Policy statement

Data Retention Policy

Policy Statement

In the course of business, Digital Space Group Limited collects and stores a broad range of information. This policy explains why we need to retain and delete information and the processes involved. It is followed by an Information Retention and Deletion Schedule, setting out the retention periods for Digital Space information.



The purpose of this policy is to formulate an internal schedule for the retention and eventual destruction of data records.

We have duties under legislation and/or regulations to retain information for certain periods of time, for example under anti-money laundering regulations or health and safety legislation. We also have other retention obligations to our insurers, regulators, accreditation bodies and customers. Balanced against this, the General Data Protection Regulation (‘GDPR’) only permits us to retain personal data for as long as is necessary for the purpose for which it was collected.

The accidental or intentional destruction of these records during their specified retention periods, or the retention of personal data for longer than those periods, could result in serious consequences for Digital Space and/or its employees, including criminal charges or significant fines (up to the greater of €20m or 4% of annual global turnover in the case of personal data). Failure to follow this policy could lead to disciplinary action.



  • Information: Can include both hard copy documents and electronic information. It may be stored at work premises, on electronic devices or stored online or in the It includes information belonging to or controlled by Digital Space which is stored by third parties such as suppliers, consultants or IT service providers. Some examples of where information may be located are:
    • Electronic files
    • Emails
    • Voicemails
    • Letters and other correspondence
    • Handwritten notes
    • Appointment books and calendars
    • Audio and video recordings
    • Contracts
    • Invoices
    • Memory in mobile phones and other devices
    • Websites such as Facebook, Twitter, Instagram
    • Instant messenger conversations such as Skype, WhatsApp
    • Performance reviews
    • Computer programs

  • Confidential Information: Could be business sensitive information relating to company finances, commercial agreements or product specifications, or it could be data about We may also hold third party information which is confidential.
  • Personal data: Some information which we store will be personal data. Storage of personal data is regulated by the GDPR. It includes any information which identifies an individual or relates to an identifiable It can include identifying someone by reference to an identifier such as a name, address, email address, ID number, location or an online identifier such as an IP address. Information relating to an identifiable individual’s physical, psychological, economic, cultural or social identity is also personal data. All personal data shall be treated as also being confidential information.
  • Special Category Personal Data: Some types of personal data are especially sensitive. These special categories of personal data include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning health, sexual orientation or sex Genetic or biometric data (such as fingerprint or retinal scan data) is also special category personal data. Criminal convictions and offences data is not special category data but its processing is restricted and it is similarly sensitive in nature. Due to the potential sensitivity of this data there are increased risks involved should it be lost or retained for longer than required.




This policy defines Digital Space’s established protocol regarding the retention and subsequent deletion of data.




Managers within the relevant departments that are responsible for data must ensure compliance with the Data Retention Schedule. They must ensure that retained data is appropriately protected from unauthorised access, as detailed in the Access Control Policy available on the Intranet or on Sharepoint.

Individuals responsible for the retention of data are additionally responsible for its destruction following the retention period.

The Chief Operating Officer (‘COO’) is responsible for ensuring compliance with Data Protection Legislation and with this policy. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the COO at compliance@digitialspace.co.uk.

The COO is the owner of this document and is responsible for ensuring that it is reviewed. An annual review will be performed to determine whether retention of data is adequate and appropriate. Subsequent disposal will not take place until a review has taken place. The relevant managers must ensure disposal is appropriate to the media involved.


Information Retention


Legal, regulatory requirements or agreed industry practices are captured in the Data Retention Schedule, which provides a more granular view of the policy.

Information must only be retained for the amount of time indicated in the Data Retention Schedule. A record must not be retained beyond the period indicated in the Data Retention Schedule, unless a valid business reason (or ongoing/anticipated litigation or other special situation) calls for its continued retention. If you are unsure whether to retain a certain record or if you believe information should be retained for longer than the period stated in the Schedule, contact the COO.

Retention of data will be in accordance with the Information Security Policy.

Information Deletion


Deleting information which is no longer required is of benefit to Digital Space and is also required by legislation. One of the principles of the GDPR is data minimisation– only collecting and processing the personal data necessary for the purpose for that collection and processing. Personal data should only be kept for as long as is necessary for the purpose for which it was collected. Minimising the amount of information we retain reduces the amount of information which can be lost in a cyberattack. Individuals also have the right to access the personal data we hold about them. The more personal data we store unnecessarily, the more burdensome it is to respond to these requests.

Deletion of data will comply with the following relevant documents:

  • Data Protection and Privacy Policy
  • Acceptable Use Policy
  • Secure Disposal or Re-Use of Equipment Policy



Information Destruction


The destruction of hard copy personal data and confidential, financial, and personnel-related records must be conducted by shredding.


Non-confidential records may be destroyed by recycling.

The destruction of electronic records must be coordinated with the Technical Director. Destruction of data will comply with the following relevant documents:

  • Data Protection and Privacy Policy
  • Acceptable Use Policy
  • Secure Disposal or Re-Use of Equipment



Third Party Data


Information we hold which is controlled by third parties will be deleted in accordance with the agreement in place with that third party.


Information under our control which is held by third parties on our behalf must be destroyed in line with this policy unless the agreement in place with that third-party states they have the right to retain data. The contracts in place with third parties will include provisions requiring the deletion and destruction of information.


Deletion and destruction of data will comply with the following relevant documents:

  • Data Protection and Privacy Policy
  • Acceptable Use Policy
  • Secure Disposal or Re-Use of Equipment

Reporting Policy Infringement

Digital Space is committed to enforcing this policy. The effectiveness of Digital Space’s efforts, however, depends largely on employees. If you feel that you do not understand this policy or you or someone else may have infringed this policy, you should report the incident immediately to your supervisor. If you are not comfortable bringing the matter up with your immediate supervisor, or do not believe the supervisor has dealt with the matter properly, you should raise the matter with the COO. If employees do not report inappropriate conduct, Digital Space may not become aware of a possible infringement of this policy and may not be able to take appropriate remedial action.


Data Retention Schedule


Customer/Supplier Data


Area (Owner) Examples Include Retention Policy






Core Information (Product Team

/Commercial Team / Finance)

·     Account Information – Name / Address / Payment Terms & Type etc.

·     Sensitive Account Information – Account Access Answer / Customer Portal Password

·     Contact Information – Individuals and their contact details

·     Listing of all Services(Live and Historic)

Retained for the life of an account and for 7 years after an accounts closure’

·     Records of orders

And any other records which relate to a customer















Retained for the life of an account and for 7 years after an accounts closure




Financial Information (Finance)

·     Direct Debit Details

·     Invoices – Manual & Standard

·     Sales Ledger Transactions

·     Payment Status

·     Journal Entries

·     Record of Invoices and Services contributing towards them

Customer Notes (Client Operations Director) ·     Tickets / Notes / Tasks (including attachments)

·     Incidents (including attachments)

·     Sales & Marketing Activity





Customer Usage (Client Operations Director)

·     Broadband Usage Logs

·     Mobile Usage Logs

·     Fixed Line Usage Logs

·     Internet Telephony Usage Logs

·     Email Usage Logs

·     Internet Access Usage Logs

·     And any other usage records





Retained for 2 years following date of usage


PCI (Commercial Director)



PCI Logs

System, event and audit logs are retained for 3 year and are immediately available for analysis.

CCTV (Head of Facilities)




CCTV images are retained for 30-90 days dependent on the camera location, and are immediately available for analysis.



Internal Data


Area (Owner) Description Retention Policy








HR Records (HR Director)


Recruitment records:

·     completed online application forms or CVs;

·     equal opportunities monitoring forms;

·     assessment exercises or tests;

·     notes from interviews and shortlisting exercises;

·     pre-employment verification of details provided by the successful candidate, for example, checking qualifications and taking up references. (These may be transferred to a successful candidate’s employment file.









12 months after the conclusion of the recruitment process



Personnel records:

·     qualifications/references;

·     consents for the processing of special categories of personal data;

·     annual leave records;

·     annual assessment reports;

·     disciplinary procedures;

·     grievance procedures;

·     death benefit nomination and revocation forms; and

·     resignation, termination and retirement.

Contracts of employment, written particulars of employment and any alterations to the terms and conditions if applicable.









6 years from the date an employee leaves the employment of Digital Space

HR Records

(HR Director)

Medical records and details of biological
tests under the Control of Lead at Work
Medical records as specified by the
Control of Substances Hazardous to Health Regulations (COSHH) 40 years from the date of the last entry
Medical records containing details of
employees exposed to asbestos
Medical records under the Control of
Asbestos at Work Regulations
Until the person
Medical records under the Ionising reaches 75 years of
Radiations Regulations 1999 age, but in any event
for at least 50 years
12 years from the end
Retirement Benefits Schemes – records of the scheme year in
of notifiable events, for example, relating which the event took
to incapacity place



Records of tests and examinations of control systems and protective equipment under the Control of Substances Hazardous to Health Regulations (COSHH)  

5 years from the date on which the tests were carried out


HR Records (HR Director)


Medical examination certificates

4 years from the date of issue




Accident books, accident records/reports

3 years from the date of the last entry (or, if the accident involves a child/ young adult, then until that person reaches the age of 21). (See below for accidents involving chemicals or asbestos)

Statutory Maternity certificates (Mat B1s) or other medical evidence

3 years after the end of the tax year in which the maternity period ends

Statutory Sick Pay certificates, self- certificates

3 years after the end of the tax year to which they relate

Records relating to working time

2 years from date on which they were made

Records relating to children and young adults

Until the child/young adult reaches the age of 21




Finance records (Group Financial Controller)

Wage/salary records (also overtime, bonuses, expenses)  

6 years



Accounting records

3 years for private companies, 6 years for public limited companies

Income tax and NI returns, income tax records and correspondence with HMRC

Not less than 3 years after the end of the financial year to which they relate



Statutory Maternity Pay records, calculations

3 years after the end of the tax year in which the maternity period ends

Statutory Sick Pay records, calculations

3 years after the end of the tax year to which they relate


National minimum wage records

3 years after the end of the pay reference period following the period that the records cover

Staff Usage


Internal files

Retained for life of business
Email boxes Kept 7 years following employee leave date