Data Retention Policy

The purpose of this policy is to create a framework to ensure sensitive information data is regularly reviewed and disposed of when they are no longer needed.

Scope

The scope of this policy covers the retention of all data held by Scottish Investment Operations. Moreover, this also applies to any third-party contractors or vendors that may hold information on Scottish Investment Operations in order to conduct business with and for the company. This includes payment information, customers’ data and employees’ data.

The information contained in this policy represents the actions taken by Scottish Investment Operations concerning all data, and its storage or deletion.

Storage

All data and records should be stored securely to avoid misuse or loss. All data will be stored in the most convenient and appropriate location relating to the period of retention required and the frequency with which access will be made to the record.

The degree of security required for file storage will reflect the sensitivity and confidential nature of any material recorded. Any data file or record which contains personal data of any form can be considered as confidential in nature. Examples of appropriate storage include password protected electronic documents and locking paper documents in a secure cupboard or drawer.

 

Retention

There should be a documented business case to store any personal data. Data and records should not be kept for longer than is necessary to fulfil the original purpose.

Scottish Investment Operations store data for the minimum possible period and the retention period is specific to each customer. However, no data file or record should be retained for more than three years after it is processed unless a good reason can be demonstrated. Reasons for longer retention may include:

·        If there is a threat of litigation, records likely to be affected should not be amended or disposed of until the threat has been removed

·        Records are maintained for the purpose of retrospective comparison (e.g. finance)

·        Records contain information relevant to legal action which has been started or is in contemplation

·        Records relate to individuals or providers of services who are judged unsatisfactory. The individuals may include employees or volunteers who have been the subject of serious disciplinary action

·        Records should be archived for historical or research.

·         Statute requires retention for a longer period

Destruction, Disposal and Deletion

All information of a confidential or sensitive nature must be securely destroyed when no longer required and a register of the disposal of such records maintained.