1.0 Introduction

In the course of carrying out its various functions, Appleby’s creates and holds a wide range of recorded information. Data need to be properly retained to enable Appleby’s to meet its business needs and legal requirements, to evidence events or agreements in the event of allegations or disputes, and to ensure that any data of historic value are preserved.

Appleby’s Solicitors Limited (trading as ‘Appleby’s Solicitors’), registered in England and Wales under company registration number 06793199, is committed to complying with the law and regulations in all our business activities, including applicable Data Protection Laws.

We are committed to using all appropriate technical and organisational measures to ensure the protection of both customer and employee personal data.

The untimely destruction of Data could affect:

  • the conduct of Appleby’s business and its reputation;
  • the ability of Appleby’s to defend legal actions against it;
  • Appleby’s ability to comply with statutory obligations.

Conversely, the permanent retention of Data is undesirable, inappropriate and unlawful under the GDPR. Disposal is necessary to free up storage space, reduce administrative burden (not least the process of offsite storage) and to ensure that Appleby’s does not unlawfully retain Data for longer than necessary (particularly those containing personal data).

This policy therefore supports Appleby’s in demonstrating public accountability through the proper retention of data and by demonstrating that disposal decisions are taken with proper authority and in accordance with due process. It also sets out the expected behaviours of our employees, contractors and third parties in relation to the retention, storage and destruction of all data held within the business (including personal data). This policy should be read in conjunction with our Data Protection policy.

2.0 Purpose

The purpose of this policy is to set out the length of time that Appleby’s data should be retained and the processes for disposing of data at the end of the retention period.

The policy helps to ensure that Appleby’s operates within the applicable regulatory framework set out at Annex C.

3.0 Scope

The policy covers all personal data that is defined by GDPR as:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

With regard to Appleby’s processes, it is likely that such data covers areas including:

  1. All client matters (client files and records)
  2. All staff related matters (HR)
  3. Third party suppliers and subcontractor related matters

Definitions

Personal Data: Any information (including opinions and intentions) which relates to an identified or identifiable natural person.
Identifiable natural person: Anyone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data Controller: A natural or legal person, Public Authority, Agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
Data Subject: The identified or identifiable natural person to which the data refers.
Process, processed, processing: Any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means. Operations performed may include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Protection: The process of safeguarding Personal Data from unauthorised or unlawful disclosure, access, alteration, Processing, transfer or destruction.
Data Protection Authority: An independent Public Authority responsible for monitoring the application of the relevant Data Protection regulations – in the UK this is the ICO.
Data Processors: A natural or legal Person, Public Authority, Agency or other body which Processes Personal Data on behalf of a Data Controller.
Consent: Any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.
Special Categories of Data: Personal Data pertaining to or revealing racial or ethnic origin, political opinions, religious beliefs, data concerning health or sex life and sexual orientation, genetic data or biometric data.
Third Country: Any country not recognised as having an adequate level of legal protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data.
Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
Encryption: The process of converting information or data into code, to prevent unauthorised access.
GDPR: The General Data Protection Regulation.

4.0 Application

The policy applies equally to all employees on a substantive or fixed term contract and to associated persons who work for Appleby’s such as agency staff, contractors and others employed under a contract of service. Departmental Heads and the Data Protection Officer (Graham Balmforth) are responsible for ensuring that this policy is applied within their Departments. The DPO has lead responsibility for Data management within Appleby’s.

5.0 Minimum Retention Period

Unless any data has been marked for ‘permanent preservation’ it should only be retained for a limited period of time. Data that are marked for ‘permanent preservation’ should only be held by Appleby’s for a total of 16 years before being destroyed or otherwise reviewed for data transfer.

A mandatory minimum retention period is not provided for personal data because, given the range and diversity of data held by the firm, such a period would not be consistent throughout the firm and could lead to confusion.

Periods specified in the data protection policy are as follows:
The Firm has a duty to retain some staff and applicant personal data for a period of time following their departure from the firm, mainly for statutory reasons, but also for other purposes such as being able to provide references and confirmation of service dates and duties, ethnicity monitoring or for financial reasons, for example relating to pensions and taxation.

In all cases retention of this staff data will not exceed the maximum period for which the data should be held to account for these statutory impositions. In all cases no data will be held for longer than 15 years.

With reference to client data, and data held on client files regarding personal injury, clinical negligence, industrial disease or other tortious liability claims, whether paper or electronic, no data will be held for a period exceeding 6 years following administrative closure (as opposed to file closure or matter conclusion). Data for other actions involving professional services (for example wills and probate, and conveyancing) will, in line with the regulatory imposition, be held for a maximum of 15 years in paper form and 6 years in electronic form.

All paper held data will be destroyed by reference to a schedule maintained by the firm and controlled by the DPO which details the archive and destruction date. All paper data will be destroyed by high security graded mechanical cross shredding and bleached pulp recycling of the shredded material.

Electronic data will be destroyed by deletion and overwriting / defragmentation software.

6.0 Disposition

The DPO is responsible for ensuring that the various classes of data held are periodically reviewed (annually at the Data Review) to determine whether any retention periods applying to Data within the firm require adjustment and whether new categories of data have arisen which require classification for disposition.  Once the retention period has expired, the Data must be reviewed and a ‘disposition action’ agreed upon.  A ‘disposition action’ is either:

  • the destruction of the Data;
  • the retention of the Data for a further period within Appleby’s;
  • the transfer of the Data away from Appleby’s control if appropriate (return to SRA / Law Society / National Archive).

Each of these options is described further below.

A review of the data should take place as soon as possible but within 14 days after the expiry of the retention period. With regard to client files and medical records the schedule sets out the maximum time for retention and no review beyond confirming that this time has elapsed is necessary. With regard to staff and supplier data a review should be recorded by the DPO that the data is no longer required and that the data may be subject to a disposition regarding destruction etc.

Such a disposition decision must be reached having regard to:

  • on-going business and accountability needs (including audit);
  • current applicable legislation;
  • whether the Data has any long-term historical or research value;
  • best practice or guiding legislation in the applicable professional field (for example human resources);
  • costs associated with continued storage versus costs of destruction;
  • the legal, political and reputational risks associated with keeping, destroying or losing control over the Data.

Decisions must not be made with the intent of denying access or destroying evidence.

The agreed disposal decision must be recorded on a data disposition form (which will form part of the Lexcel closure risk assessment in the case of client files but will be set out as a DDF for other data). The form will be available from the shared drive and will contain the following:

  • Description of the Data;
  • The medium on which it is held, e.g. CD, paper file etc;
  • The department which created or held the Data;
  • The date of the creation of the Data and the date of review;
  • The disposition decision;
  • If there has been a disposal decision then the method of disposal;
  • A summary of the reasons for the decision;
  • The titles of the officers consulted;
  • The signature of the person authorising disposal (DPO).

Completed forms will be held by the DPO.

7.0 Destruction

IMPORTANT! No destruction of Data should take place without assurance that:

  • the Data is no longer required by any part of the business;
  • no work is outstanding by any part of the business;
  • no litigation or investigation is current or pending;
  • there are no current or pending FOIA or DPA access requests which affect the Data.

Destruction of Paper Data

Destruction should be carried out in a way that preserves the confidentiality of the data. Non-confidential data i.e. data that is clearly in the ‘public domain’ can be placed in ordinary rubbish bins or recycling bins.

Confidential Data, however, should be placed in the shredded “letterbox bins” and thereafter placed in cloth rubbish sacks for collection by an approved disposal firm. All cloth sacking that is removed from the letterbox bins will be stored in the Data room by the DPO. All copies including security copies, preservation copies and backup copies should be destroyed at the same time in the same manner.

Shredding by an authorised agent will be via the cross shredding method and retained paper will then be burnt.

Destruction of electronic data

All electronic Data will need to be either physically destroyed (and a record of destruction certified) or wiped to the current Government standard. Deletion of the files is not sufficient. Destruction will be overseen by the DPO; physical destruction of data held on HDD or SSD will be conducted (or overseen) by the DPO.

Suspending the destruction date

If a claim, audit, investigation, or litigation has been asserted or filed by or against LBS Legal or is reasonably foreseeable, we have an obligation to retain all relevant records, including those that otherwise would be scheduled for destruction under the records retention schedule.

Further Retention within Appleby’s

The data may be retained for a further period if it has on-going business value or if there is specific legislation which requires it to be held for a further period. In any event no data of any kind will be retained longer than is reasonable or necessary according to its type and purpose.

The National Archives has produced transfer application forms and detailed guidance as to the preparation of Data for transfer to The National Archives. The Lord Chancellor’s Code of Practice on the Management of Data also contains guidance as to the FOIA aspects of transferring Data to The National Archives where appropriate.

8.0 Further Information

This policy should be read in conjunction with Appleby’s Data Protection Policy and the Office Procedure Manual. Any queries about this policy or about data management within Appleby’s should be directed to the DPO, Mr Graham Balmforth.

9.0 Review

This policy was made on 14th May 2018 and will be reviewed on or about 1st May 2019 (~Data policy Review Date) in combination with the Principal Solicitor and the Chief Cashier or by COLP and COFA should those positions be held elsewhere.

10.0 Training

All employees will have their responsibilities under this policy outlined to them as part of their induction training. All employees will complete an annual refresher of this training.