disclosure obligation, or other formal trigger, scheduled deletion of relevant records is suspended until the hold is lifted by the General Counsel (or equivalent). The full audit-ready policy contains the legal-hold trigger taxonomy, the suspension notification template, the chain-of-custody requirements, and the hold-release procedure — see the upsell block at the end of this document.