General Data Protection Regulation (GDPR) – Personal Data Retention Policy

We recognise that personal data should be retained for no longer than is necessary for the purpose it was obtained.  By disposing of data when it is no longer needed we are reducing the risk that it will become inaccurate, out of date, irrelevant or misappropriated.

There is no specific minimum or maximum period for retaining personal data instead the Data Protection Act / GDPR states that:

Personal data shall not be kept for longer than is necessary for that purpose or those purposes.  This means each department needs to:-

  1. Review for how long you keep personal data.
  2. Consider the purpose or purposes for which you hold information in deciding whether and for how long to retain it.
  3. Securely delete information that is no longer needed and
  4. Update, archive, destroy or securely delete information if it goes out of date.

Concerns about holding personal data

It is recognised that keeping personal data too long can cause the following problems:-

  • An increased risk that the information will go out of date and that outdated information will be used in error to the detriment of all concerned.
  • The data is likely to become inaccurate
  • Even though no longer needed the personal data must still be held securely.
  • Responding to subject access requests for any personal data you hold may be more difficult and time consuming if you are holding more data than you need.

Approach to deciding about retention of data

At regular intervals we are responsible for reviewing the personal data held and deleting anything no longer needed.  Information that does not need to be accessed regularly but which still needs to be retained must be safely archived or put offline.

Retention periods have been established for different categories of information.  The retention periods take into account any professional rules or regulatory requirements that apply.

The responsible Director will ensure that we keep to these retention periods in practice and that there is a documented policy relating to retention periods that is reviewed regularly and updated as necessary.

Every 18 months the responsible Director will contact each department and request that they review the retention periods for the personal data they hold.

Every 24 months a refresher course on Data Protection must be undertaken including reference to retention of data.

What determines how long we hold data for?

Personal data will need to be retained for longer in some cases than in others.  The length of time personal data is retained for must be based on business needs.  A judgement must be made about:

  • What the information is used for
  • Surrounding Circumstances
  • Legal or regulatory requirements
  • Industry practices

Retention Periods:

  • Insurance Records with an (Employers Liability element) – 60 years
  • Liability records (other than Employers Liability) – 12 years
  • Other General Insurance Records – 7 years
  • PI Records – 7 years
  • Personal lines – Motor 7 years
  • Personal Lines – Household 7 years
  • Compulsory Motor Insurance / Road Risks – 12 years
  • Marine Insurance – 7 years
  • Complaints records – Once resolved, 12 months. Subsequently skeleton records on the complaints log will be retained.
  • Claims Records – Once full and final settlement, 5 years. Skeleton information will be retained after that date, which includes settlement amount, brief details of incident, insurer, date of incident and Insured
  • Human Resources Records – 7years following termination of employment.  Prospective employees records will be kept for a maximum period of 6 months
  • Training Records – 6 years from the date employees cease to work for the company
  • Agents records – 6 years from cessation of the agreement.
  • Agents employees records – Once an employee has left an agent their details will be removed from our data bases / e-mail Contacts. Reference may be made to ex-employees in other documents, such a meeting reports/correspondence.
  • Appointed Representatives (which may include personal data) – 3 years from the date the relationship is terminated and / or the contract is amended.
  • Partner Records – Once a partnership or a delegated authority has ceased, full records will be kept for 6 years.  After that date skeleton records about the partner will be archived, excluding any personal data.
  • Partner Employee Records – Once an employee has left a Partner their details will be removed from our data base / e-mail contacts. Reference may be made to ex-employees in other documents, such meeting reports/correspondence.
  • Accounting Records – 6 years
  • Client Money Audits – 6 years

At the end of the retention period.

Our Privacy Notice makes it clear to people what will happen to their information when they no longer have a relationship with us.

We advise individuals that the data will be deleted irretrievably or simply deactivated or archived.  It is noted that the rules around Data Protection apply to data that is archived.

The DPA / GDPR does not provide a definition of delete or deletion.  However, plain English interpretation implies destruction.  With paper records this is easy to comply with through shredding however, with data that is held electronically it is much harder.  It is noted that some data that is held electronically may be deleted but still exist in some format within our systems.  As a firm we need to be absolutely clear about what we mean by deletion and what actually happens to personal data once deleted.  This information is included in our Privacy Notice.

The ICO under the GDPR will adopt a realistic approach in terms of recognising that deleting information is not always a straight forward matter and that it is possible to put data beyond use.

Archiving

Once a paper file is no longer live it should be shredded or archived.

Shared Information

Where personal data has been shared between organisations, once it is no longer necessary to share the information the information must be returned to the organisation that supplied it, without keeping a copy.

In other cases, with agreement, all the organisations involved should delete their copies of the information in line with their data retention policies.

Complete the form below for details of our Cyber/GDPR data breach insurance solution

Fields marked with an * are required

Please answer the following 5 QUESTIONS:

4. Please carefully review the Eligibility Criteria below and advise if you do not agree with ALL of the statements

- Your company has been in operation for more than 24 months
- USA revenues are less than 25% of the overall revenue
- Revenues from online or automated platforms account for less than 25%
- Revenues from credit card transactions account for less than 25%
- If you handle credit card transactions, you are compliant with the data security standard of PCI (the Payment Card Industry Data Security Standard)
- You don’t use SCADA (Supervisory Control & Data Acquisition) or similar process control software
- You have not sustained any losses or has not been subject to any claims in the past 5 years which would be covered under the proposed insurance.
- There are no acts, errors, omissions, circumstances, facts, situations, events, incidents or transactions which you aware of, or ought reasonably to have been aware of, that may give rise to a claim or loss under the proposed insurance.
- All material facts have been disclosed.

Disclaimer

The purpose of this overview is to provide a summary of our interpretation of aspects of the GDPR regulations. This is not an analysis of the law and does not constitute a legal opinion or advice by Insurance2day Insurance Services Ltd. The contents of this overview, or any downloads, should not be relied upon – all companies need to take their own specialist qualified legal advice on any matter that relates to GDPR.