DWP Information Management Standard
Updated 4 March 2026
This is version 1 effective from 2 February 2026
This DWP Information Management Standard is part of a suite of standards designed to promote consistency across the Department for Work and Pensions (DWP) and its supplier base with regard to the implementation and management of security controls. For the purposes of this standard, the terms DWP and Department are used interchangeably.
Security standards and policies considered appropriate for public viewing are published on DWP procurement: security policies and standards.
Technical security standards cross-refer to each other where needed, so can be confidently used together. They contain both mandatory and advisory elements, described in consistent language (see table below).
Table 1 – Terms
| Term | Intention |
|---|---|
| must | denotes a requirement: a mandatory element. |
| should | denotes a recommendation: an advisory element. |
| may | denotes approval. |
| might | denotes a possibility. |
| can | denotes both capability and possibility. |
| is/are | denotes a description. |
Overview
The DWP Information Management Policy and this standard ensure we follow the information lifecycle governing how we create, store, use, and dispose of information to meet business requirements and legal obligations.
The Corporate, Customer and Human Resources (HR) Retention Schedules tell you which documents and information you need to keep, for how long, and where to keep them.
Scope
This standard applies to all information, regardless of the format, for example electronic or paper.
Definitions
Users
This is the collective term used to describe all those who have access to the Department’s information and information systems as outlined in the scope of the DWP Information Management Policy.
Staff
All DWP employees whether permanent or temporary, including contractors, partners, and service providers.
Information
All information of whatever nature, however conveyed and in whatever form, including in writing, orally, by demonstration, electronically and in a tangible, visual or machine-readable medium.
Records
Defined in ISO 15489 (Standard) as information created, received, and maintained as evidence and information by an organisation or person in pursuance of legal obligations or in the transaction of business.
Personal data
Means any information which relates to a living individual who can be identified from it, or who can be identified when that data is combined with other information.
Disposal
The process of carrying out decisions on information/records that are no longer needed. This includes secure destruction of information/records and transfer of key records to an approved archive for long-term preservation.
General Information Management Principles
This standard and the principles outlined within it have been developed to provide a consistent approach to managing information and records throughout their whole lifecycle, to achieve DWP’s efficient management of records for the effective delivery of its services, to document its principal activities and to maintain the corporate memory.
1. Users must follow this standard to help DWP comply with its legal and regulatory obligations.
2. Users must follow DWP Disclosing personal data procedures when disclosing data to third parties.
3. Only the minimum amount of information must be created, stored and used for business purposes.
4. There must be clear ownership of all information throughout the lifecycle.
5. Documents stored in SharePoint or OneDrive must have a retention label applied to manage disposal.
6. Users must follow the DWP File Naming and Version Control.
7. Individual and shared email mailboxes must not be used to archive or store non-active team emails or any employee or customer personal data.
8. Individual and shared email mailboxes must be regularly cleansed, and corporate information moved to SharePoint.
Customer Records
Definitions
Customer Record
These include any document or information related to a claimant or customer used to administer pensions, welfare, or Child Maintenance, including those used to prevent or detect fraud.
Corporate Record containing customer Information
Customer’s personal data used solely for managing workflow or caseload (e.g. Lists, spreadsheets for reports, trackers).
Live Interest
Where DWP has a current and active need to use the customer record. This includes the period during which a customer’s claim or case is active and also additional DWP purposes such as fraud or overpayments (see Customer Records Retention Schedule).
Supporting Records
Documents or information that influence benefit or Child Maintenance case decisions, and may be needed for appeals, fraud investigations, or payment assessments.
Non-Supporting (Ephemeral) Records
General documents that do not impact a claim (e.g. enquiries, templates, cover sheets). These are not retained as supporting evidence.
What Retention Period applies?
Please see Customer Records Retention Schedule.
Customer Records standard retention is:
- Supporting Customer Records – 24 months
- Ephemeral records – 4 weeks
Customer Record Principles
1. Customer Records (and data) MUST only be stored in approved departmental IT systems, such as Personal Independence Payment Computer System, or Universal Credit Build. Evidence (forms, PDFs etc.) must only be stored on recognised DWP evidence storage systems such as the Enterprise Content Management System (ECMS).
2. Customer’s personal data must not be retained for longer than is necessary. Once there is no valid business reason to keep the data, it must be securely and permanently deleted or anonymised.
3. Corporate records containing customer information may be stored in SharePoint as Information Assets, subject to inclusion in the Information Asset Inventory.
4. Customer Records must not be stored in SharePoint unless there is clear business justification that has been assessed and signed off by a Grade 6 or above. The records must be stored with appropriate access controls and retention labels. If the information is retained longer than 3 months users must record it on the Information Asset Inventory.
5. Users must decide if information is supporting or ephemeral, as defined in the customer records definitions section, and ensure that only supporting information is retained for longer than four weeks.
6. Retention periods must be applied to all claim-related information, regardless of whether the claim is successful or unsuccessful.
7. Duplicate information must not be retained under any circumstances. Only the authoritative version of a record should be maintained.
8. Supporting records and all paper documents that have been scanned or uploaded into electronic systems must be destroyed within 4 weeks of scanning or uploading with two exceptions:
a) For Child Maintenance Group (CMG), hardcopy documents must be retained for 6 weeks.
b) For Disability Living Allowance (DLA) Child Centre and International Pensions Centre (IPC), hardcopy documents must be retained for 16 weeks.
9. Documents or information stored in electronic systems must not be printed, unless required to support an appeal or prosecution and access to the relevant system is not available.
10. Where information or record exposure to unauthorised parties could constitute a risk-of-harm or risk-to-life, consideration should be given to raising a request to make citizen data a special customer record to enhance access monitoring and protection.
Clerical and Paper Customer Records
11. Wholly Clerical customer records, including Armed Forces Independence Payment (AFIP), must be retained locally.
12. Industrial Injuries Schemes (IIS) and Incapacity Benefit (IB) supporting records and Non-Associated post (NAP) must be sent to Remote Stores.
13. Non-supporting or ephemeral records must not be sent to Remote Stores under any circumstances.
Destruction of Customer Records
14. Data protection legislation does not specify retention periods and is not the basis for disposal decisions. Retention periods are determined based on business need and, in some cases, legal requirements relating to the specific purpose of the information. The disposal of customer records and information must be carried out in accordance with the DWP Information Management Policy (IMP).
15. Only approved standard responses must be used when responding to public enquiries about record destruction. Use Standard Letter 1 if destruction followed the IMP, and Standard Letter 2 if it did not, including cases of accidental or partial destruction.
16. You must not keep Customer Records ‘just in case’ they may be needed at some point in the future.
Destruction Embargoes
17. Temporary destruction embargoes or easements to standard retention periods may be applied to Customer Records based on legal or business requirements. These may apply to records regardless of format.
18. To request an embargo or easement, the designated request form must be completed and submitted to DWP Knowledge Information and Records Management.
19. The embargo process flow must be followed when applying or managing a destruction embargo.
Interests
20. If any case has the following live interests, they must be retained until the end of that interest. At the end of the interest the retention periods detailed in the customer records retention schedule then apply.
- Fraud - including active investigations.
- Overpayments and Debt Management - including civil proceedings, Recovery from Estates and Compensation Recovery.
- Appeals - including Mandatory Reconsiderations.
- Customer feedback or complaints being dealt with by Independent Case Examiner (ICE) cases & Parliamentary Health and Service Ombudsman (PHSO) Cases only.
- Criminal Cases Review Commission cases
HR Records
Definitions
HR records
These include all HR and staff related documents and Information.
Line Manager
A person with direct managerial responsibility for a particular employee.
What Retention Period applies?
Please see HR Records Retention Schedule.
Handling HR Records
1. DWP is committed to handling and accessing HR Records responsibly and in full compliance with data protection laws. These procedures apply to all formats of personal data, including electronic and paper records.
Responsibilities
2. All users must ensure that HR records are handled securely and processed in a lawful, fair, and transparent way. Users are responsible for protecting the privacy, security, and correct classification of any personal data they hold.
3. If you have access to employees’ personal data in your job, you are personally responsible for ensuring that it is kept secure, that it is only shared with those people who have authority to use it, and that it is destroyed at the correct time.
4. Misuse of personal employee information or a failure to treat it securely is a disciplinary offence. On some occasions it may be a criminal offence under the DPA and UK GDPR. Any breach of these protocols will be taken seriously, the penalty for which can be dismissal.
General
5. All Line Managers responsible for processing or keeping personal data about other employees must adhere to the DWP Information Management Policy, this standard and the HR Retention Schedule.
6. Only access the employee records you need for your job. Don’t view or use personal data for any other reason.
7. To protect employee personal data, DWP HR processes must never store or process name, date of birth, and National Insurance Number together. Any exceptional need must be approved in writing by a senior civil servant in the relevant directorate, who will ensure secure handling and timely destruction of the information.
8. OneDrive must be used to store employee personal data related to activities as an employee of DWP, as a member of a team, and any charitable activity authorised by DWP, unless point 14 applies. For example, documents including your flexi sheets, People Performance and Community 10,000.
9. Users must only process digital HR records on IT equipment provided by DWP.
10. In exceptional circumstances employees may apply to have either or both their home address and telephone number removed from the SOP (Single Operating Platform) system or to be set as an employee type ‘protected’. To have a record protected please contact Employee Services.
Creating HR Records
11. DWP creates, processes and keeps personal data about its employees for a variety of reasons, for example, to administer pay and to operate its attendance management policy – for more information see DWP Employee Privacy Notice.
12. Information must be:
a) Accurate and Factual
b) Relevant and necessary
c) Stored, managed and deleted appropriately throughout the information lifecycle.
Storing HR Records
13. Any HR records or employee information held electronically must be stored in an approved DWP IT system, such as OneDrive and/or SOP. Personal data which needs to be shared (in line with data minimisation principles) should be shared by granting access to files or folders in OneDrive, with all permissions subject to regular review to ensure only those with a legitimate business need retain access.
14. HR Records must not be stored in SharePoint unless there is clear business justification that has been assessed and signed off by a Grade 6 or above. The records must be stored with appropriate access controls and retention labels. If the information is retained longer than 3 months users must record it on the IAI.
15. If an employee leaves the department for any reason, as the final Line Manager, you must continue to store the information held electronically in line with the HR retention schedule. Any documentation to be retained for 85 years that is not currently held digitally on SOP must be sent to Employee services as soon as it is identified. The local copy should then be securely destroyed.
16. When there is a change of Line Manager, staff data held in OneDrive by the outgoing Line Manager must be securely transferred to the new Line Manager to ensure continuity and compliance with data management policies.
17. Staff can request rectification of HR personal data. For further information see DWP Employee Privacy Notice.
Using and Sharing HR records
18. Employees can request access to their personal data via a Right of Access Request (RAR) through the Shared Services Data Protection Team.
19. In line with DWP HR Records Retention Schedule, Line Managers may retain specific HR personal data locally where there is a clear and documented business continuity need. However, managers must ensure that only data required for operational purposes is retained, and that it is stored securely and reviewed regularly.
Disposing of HR Records
20. Personal data must not be kept for longer than is necessary. DWP is responsible for deciding how long personal data is kept on the basis of business need.
Corporate Records and Key Corporate Records
DWP is legally required under the Public Records Act to keep accurate records of how it operates. Records are created each year that are of such importance to the fundamental operation of the department that they may need to be retained for permanent preservation, and these records must be available for public scrutiny and legal purposes.
Definitions
Corporate records
These include all documents and data created by you in day-to-day business (e.g. Meeting papers, business plans, Risk management documents), including any finance and procurement records.
Key Corporate Record
These are high value corporate content documents that record significant decisions, actions, or policies.
Registered files
Are the means by which DWP controls, protects and maintains its Key Corporate records throughout the information lifecycle.
Electronic Registered Filing in SharePoint (ERFIS)
Is DWP’s storage solution used to control and manage its key corporate records (registered filing).
Corporate Record Box
Are used by exception to store bulky paper records that would otherwise be held in a registered file, for example finance, legal, estates and procurement documents.
The Corporate Records Retention Schedule sets out the different types of records commonly found in DWP, where such records should be stored, and for how long.
Your role in managing Corporate Records
1. Everyone in DWP creates corporate records: this could range from local team plans or meeting notes to changes in legislation or policy. Other examples for finance include local team purchases and central finance spending. These are all examples of corporate records.
2. All users are responsible for:
a) Keeping accurate records of their work
b) Managing Corporate Records correctly
3. Corporate records can be in any format—email, paper, digital files, audio, etc. It’s the content, not the format, which defines a corporate record or a Key Corporate Record.
4. Corporate Records must be stored in DWP approved storage repositories only.
5. Corporate records which are deemed to be an asset, and that we keep for three months or longer, must be recorded on the Information Asset Inventory (IAI). Information that is stored in a registered file does not need to be recorded on the IAI; this is recorded on your registry file list.
What is a Key Corporate Record?
6. A Key Corporate record is any information of high value that:
a) Provides evidence of a significant business activity – e.g. key decisions, spending, contracts, policy, legal or department planning.
b) Ensures legal compliance – helping DWP respond to:
- Freedom of Information (FOI) requests
- Public inquiries
- Legal challenges
- Judicial Reviews
7. Users must use their business area’s expertise (engaging with line management as needed) to determine what is of high value and a Key Corporate Record (registered filing) in their teams and business areas. The What is a Record? page will help you decide what is a Key Corporate record.
8. Key Corporate Records (registered filing) must only be stored in SharePoint using ERFIS, unless an exception is agreed with DWP Knowledge Information and Records Management.
9. To protect the integrity of DWP’s information, Key Corporate Records must be transferred from your SharePoint business as usual (BAU) library, into your ERFIS registered File library.
This ensures they are:
- Secure
- Easy to find
- Legally compliant
Your BAU library is for the storage of your day to day corporate records. The ERFIS registered filing library is for the storage of key corporate records only.
10. The destruction of any information held in a registered file can only be authorised by the Departmental Records Officer (DRO) and under no circumstances can these records be destroyed/deleted locally.
11. Users must manage registered files in line with the registered file guidance.
12. Registered files may need to be retained for permanent preservation with The National Archives in compliance with the requirements of the Public Records Act.
File/Folder Naming
1.) File Naming
The file name or title should be a meaningful but concise description of the information contained in the document.
There are some technical restrictions on file names.
2.) Folder Names
If you choose to use a folder structure to manage your information, folders should be meaningfully named using a subject or function rather than around the people in the team e.g. ‘Communications’ etc and not ‘Joe’s Files’ etc.
There are some technical restrictions with the use of folders.
Version Control
1.) Automatic version control
SharePoint has automatic version control. It keeps a historical log of what changes were made, the date and time of each change, and the user who made the change. This can be used to keep a complete and comprehensive history of the document and meets the requirement for Key Corporate records (Registered filing).
2.) Manual version control
If there is a business need to use a more traditional version control, then this can be applied by business users as and when required.
Contact us
If you hold information and are unsure which retention period applies, or have any questions regarding the Information Management Policy, this Information Management Standard, or the retention schedules, please contact us at data.protectionofficer@dwp.gov.uk.