1. Policy Statement

This Policy sets out the obligations of KNAVCPA. (hereinafter referred to as the “Company”) regarding retention of data collected, held, and processed by the Company.

The Company defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

The Company only ever retains records and information for legitimate or legal business reasons and always complies fully with data protection laws, guidance and best practice.

  2. Purpose

This Policy sets out the type(s) of data held by the Company, the period(s) for which that data is to be retained, the criteria for establishing and reviewing such period(s), and when and how it is to be deleted or otherwise disposed of.

  3. SCOPE

This policy applies to all persons within the Company (meaning permanent, fixed term, temporary staff and sub-contractors engaged with the Company). Adherence to this policy is mandatory and non-compliance could lead to disciplinary or contractual action.

  4. RESPONSIBILITIES
  • The Accounts Manager is responsible for retention of financial (accounting, tax) and related records.
  • The Head of HR is responsible for retention of all HR records.
  • The Head of HR is responsible for retention of all Health and Safety records.
  • The Head of HR is responsible for retention of all other statutory and regulatory records.
  • The Head of Systems is responsible for storage of data in line with this procedure.
  • The Management Representative is responsible for ensuring that retained records are included in business continuity and disaster recovery plans.

 

  5. GUIDELINES & PROCEDURES

The Company retains data records efficiently and systematically, in a manner consistent with the requirements and regulatory Codes of Practice on Records Management. This policy is widely disseminated to ensure a standardized approach to data retention and records management.

 

Records will be retained to provide information about, and evidence of, the Company’s transactions, customers, employment and activities. Retention schedules govern the period for which records are retained and can be found in the Record Retention Periods document.

5.1 Retention Period Protocols

All company and employee information is retained, stored and destroyed in line with legislative and regulatory guidelines.

For all data and records obtained, used and stored within the Company, we:

  • Carry out periodical reviews of the data retained, checking purpose, continued validity, accuracy and requirement to retain
  • Establish periodical reviews of data retained
  • Establish and verify retention periods for the data, with special consideration given in the below areas:
    • the requirements of the Company
    • the type of personal data
    • the purpose of processing
    • lawful basis for processing
    • the categories of data subjects
  • Have processes in place to ensure that records pending audit, litigation or investigation are not destroyed or altered

 

5.2 Information Asset Owners

All systems and the records they contain have Information Asset Owners (IAO) throughout their lifecycle to ensure accountability and a tiered approach to data retention and destruction. Owners are assigned based on role, business area and level of access to the data required. The IAO is recorded on the Retention Register and is fully accessible to all employees. Data and records are never reviewed, removed, accessed or destroyed without the prior authorisation and knowledge of the Information Asset Owner.

5.3 Suspension of Record Disposal for Litigation or Claims

If the Company is served with any legal request for records or information, if any employee becomes the subject of an audit or investigation, or if we are notified of the commencement of any litigation against our Company, we will suspend the disposal of any scheduled records until we are able to determine the requirement for any such records as part of a legal requirement.

5.4 Storage & Access of Records and Data

Documents are always retained in a secure location, with authorised personnel being the only ones to have access. Once the retention period has elapsed, the documents are reviewed, archived or confidentially destroyed, depending on their purpose.

5.5 Expiration of Retention Period

Once a record or data has reached its designated retention period date, the IAO should refer to the retention register for the action to be taken.

5.6 Destruction and Disposal Of Records & Data

All information of a confidential or sensitive nature on paper or electronic media must be securely destroyed when it is no longer required. This ensures compliance with the Data Protection laws and the duty of confidentiality we owe to our employees, clients and customers.

The Company is committed to the secure and safe disposal of any confidential waste and information assets in accordance with our contractual and legal obligations, and to doing so in an ethical and compliant manner. We confirm that our approach and procedures comply with the laws and provisions made in the ISO 27001:2013 requirements and that staff are trained and advised accordingly on the procedures and controls in place.

5.6.1 Paper Records

Due to the nature of our business, the Company retains paper-based personal information and, as such, has a duty to ensure that it is disposed of in a secure, confidential and compliant manner. The Company utilizes a shredder to dispose of all paper materials.

Employee shredding machines are made available.

 

5.6.2 Electronic & IT Records and Systems

The Company uses numerous systems, computers and technology equipment in the running of our business. From time to time, such assets must be disposed of and, due to the information held on them whilst they are active, this disposal is handled in an ethical and secure manner.

The deletion of electronic records must be organized in conjunction with the IT Department, who will ensure the removal of all data from the medium so that it cannot be reconstructed.

Only the IT Department can authorize the disposal of any IT equipment and they must accept and authorize such assets from the department personally. IT equipment follows a fully auditable disposal process involving a combination of secure electronic and physical destruction methods to permanently erase data records prior to disposal of the asset.

In all disposal instances, the IT Department must complete a disposal form and confirm successful deletion and destruction of each asset. This must also include a valid certificate of disposal from the service provider removing the formatted or shredded asset. Once disposal has occurred, the IT Department is responsible for liaising with the Information Asset Owner and updating the Information Asset Register for the asset that has been removed.

It is the explicit responsibility of the asset owner and IT Department to ensure that all relevant data has been sufficiently removed from the IT device before requesting disposal.

 

5.6.3 Internal Correspondence and General Memoranda

Unless otherwise stated in this policy or the retention periods register, correspondence and internal memoranda should be retained for the same period as the document to which they pertain or support (i.e. where a memo pertains to a contract or personal file, the relevant retention period and filing should be observed).

Where correspondence or memoranda do not pertain to any document that has already been assigned a retention period, they should be deleted or shredded once the purpose and usefulness of the content ceases.

 

6. ERASURE

In specific circumstances, data subjects have the right to request that their personal data is erased; however, the Company recognises that this is not an absolute ‘right to be forgotten’. Data subjects only have a right to have personal data erased and to prevent processing if one of the below conditions applies:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
  • When the individual withdraws consent
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
  • The personal data was unlawfully processed
  • The personal data must be erased in order to comply with a legal obligation

 

  7. COMPLIANCE AND MONITORING

The Company is committed to ensuring continued compliance with this policy and any associated legislation, and undertakes regular audits and monitoring of our records, their management, archiving and retention. Information Asset Owners are tasked with ensuring the continued compliance and review of records and data within their remit.

  8. RETENTION PERIODS

As stated above, and as required by law, the Company shall not retain any data for any longer than is necessary in light of the purpose(s) for which that data is collected, held, and processed.


This site and the collected data is governed as per our Privacy Policy and adheres to GDPR and CCPA guidelines