Inadequate records management can:
- Decrease customer service;
- Hinder fast and convenient access to management information; and
- Render the business less able to defend itself against claims and legal process. It can even in some instances render the officers of the business liable to prosecution.
Every business is different and, in making use of these guidelines, please note that that is all they are. You should make reference to other primary and professional sources including your business regulators, legal and professional advisers, HMRC and Companies House because the law and practice in this increasingly complex area is ever changing. The growth of electronic communications and the resulting concern to protect personal information and business IPR and data from abuse will continue to keep the legislators busy over coming years. This trend is likely to increase with the growing use of Cloud technologies for data management and storing. If in any doubt, contact your professional advisers and the primary sources for advice and information.
In this information age, your business will benefit from establishing a data maintenance, security, storage/retention and destruction policy that is clear, practical and sets guidelines for the following:
- Compliance with legal and regulatory requirements including for your “Company Records” as defined by the Companies Act section 1134
- Secure storage in appropriate and non-perishable storage media
- Proper and secure destruction
- Ease of recall from storage
- Periods of retention, being no less than the minimum required by applicable law (if any)
- Monitoring all of the above.
If you are a small organisation, or work in a small legal department, you are unlikely to be able to spend much time or money on this issue. However, you should be able to reduce your exposure to legal risk by thinking about the following points:
Get your IT department on board with the concept that electronic storage is not just about cost. Get them to engage with you at an early stage when they are looking to introduce new systems or software that will keep records so you can input any concerns or legal requirements up front (see particularly the information set out in section 2 in relation to secure storage in appropriate media that is kept under review).
Encourage the use of a standard filing system. For instance, if documents are kept on a central server and everyone uses the same type of filing methodology, it will help when finding documents again in a hurry, particularly if a staff member is absent or has left.
Remind your staff that the proper management of your documents and data is everyone’s responsibility and not just a legal problem.
Retention should not just be focused upon future events. Nothing should be put away in storage that is not ready and organised for immediate reference should the need arise.
1. Legal and Regulatory Requirements
There is an ever growing amount of legislation applicable to setting minimum requirements for the retention of business data and documentation.
Please note however that the concern of your business should not just be to meet the mandatory requirements set by the law. For very good reasons, you may be well advised to retain certain data and documents for rather longer than the law makes necessary.
The following table gives examples of the retention periods most likely to concern businesses in general. There will be additional requirements of specific businesses under their own regulatory and ethical codes, for example financial services (FSA). Please take care to ensure you have referred to all other relevant and applicable regulations.
TABLE - A guide to typical retention periods:
Type of data | Period of retention | Regulatory or Legal Reference |
Company formation | Indefinite | Companies Act 2006 |
Company record | 10 years | As defined by section 1134 Companies Act 2006 (See below) |
Data Protection Act 1998 - personal information | No longer than necessary | Data Protection Principle No.5 - Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. |
Insurance certificates | 40 years | The Employers’ Liability (Compulsory Insurance) Regulations 1998 |
Concerning latent damage | 3 – 15 years | Latent Damage Act 1986 |
Concerning legal actions/claims | 1 – 30 years | Limitation Act 1980 and Consumer Protection Act 1987 |
Personnel records (pay, accidents, health, retirement benefits) | Up to 40 years. Some personnel records must be maintained up to an age of 75. Many should not be kept too long (Data Protection Principle No 5). | Various – refer to the Employment Practices Code, the Chartered Institute of Personnel and Development and cross reference to the Data Protection Act 1998, standard of necessity set out in Principle Number 5. |
Value added tax records | 6 years | VAT Records and Accounts HMRC |
Wages and salary | 6 years | Taxes and Management Act 1970 |
N.B. This Table is only able to give examples that will be relevant to businesses in general.
"Company records" are defined in section 1134 of the Companies Act 2006 (2006 Act) as any register, index, accounting records, agreement, memorandum, minutes or other document required by the Companies Acts to be kept by a company and any register of its debenture holders.
Company records may be kept in hard copy or electronic form and can be arranged as the directors think fit. If they are in electronic form, they must be capable of being reproduced in hard copy (section 1135). The company must take precautions against falsification of the records (section 1138).
Records of directors' meetings
All companies must keep minutes of directors' meetings for ten years from the date of the meeting and if they do not, every officer who is in default will commit an offence (section 248).
Records of members' resolutions and meetings
Every company must keep:
- Copies of members' resolutions passed otherwise than at general meetings (which would include all written resolutions);
- Minutes of general meetings; and
- Details of decisions provided by a sole member under section 357,

for ten years from the date of the resolution, decision or meeting. If it does not, every officer who is in default will commit an offence (section 355).
Section 358 of the 2006 Act requires the company to keep the records referred to in section 355 available for inspection at its registered office for ten years (or at an alternative place specified in regulations made under section 1136; if this interests you, please seek further advice and information).
Members of the company can inspect those records free of charge and can require a copy for the fee prescribed by the Companies (Company Records) Regulations 2008 (SI 2008/3006).
2. Secure Storage in Appropriate and Non-Perishable Storage Media
For hard copy records that contain personal data (particularly customer data) or confidential information, secure storage is critical.
If you use external storage contractors then you may want to insist that records can only go for storage with an appropriate indexing system and destruction date on them. Otherwise, large volumes can quickly accumulate leading to excessive storage costs and potentially increased costs in litigation disclosure.
You should also maintain a detailed log of what is sent for offsite storage. By ‘detailed’ we mean that the index will need a specific item, matter or even document list. Do not rely on generic descriptions such as ‘general’ or ‘miscellaneous’.
Choose contractors who value the importance of detail.
Companies are likely to hold relevant records in a number of different formats so it is important to retain access to and to secure all relevant systems even if no longer in current use.
As already suggested, regulators are increasingly interested in electronic retention and you are well advised to develop a policy and resources to deal particularly with the issues electronic data poses.
Log access to systems and limit the export of data to discs or laptops to limit damage in the event of a loss.
Electronic desktop file records are easy to forget about, but management of these records can be improved by reviewing your use of document management systems and by encouraging intelligent use of these.
Review your back-up procedures with your IT contractors.
Scanning is an increasingly attractive option for storage of records as electronic storage costs decrease. It can also be attractive for speed of operation or customer service where your business is dependent upon large quantities of hard copy papers that may need to be retrieved.
In the UK, in the absence of originals, scanned documents can be admitted in evidence although the origin and integrity of the scanned image must be established to enable the court to allow it and decide what evidential weight to attach to it. This can be done by producing the policy and audit documents for storing documents and the controls which are in place as part of the scanning system (whether this is done in-house or outsourced).
The British Standards Institute has produced a Code of Practice for the Legal Admissibility and Evidential Weight of Information Stored Electronically (BSI BPI 0008:2004), which is an industry-wide benchmark of best practice in relation to the procedures and documentation required for the audit of systems producing images that may be used in court. This does not guarantee admissibility – its author describes it as a "risk reduction" exercise.
Scanning and destruction is not suitable for every document. For example, documents held by you but not belonging to you (such as property deeds, stamped documents, important original documents, or originals regulators require you to keep) may not be suitable. Each class of documents should be considered on its own merits.
Technology today will not necessarily stand up for very long term use. If your business wishes to scan documents needed in the long term then you may want to require that they are checked for readability after a certain period (for example 10 years) and that documents are printed off if the system to view them is being decommissioned.
3. Proper and Secure Destruction
Secure destruction is critical. Note the guidance contained in section 2 above. Enforcement action by the Information Commissioner often relates to the improper destruction of hard copy customer records.
4. Ease of Recall from Storage
Please note the guidance given at section 2 above particularly in relation to detailed listing and logging of data sent into storage, retaining access to all storage systems, including electronic systems and choosing external service providers for whom detail matters.
5. Periods of Retention Being No Less Than The Minimum Required By Applicable Law (If Any)
The legal or regulatory retention requirements may often be shorter than good advice and best practice should suggest for your business. The above table indicated examples of the legal minimums required. Your business will need to consider whether these are sufficient in your best interests. Consider the following approach:
Divide your records into categories, based on the legal requirements that may apply to them.
Always comply with the legal and/or regulatory minimums in respect of each category of data – (see table above for examples).
Identify the most frequently occurring retention period for each category and consider whether this should be the default retention period. However, consider whether this is long enough to protect the company from potential exposure to legal risk and, if the answer is no, consider what longer period would be appropriate.
Do keep in mind data protection requirements.
The Data Protection Act 1998 provides that in relation to information to which it applies it should be retained ‘no longer than necessary’ for the purposes for which the information was originally collected. So give thought to how you can justify from the point of view of risk management or business needs what is necessary if you want to keep data much longer than the legal minimum. This is particularly important in relation to employment records as to which the following additional guidelines are apposite:
Adhere to standardised and consistent retention times.
Base the retention times on business need taking into account relevant professional guidelines and a risk analysis approach.
Assess who in the organisation is responsible for the retention of employment records.
Make sure no one retains information beyond the standard retention times unless there is a sound business reason for doing so.
If possible establish a computerised system which flags information retained for more than a certain time as due for review or deletion.
Anonymise any information about workers and former workers where practicable. Where statistical information only is required, anonymised records should be sufficient.
Consider when retention periods should start to run from and whether these can be set in advance and adopt consistency.
Determine those matters to which the chosen ‘default’ should not apply where you have good reason to keep the data for a longer or shorter period of time.
Take a proportionate, balanced and consistent approach.
The Institute of Chartered Secretaries and Administrators has produced "The ICSA Guide to Document Retention" (author Andrew C Hamer, ISBN: 1860722261). This is a very well regarded source and has recently been updated with a new edition due for publication in November 2011, ISBN: 9781860724732.
October 2011
Girlings Corporate and Commercial Team
© Girlings Solicitors 2011 save as acknowledged.