Records Management Policy
Updated 6 September 2024
© Crown copyright 2024
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/slcs-data-retention-policy/records-management-policy
1. Introduction
1.1 Purpose
1.1.1 This Records Management Policy (the “Policy”) sets out the Student Loans Company Limited’s (“SLC,” “we,” “us” and/or “our”) commitment to achieving standards in Records Management in line with best practice. It provides the framework within which employees manage our information. Specific standards, procedures and guidance ensure that records are managed and controlled effectively, and commensurate with legal, operational and information needs and in line with Stakeholder expectations.
1.1.2 This Policy enables SLC to establish good practices around the handling of records, promoting a culture of awareness and improvement.
1.1.3 Records Management is vital to the delivery of SLC services, supporting delivery in an orderly, efficient and accountable manner. Effective Records Management enables SLC to have the right information at the right time to make the right decisions. Information including records within SLC are an important corporate asset.
1.1.4 This Policy aims to ensure that records, whatever form they take, are accurate, reliable, ordered, complete, useful, up to date and accessible where needed to:
- carry out SLC business; support SLC to achieve its business objectives and priorities and make informed decisions;
- comply with relevant legislation; and
- support corporate memory.
1.2 Risk Appetite Alignment
1.2.1 The requirements outlined within this Policy support mitigation of the following risk categories:
| Level 1 Risk Category | Level 2 Risk Categories |
| Security | Retention and disposal: risk of SLC data or information being compromised due to it being available or unavailable resulting in a retention or disposal issue. |
1.2.2 Compliance with the Policy’s requirements ensures that SLC continues to operate within Risk Appetite which is:
- Overall, Cautious in relation to the retention and disposal of information and data, ensuring that SLC’s internal policies and procedures align to regulatory and legislative requirements and are complied with in practice.
1.3 Scope
1.3.1 This Policy, together with the associated standards and processes, applies to the management of all documents and records, in all electronic or physical formats, created or received by SLC in the conduct of its business activities.
1.4 Roles and Responsibilities
All employees have a responsibility to ensure that SLC’s records are managed in line with best practice and SLC policies and procedures. Different employees have different roles in relation to governing and managing records within SLC’s Records Management Framework. These include:
- Data Protection Officer
- Information Risk Owner (designated Accountable record owner)
- Information Asset Owner (designated Responsible record owner)
- All other employees
- Third Parties
1.5 Statutory and Regulatory Environment
1.5.1 The legal and regulatory framework for Records Management is outlined below and includes: Legislation regulated by the ICO: - The Data Protection Act 2018 and the General Data Protection Regulation (GDPR) - The Freedom of Information Act 2000 (FOIA) - Privacy and Electronic Communication Regulations 2003 - The Environmental Information Regulations 2004 (EIR)
Other related legislation: - The Public Records Act 1958
Related guidance and codes of good practice: - Section 46 Code of Practice (FOIA/EIR) – Part 1: Records Management - BS ISO15489 – Records Management - The National Archives Code of Practice on Records Management
2. Definitions and Policy Principles
2.1 What is records management?
2.1.1 Records Management is the systematic control and organisation of all types of records so that SLC have ready access to the information needed to meet strategic work objectives and legal responsibilities. All employees need to be able to find information when they need it and to store and share information so that it is available, where appropriate, for others to use.
2.2 Key Drivers for Records Management
2.2.1 Good Records Management is essential to ensure SLC can comply with its legislative responsibilities and act as a driver for business efficiency. Effective management of records and information means: - obtaining information legally, fairly and only as needed, including personal, corporate and copyright information and making sure it is good quality and fit for purpose; - organising information so SLC can locate it when it is needed; - sharing and publishing information using an appropriate medium to support effective collaboration and dissemination; - managing personal information about individuals responsibly and according to the law; - keeping good records that account for SLC actions and decisions; - disposing of information promptly when it is no longer needed; - responding promptly and courteously to public requests for information (including Freedom of Information (FOI) requests); and/or - ensuring that material of historical significance is identified and transferred to the appropriate National Archive as appropriate.
2.2.2 Poor records and information management creates risks for SLC, such as: - poor decisions based on inaccurate or incomplete information; - inconsistent or poor levels of service; - financial or legal loss if information required as evidence is not available or cannot be relied upon; - non-compliance with statutory or other regulatory requirements; - failure to handle confidential information with an appropriate level of security and the possibility of unauthorised access or disposal taking place; - failure to protect information that is vital to the continued functioning of SLC, leading to inadequate business continuity planning; unnecessary costs caused by storing records and other information for longer than they are needed; - employee time wasted searching for records; and/or - loss of reputation as a result of all the above, with damaging effects on public and stakeholder trust.
2.3 Definition of a Record
2.3.1 Records can be defined as “information created, received and maintained as evidence by an organisation or person in pursuance of legal obligations or in the transaction of business” (ISO 15489). In SLC, a record is defined as:
“any piece of information (document, email or other artefact) created or received and maintained by the organisation in the course of its business and is kept as evidence of an activity or transaction for the purposes of corporate memory (whether it is relevant for a short or long time or kept permanently by the organisation).”
2.3.2 Records are an essential resource and contain information which is unique and invaluable. They can be used as an audit trail as they provide evidence/proof of a specific activity.
2.3.3 Records come in electronic (including video and audio materials) and paper format. All types must be managed appropriately in terms of storage, accessibility and disposal.
3. Records Retention
3.1.1 SLC needs to ensure that it maintains appropriate provisions and controls around the retention of information. Retention must be defined in accordance with legal and/or business requirements. Appendix 1: Retention Table contains maximum or minimum retention periods for the main categories of information held.
4. Related Documents
4.1.1 This Policy forms an essential part of SLC’s overall policy framework and should be read in accordance with relevant related documents, including:
| Document Description |
| Data Protection Policy |
| Freedom of Information Policy |
Appendix 1 Retention Table
The table below contains maximum or minimum retention periods for the main categories of information held by SLC. SLC retains some historic data due to limitations of legacy record keeping systems. Such data is held in according to SLC’s Information Security Policy and data will be deleted where appropriate as part of legacy system decommissioning.
Employee Data (Permanent & Fixed Term)
| Activity/Information | Description | Start of Retention | Retention Period |
|---|---|---|---|
| Unsuccessful Recruitment Candidates | Personal Information | Last action on the applicant file | 2 years |
| Application Forms & Supporting Documentation | Last action on the applicant file | 2 Years | |
| Recruitment Vetting & Criminal Convictions | Last action on applicant file | 12 Months | |
| Identification Documents | Last action on the applicant file | 3 Months | |
| Successful Recruitment Candidates | Personal Information | Last action on the applicant file | 6 Years |
| Application Forms & Supporting Documentation | Last action on the applicant file | 2 Years | |
| Recruitment Vetting & Criminal Convictions | End of Employment | 6 Years | |
| Identification Documents (including Identification Documents of Foreign Nationals (ensuing from obligations to retain copies of documents used to perform immigration checks)). | End of Employment | 6 Years | |
| Employee Records | Employee Personal Details | End of Employment | 6 Years |
| 3rd Party Emergency Contact Details provided by employee | End of Employment | 6 Years | |
| Bank Account Details | End of Employment | 6 Years | |
| Additional Personal Details (e.g., Religion, Ethnicity, Disabilities, Gender Identity) | End of Employment | 6 Years | |
| Employment File | Written Particulars of Employment | End of Employment | 6 Years |
| Personal Payroll History/Salary records (including record of pay, performance pay, overtime pay, allowances, pay enhancements, other taxable allowances, payment for untaken leave, reduced pay, maternity leave) | The end of the assessment tax/period to which the payments relate | 6 Years | |
| Pensions Records | Date of Birth | 100 Years | |
| Expenses Records | The end of the assessment tax/period to which the payments relate | 100 Years | |
| Appraisals/Assessments | End of Employment | 6 Years | |
| Annual Leave Records | End of Employment | 6 Years | |
| Unpaid Leave Periods (Records of Maternity, Paternity, Adoption or Sick Leave) | Date of Birth | 100 Years | |
| Statutory Maternity Pay Document | The end of the tax year in which the maternity pay period ends | 6 Years | |
| Complete Sickness Absences Record showing dates and causes of sick leave | End of Employment | 6 Years | |
| Medical/Self Certificates | End of Employment | 6 Years | |
| Health Referrals (including medical reports from doctors/consultants) | End of Employment | 6 Years | |
| Health & Safety Records | End of Employment | 6 Years | |
| Health & Safety Records | The end of financial year to which the records relate | 6 Years | |
| Death Benefit Nomination & Revocation Forms | From Leaving Employment | 6 Years | |
| Staff Security Vetting Records | From Leaving Employment | 6 Years | |
| Employee Training Records | From Leaving Employment | 6 Years | |
| Employee Grievance Records | From Leaving Employment | 6 Years | |
| Working Time Records | The end of the financial year to which the records relate Employment | 6 Years | |
| Employee Discipline Records | From Leaving Employment | 6 Years | |
| Job History | From Leaving Employment | 6 Years | |
| Redeployment, Redundancy & TUPE | From Leaving Employment | 6 Years | |
| Contingent Workers | Contingent Worker Record (name, address, contact details) | From Leaving Employment | 6 Years |
| Operational Records | HR Operational Records | Last Modified Date | 2 Years |
Customer Data
| Applications (Where applications are lapsed/abandoned, or no funding is provided) | - Applicant Record - Customer Funding & Previous Study Record - Customer Application - Health Information - Eligibility/Entitlement - Customer Account - Engagement & Supporting Information - Customer Information Provided to/from 3rd Parties - Parent/Guardian/Partner/Associated Party Information & Supporting Documentation for Applicants - Voluntary Statistical Data - Payment & Fraud Investigations |
Between 12 and 24 months from either the: -Start date of the Academic Year -Start date of the last year of the course -End date of the entire course |
6 or 12 months depending on the type of funding, product and status of the Application. No Application or Customer data will be deleted where: - The Customer is identified as a suspected or confirmed fraud case - The Customer is on the Financial Sanctions list - The Customer has any open, Compliant, or a Stage 1 or 2 Complaint which was closed in the last 2 years - Any complaints that have gone to the Independent Assessor which have been closed in the last 10 years - The Customer has any open Appeal, or a Stage 1 or Stage 2 Appeal which was closed in the last 2 years - Any Appeal that have gone to the Independent Assessor which have been closed in the last 10 years - Any financial transaction has been recorded for that Customer which can’t be attributed to a specific Application, SAAS have not completed a reconciliation exercise for Fee Loans for that Academic Year. The Complaints and Appeals exceptions will also include; Instances of Court proceedings where the Customer may not have come directly to SLC first (e.g. pre-action Protocols and Judicial Reviews), Instances where the Customer has escalated their Complaint/Appeal to an Independent Assessor or on to the relevant Ombudsman. If the Customer has no Applications, they will be deleted where: - Student (only) – The Student registered on SLC 12 (or more) months ago. - Sponsor – the Sponsor was ‘unattached’ from any Applications 24 (or more) months ago. |
| Activity/Information | Description | Retention Period | ||||
|---|---|---|---|---|---|---|
| Customer Record – Repayable Funding | - Core Customer Record - Customer Funding & Previous Study Record - Customer Application Record(s) - Health Information - Eligibility/Entitlement Assessment - Customer Account, Engagement & Supporting Information - Customer Information Provided to/from 3rd Parties - Financial Transactions & Payment Information (Customer Specific) - Loan Sales Records (Customer Specific) - Repayment/Deferment/Write-off Artefacts - Operational Artefacts - Voluntary Statistical Data - Payment & Fraud Investigations - Customer Reporting - Lifetime Elements Retained in Core Record |
Certain customer data is currently retained on an indefinite basis within SLC. SLC has other obligations to ensure that customer data is retained in line with a range of regulatory and business requirements. In certain circumstances SLC is required to keep data for a minimum length of time (e.g., financial information) and/or even the lifetime of the customer. For example: - student support legislation obliges SLC to take into account any previous supported study to accurately determine an individual’s entitlement to student support for any further study; and - student finance eligibility criteria requires that there are no arrears with any previous student loans. |
||||
| Customer Record – Mortgage Style Loans | - Core Customer Record - Customer Application(s) - Financial Transactions & Payment Information (Customer Specific) - Deferments - Engagement with MSL Owners - Operational Artefacts - Repayment/Write-Off Records |
As above | ||||
| Customer Record – Non-Repayable Funding (Grants – Disabled Student Allowance/Grants for Dependents) | - Core Customer Record - Customer Funding & Previous Study Record - Customer Application(s) - Health Information - Eligibility/Entitlement Assessment - Customer Account, Engagement & Supporting Information - Customer Information Provided to/from 3rd Parties - Financial Transactions & Payment Information (Customer Specific) - Service Provisions for Customers - Operational Artefacts - Voluntary Statistical Data - Payment & Fraud Investigations |
As above | ||||
| Correspondence | - Customer Specific External Correspondence (Apply to Pay Phase of Customer Lifecycle) - Customer Specific External Correspondence (Repay Phase of Customer Lifecycle) -Customer Specific Internal Correspondence (Apply to Pay Phase of Customer Lifecycle) -Customer Specific Internal Correspondence (Repay Phase of Customer Lifecycle) |
As above | ||||
| Parent/Guardian/Partner/Associated Party/Additional Contacts Information | - Parent/Guardian/Partner (Sponsor) Core Record - Parent/Guardian/Partner (Sponsor) Financial Information - Parent/Guardian/Partner (Sponsor) Dependents - Parent/Guardian/Partner (Sponsor) Declaration - Consent to Share - Power of Attorney - Additional Contacts - Operational Artefacts |
As above | ||||
| Appeals | - Appeals Case Files - Operational Artefacts |
As above | ||||
| Customer Complaints, Research & Feedback | - Complaints & Feedback Case Files -Operational Artefacts - Customer Research (Customer Specific) - Customer Research (Unattributable/Anonymous) - Operational Artefacts |
As above | Counter Fraud | - Counter Fraud Case Files - Operational Artefacts |
As above |
Corporate Management and Governance
| Activity/Information | Description | Start of Retention | Retention Period |
|---|---|---|---|
| Statutory Books, Registers and Constitutional Records | - Incorporation documents - Companies House Correspondence Companies House Filings Company Books and Registers |
Date of most recent document | Permanent (Life of Company) |
| Statutory Books, Registers and Constitutional Records | - Gifts and Hospitality Register | End of Financial Year | 10 Years |
| SLC Board | - Board Effectiveness – various working papers | Date of most recent document | 10 Years |
| SLC Board | - Board Schedule | Date of most recent document | 5 Years |
| SLC Board | - Board Minutes of Meetings | Date of last action | Permanent |
| SLC Board | - Board Reporting Protocols | Date of most recent document | 5 Years |
| Board Member Information | Board Member Details including: - Letters of appointment and delegations -Contact Details - Letters of Indemnity - Register of Interests - Induction Paperwork - Various files & advice - Skills & Assessment |
After end of appointment/employment | 5 Years |
| Operational and Business Administration | - Policies and Procedures - Policy Specifications |
When updated/superseded | Superceded Permanent |
| Operational and Business Administration | Operational Business Information (General administrative records, routine administrative correspondence (not related to customer, contract or legal matters) | Date of most recent document | 2 years |
| Operational and Business Administration | All other Corporate Management and Governance Records | Date of most recent document or last action in most cases | Date of most recent document or last action in most cases |
| Planning and Performance | - Corporate and Business Plans - Annual Report and Accounts - Performance Reports - Management Information |
Financial Year End | 7 Years |
| Audit | Audit Reports and Report Papers | From issue date | 6 Years |
| Audit | Interim Audit Reports, Correspondence and Internal Audit Guides | From issue /correspondence date | 3 Years |
| Projects | - General projects - Financial documents br> - Policy project documentation - Initiation documents - Project proposals - Plans and specifications - Draft reports and working papers - All related project correspondence |
Completion of Project / date of last paper | 6 Years Major projects determined by their natur e can be retained for longer up to 25 years |
| Legal Affairs | Provision of legal advice not specific to an individual case (etc. Legal advice given to SLC concerning legislation or proposals for new legislation affecting its conduct and business) Includes legal advice for projects, contracts, policy and in relation to a dispute. |
Date of advice | 7 Years |
| Procurements and Contracts | Tenders, Contracts and Agreements | End of Contract | 6 Years |
| Procurements and Contracts | Settlement Agreements with ex-employees | Date of Agreement | 6 Years |
| Procurements and Contracts | Non-Disclosure Agreements | Date Non-Disclosure Agreement ceases to have effect (NB – may be indefinite) | 6 Years |
| Litigation | - Employment Tribunal Records - Civil Court Litigation |
Date file closed (which will not be earlier than appeal deadline) | 6 Years |
| Intellectual Property | Branding and intellectual property (including trade/service marks) | Date modified | Life of Company |
| Commercial Property | All documents relating to SLC’s property portfolio | Date deed is superseded in full or terminated | 6 Years |
| Commercial Property | Land and Buildings Transaction Tax (LBTT) Returns to Revenue Scotland | Date relevant lease ceases to apply | 6 Years |
|
Access to Information (Information about Freedom of Information, Data Subject Access Requests and the Publication Scheme) |
Procedures for handling FOI requests and other documents regarding implementation of FOI; Procedure and Policy, case file records which lead to the development or precedent or best practice. Case file records detailing FOI requests and responses, consideration of exemptions, and subject internal reviews and appeals. Each case record is likely to contain personal data as defined in UK data protection legislation. Specifically, each record is likely to contain: - the name, address, and other contact information of the applicant - personal details provided by the applicant when making his/her request - where a fee has been paid, bank account and other payment details - all personal data will be handled with care and in accordance with UK data protection legislation. Access to personal data will be strictly controlled. |
From date of release | 6 Years |
|
Access to Information (Information about Freedom of Information, Data Subject Access Requests and the Publication Scheme) |
Data Protection “Rights of Data Subject” records – to include Subject Access and Data Portability requests, requests for erasure, rectification, restriction, objection. Includes initial request, response, related correspondence and other supporting documentation | Completion of Request | 6 Years |
|
Access to Information (Information about Freedom of Information, Data Subject Access Requests and the Publication Scheme) |
Statistical data about number of FOI requests and Data Subject Access requests. Includes the timeliness of responses, outcomes, internal reviews and appeals and management information | Current Year | 10 Years |
|
Access to Information (Information about Freedom of Information, Data Subject Access Requests and the Publication Scheme) |
Statistical data about number of FOI requests and Data Subject Access requests. Includes the timeliness of responses, outcomes, internal reviews and appeals and management information | Current Year | 10 Years |
|
Access to Information (Information about Freedom of Information, Data Subject Access Requests and the Publication Scheme) |
Details of what access decisions have been taken about SLC records and redacted versions of documents that were released | Current Year | 10 Years |
|
Access to Information (Information about Freedom of Information, Data Subject Access Requests and the Publication Scheme) |
Information subject to a FOI request but scheduled for destruction | Last date of correspondence | 6 Months |
|
Access to Information (Information about Freedom of Information, Data Subject Access Requests and the Publication Scheme) |
Publication Scheme published on the SLC website | When updated/superseded | 5 Years |
| Risk Management | Audit Risk Committee Risk Report and Dashboard. | Date superseded | 5 Years |
| Risk Management | Database containing all of SLCs historic and current Corporate Risks and issues | End Date | 6 Years |
| Business Continuity | - Business Impact Analysis - Business Continuity Plans - Post-exercise / post incident reports - Supplier review |
At the start of each year | 5 Years |
| Print and Mail Services | - Memorandum of Understandings - Service Level Agreements - Licence Agreements |
At the start of each agreement and refreshed annually | Permanent |
| Health and Safety | Risk Assessment documents for all sites listing hazards or hazardous events and the actions and controls in place to manage these | Updated annually or if/when a change is required | 6 Years |
| Health and Safety | Health & Safety Committee Meeting Minutes | Quarterly when document created | 5 Years |
| Partner Services and External Engagement | Includes documentation but not limited to minutes of meetings, agendas, presentations, data capture forms, satisfaction surveys, all communications, performance review reports, analytical data, service agreements and contracts, audit reports, guidance, factsheets, web service/online content. | Creation of document / when updated or superseded | When no longer required / Superseded |
| Public Relations and Press | Press Cuttings and Press Releases | From publish date | 2 Years |
| Public Relations and Press | Emails with journalists to inform reporting of media stories | From release date | 2 Years then Archived |
| Public Relations and Press | Correspondence with the media | From date of correspondence | Permanent |
| Public Relations and Press | Information and guides | When updated/superseded | Permanent |
| Internal Communications | Staff communications | When administrative use ends | 3 Years |
| Internal Communications | Intranet pages | From publish date | When no longer required |
| Images, Templates and Corporate Identify | Images of various SLC offices, staff and events | From publish date | When no longer required |
| Images, Templates and Corporate Identify | Corporate identity material, logos and stationery | When updated/superseded | Permanent |
| Online Content | All Web Content | When updated/superseded | Permanent |
| Online Content | Social Media including messaging that goes out through various communication channels, links to websites | From publish date | Permanent |
| Online Content | Campaigns and Materials including web adverts and emails | Conclusion of campaign | 3 Years |
| Online Content | Plans for Delivery (including web content and delivery) | When updated/superseded | Permanent |
| Online Content | Guides and Facts Sheets – for all domiciles downloadable from web channels | When updated/superseded | Permanent |
| Online Content | Films – animated explainers, piece to camera of colleagues | From publish date | Permanent |
| Publications, Presentations and Correspondence | Guides distributed domiciles e.g., Universities | When updated/superseded | Permanent |
| Publications, Presentations and Correspondence | Presentations for practitioners to teach students about Student Finance | When updated/superseded | Permanent |
| Publications, Presentations and Correspondence | System generated letters and emails sent to customers | When updated/superseded | Permanent |
| Marketing Analysis | Information identifying customer needs and all other marketing materials for analysis | When updated/superseded | Permanent |
|
Governance and Compliance (SLC Compliance Framework, Security Assurance Management, Data Protection Management, Records Management, Data Governance and Knowledge Management) |
Reference Materials | Current Year | 6 Years |
|
Governance and Compliance (SLC Compliance Framework, Security Assurance Management, Data Protection Management, Records Management, Data Governance and Knowledge Management) |
General Compliance Artefacts | When updated or superseded | 6 Years |
|
Governance and Compliance (SLC Compliance Framework, Security Assurance Management, Data Protection Management, Records Management, Data Governance and Knowledge Management) |
Compliance Framework Populated Artefacts | From start of control framework cycle | 6 Years |
|
Governance and Compliance (SLC Compliance Framework, Security Assurance Management, Data Protection Management, Records Management, Data Governance and Knowledge Management) |
Security Assurance Management Populated Artefacts and compliance records | Last modified/processed date | Lifetime of the system/process |
|
Governance and Compliance (SLC Compliance Framework, Security Assurance Management, Data Protection Management, Records Management, Data Governance and Knowledge Management) |
Populated Artefacts and Compliance Records (Data Protection, Records Management, Data Governance, Knowledge Management) | Last modified/processed date | 10 Years |
|
Governance and Compliance (SLC Compliance Framework, Security Assurance Management, Data Protection Management, Records Management, Data Governance and Knowledge Management) |
- Privacy Notices - Notification to the ICO br> -Records Retention Schedules |
When updated/superseded | Permanent |
|
Governance and Compliance (SLC Compliance Framework, Security Assurance Management, Data Protection Management, Records Management, Data Governance and Knowledge Management) |
- Privacy Notices - Notification to the ICO -Records Retention Schedules |
When updated/superseded | Permanent |
|
Governance and Compliance (SLC Compliance Framework, Security Assurance Management, Data Protection Management, Records Management, Data Governance and Knowledge Management) |
Data Governance Risk Registers | When updated/superseded | 6 Years |
|
Governance and Compliance (SLC Compliance Framework, Security Assurance Management, Data Protection Management, Records Management, Data Governance and Knowledge Management) |
Statistics and Management Information including information packs and dashboards | Last modified/processed date | 6 Years |
| Independent Assessor (IA) | Complaint Case Files | Date case assigned to an IA | 10 Years |
| Independent Assessor (IA) | Ombudsman Reports | Date case assigned to an IA | 10 Years |
| Independent Assessor (IA) | Customer Recordings | Date case assigned to an IA | 10 Years |
| Independent Assessor (IA) | Annual Reports | Date of report | 6 Years |
| Independent Assessor (IA) | Contact Information | Date of IA assigned to role | 11 Years |
Financial Management
| Activity/Information | Description | Start of Retention | Retention Period | |
|---|---|---|---|---|
| Accounting Records | - Bank Account Records - Financial Statements and Summaries - Management and Project Account Forecast Reports |
End of the financial year to which the records relate. | 6 + 1 Year |
| Transaction Records | Record of cheques drawn for payment | End of the financial year to which the records relate. | 6 + 1 Year |
| Transaction Records | General and subsidiary ledgers | End of the financial year to which the records relate. | 6 + 1 Year |
| Transaction Records | Financial transactions – retained up to the maximum lifetime of a loan | End of the financial year to which the records relate. | 40 + 6 Years |
| Transaction Records | Financial transactions – for potential audit requests and historical reconciliation differences | End of the financial year to which the records relate. | 6 + 1 Year |
| Transaction Records | Operational Records | Last modified or processed date | 2 Years |
| Transaction Records | Sanction Records | When added to Sanctions List | Indefinite – until removed from Sanctions List |
| Transaction Records | Money Laundering Reporting Officer (MRLO) forms and Investigation log | When referral email to MRLO received | 5 Years then review |
| Transaction Records | Financial Transactions – containing Loan Pack ID | End of the financial year to which the records relate | Indefinite |
| Employee Financial Records | Payroll Records | End of the financial year to which the records relate | 6 + 1 Year |
| Assets and Equipment | Assets and Equipment Registers | End of the financial year to which the records relate | 6 + 1 Year |
| Procurement | - Contracts - Tenders - |
Expiration of contract in most cases | 6 + 1 Year |
Information and Technology Management
| Activity/Information | Description | Start of Retention | Retention Period | |
|---|---|---|---|---|
| Information Security Management | - Incident Management Register - Incident Management Case Records - Incident Management Data Breach Detection Records |
- Last Action on File - From Closure of Case - Last Action on File |
6 Years | |
| Information Security Management | - Management information - Service level data sheets - Data Security Team operational reports - Issues, monthly trend and common trends |
When updated/superseded | 3 Years | |
| Information Security Management | Data Security Work Instructions | When updated/superseded | 4 Years | |
| Information Security Management | Data Transfer Authorisations | Last modified date | 6 Years | |
| Information Security Management | Third Party Reviews | Last modified date | 6 Years | |
| Information Security Management | Network and system access logs | Date of access | Up to 3 Years | |
| Technology Change and Integration | Artefacts created and retained for project delivery and in conjunction with business services alongside project lifecycle | Date of issue or completion of project | 6 Years | |
| Infrastructure and Operation | Disaster Recovery and Backups | Date of last update for each document | 6 Years | |
| Architecture | - Architectural Design Papers - Architectural Level Papers |
When updated or superseded | Indefinitely | |
| Technology Operations | - Compliance Tracker Documents - Performance Initiative Documents - Executive Reports - Service Review Packs - Planning Materials - Policy and Process Documentation - Process Trackers |
When updated or superseded | Indefinitely | |
| Technology Operations | - Demand and Capacity Reporting - Technology Group Spot Awards |
End of Year | 6 Years | |
| Software Delivery | - Software Delivery Documentation - Project Documentation - Test Scripts and Results - Audit Histories - Defect Records |
Last modified date of a document or on retiral of system | 6 Years or Lifetime of a system | |
| System User Training and Support | - Learning - Process Maps |
When updated or superseded | 2 Years |