
Record Retention and Data Management Policy

Food Hygiene Compliance Ltd
Email: foodhygienecompliance@outlook.com
Updated: 5 March 2025

1. Purpose

The purpose of this Record Retention and Data Management Policy (“the Policy”) is to define how Food Hygiene Compliance Ltd (“the Company”) creates, stores, manages, and disposes of business records and personal data in compliance with legal, regulatory, and operational requirements.

Proper retention and destruction of records ensures:

  • Protection of confidential business and client information
  • Compliance with UK GDPR and other legislation
  • Efficient management of data and resources
  • Transparency and accountability in company operations

2. Scope

This Policy applies to:

  • All employees, auditors, subcontractors, and directors of Food Hygiene Compliance Ltd
  • All records in physical, electronic, or digital form (including emails, reports, photos, templates, financial and personnel data)
  • All systems, devices, or cloud storage used by the Company

3. Legal and Regulatory Framework

The Company complies with the following relevant legislation and standards:

  • UK GDPR and the Data Protection Act 2018
  • Companies Act 2006 (corporate record‑keeping)
  • Health and Safety at Work etc. Act 1974 and associated regulations
  • HMRC Record Retention Requirements (for tax and financial documentation)
  • Professional body guidance (e.g. CIEH – Chartered Institute of Environmental Health)

4. Definitions

  • Record: Any document or data created, received, or maintained as evidence of Company operations or transactions.
  • Retention Period: The amount of time a record is kept before it is archived or securely disposed of.
  • Personal Data: Information that identifies or can identify an individual.
  • Confidential Information: Proprietary or sensitive business, client, or technical data.

5. Objectives

  • Keep only the data and records necessary for business, regulatory, and legal purposes
  • Store records securely and confidentially
  • Regularly review, archive, or delete obsolete data
  • Ensure secure disposal of physical and electronic information
  • Maintain the ability to retrieve records efficiently if required by regulators or clients

6. Responsibilities

   

| Role | Responsibilities |
| --- | --- |
| Director / Data Protection Officer (DPO) | Oversees compliance, approves retention schedules, and ensures regular reviews. |
| Employees and Contractors | Follow retention guidelines, limit storage of unnecessary data, and report any breaches or concerns. |
| Administrative Staff | Maintain accurate document logs and handle secure archiving or disposal of records. |

7. Record Retention Periods

   

| Type of Record | Retention Period | Rationale / Legal Basis |
| --- | --- | --- |
| Client Contracts, Service Agreements & Reports | 6 years after end of engagement | Limitation Act 1980 / contractual liability |
| Audit and Inspection Reports | 6 years | Best practice / evidence of due diligence |
| HACCP Plans & Supporting Documents | 6 years post‑completion | Regulatory reference and historical review |
| Invoices, Receipts & Financial Records | 6 years from financial year end | HMRC requirement for business records |
| Payroll & Employee Records | 6 years after employment ends | Employment law & HMRC requirements |
| Health & Safety Records / Accident Logs | 3–6 years (40 years for exposure records) | H&S Regulations / RIDDOR |
| Training & Competency Records | 6 years after departure | Quality assurance / compliance evidence |
| Email and General Correspondence | 2 years (then review or delete) | Operational necessity |
| Marketing Lists & Client Contacts | Until opt‑out or consent withdrawn + 1 year | Consent management / legitimate interest |
| Complaints, Feedback & Disciplinary Records | 6 years after resolution | Legal defensibility / improvement records |
| Insurance Documents & Claims | Indefinitely or minimum 6 years post policy | Legal claims history |
| Company Registration & Governance Documents | Permanent | Statutory requirement |

8. Storage and Security

All records will be stored securely:

  • Hard‑copy files – in locked cabinets within secure office premises; only authorised personnel permitted access.
  • Electronic records – in encrypted or password‑protected systems and secure cloud storage.
  • Remote devices / laptops – protected with antivirus, encryption, and two‑factor authentication.

Confidential data must never be transferred to personal devices, USB drives, or unapproved cloud services.

9. Archiving

  • Records that are no longer actively used but required for reference will be marked as “archived” and securely stored.
  • Archived records will remain accessible only to authorised senior staff.
  • An Archive Register will identify record type, retention date, and planned disposal date.

10. Disposal of Records

At the end of their retention period, records will be securely destroyed:

  • Paper records: shredded or disposed of through a certified confidential waste service.
  • Electronic records: permanently deleted with verification that no recoverable copies remain.

A Record Disposal Log will be maintained, listing materials destroyed and confirming authorisation by the Director.

11. Data Breach and Incident Reporting

Any loss, misuse, or unauthorised disclosure of records or personal data must be reported immediately to the Director / Data Protection Officer.
Incidents will be managed in accordance with the Company’s Data Protection and Breach Response Procedure.

12. Training and Awareness

All employees and subcontractors receive induction training covering record management, confidentiality, and GDPR compliance.
Refresher training will occur at least annually or whenever regulations change.

13. Monitoring and Review

The Director will monitor compliance annually and update this policy as required by legislation or operational change.
Next scheduled review: March 2026.

Copyright © 2026 Food Hygiene Compliance Ltd - All Rights Reserved.
