1.1 The corporate information, records and Data of Akums Drugs & Pharmaceuticals Ltd. ("we", "our", "us", "the Company") are important to how we conduct business and manage employees.
1.2 There are legal and regulatory requirements for us to retain certain Data, usually for a specified amount of time. We also retain Data to help our business operate and to have information available when we need it. However, we do not need to retain all Data indefinitely, and retaining Data can expose us to risk as well as be a cost to our business.
1.3 As we operate across a number of countries, these legal and regulatory requirements can include both Indian and laws of other countries.
1.4 This Data Retention Policy explains our requirements to retain Data and to dispose of Data and provides guidance on appropriate Data handling and disposal by reference to UK laws.
1.5 Failure to comply with this policy can expose us to fines and penalties, adverse publicity, difficulties in providing evidence when we need it and in running our business.
1.6 This policy does not form part of any employee's contract of employment and we may amend it at any time.
2.1 This policy covers all Data that we hold or have control over. This includes physical Data such as hard copy documents, contracts, notebooks, letters and invoices. It also includes electronic Data such as emails, electronic documents, audio and video recordings and CCTV recordings. It applies to both Personal Data and Non-Personal Data. In this policy we refer to this information and these records collectively as "Data".
2.2 This policy covers Data that is held by third parties on our behalf, for example cloud storage providers or offsite records storage. It also covers Data that belongs to us but is held by employees on personal devices.
2.3 This policy explains the differences between our Formal or Official Records, Disposable Information, confidential information belonging to others, Personal Data and Non-Personal Data. It also gives guidance on how we classify our Data.
2.4 This policy applies to all business units and functions of the Company.
Through this policy, and our Data retention practices, we aim to meet the following commitments:
4.1 Responsibility of all employees. We aim to comply with the laws, rules, and regulations that govern our organisation and with recognised compliance good practices. All employees must comply with this policy, the Record Retention Schedule, any communications suspending Data disposal and any specific instructions from the Data Protection Officer. Failure to do so may subject us, our employees, and contractors to serious civil and/or criminal liability. An employee's failure to comply with this policy may result in disciplinary sanctions, including suspension or termination. It is therefore the responsibility of everyone to understand and comply with this policy.
4.2 Data Protection Officer. The Data Protection Officer is responsible for identifying the Data that we must or should retain, and determining the proper period of retention. It also arranges for the proper storage and retrieval of Data, co-ordinating with outside vendors where appropriate. Additionally, the Data Protection Officer handles the destruction of records whose retention period has expired.
4.3 The Data Protection Officer is additionally responsible for:
5.1 Formal or Official Records. Certain Data is more important to us and is therefore listed in the Record Retention Schedule. This may be because we have a legal requirement to retain it, or because we may need it as evidence of our transactions, or because it is important to the running of our business. Please see paragraph 6.1 below for more information on retention periods for this type of Data.
5.2 Disposable Information. Disposable Information consists of Data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or Data that may be safely destroyed because it is not a Formal or Official Record as defined by this policy and the Record Retention Schedule. Examples may include:
Please see paragraph 6.2 below for more information on how to determine retention periods for this type of Data.
5.3 Personal Data. Both Formal or Official Records and Disposable Information may contain Personal Data; that is, Data that identifies living individuals. Data protection laws require us to retain Personal Data for no longer than is necessary for the purposes for which it is processed (principle of storage limitation). See paragraph 6.3 below for more information on this.
5.4 Confidential information belonging to others. Any confidential information that an employee may have obtained from a source outside of the Company, such as a previous employer, must not, so long as such information remains confidential, be disclosed to or used by us. Unsolicited confidential information submitted to us should be refused, returned to the sender where possible, and deleted, if received via the internet.
6.1 Formal or Official Records. Any Data that is part of any of the categories listed in the Record Retention Schedule contained in the Annex to this policy, must be retained for the amount of time indicated in the Record Retention Schedule. A record must not be retained beyond the period indicated in the Record Retention Schedule, unless a valid business reason (or notice to preserve documents for contemplated litigation or other special situation) calls for its continued retention. If you are unsure whether to retain a certain record, contact the Data Protection Officer.
6.2 Disposable Information. The Record Retention Schedule will not set out retention periods for Disposable Information. This type of Data should only be retained as long as it is needed for business purposes. Once it no longer has any business purpose or value it should be securely disposed of.
6.3 Personal Data. As explained above, UK and EEA Data protection laws require us to retain Personal Data for no longer than is necessary for the purposes for which it is processed (principle of storage limitation). Where Data is listed in the Record Retention Schedule, we have taken into account the principle of storage limitation and balanced this against our requirements to retain the Data. Where Data is Disposable Information, you must take into account the principle of storage limitation when deciding whether to retain this Data. More information can be found in our Privacy Guidelines.
6.4 What to do if Data is not listed in the Record Retention Schedule. If Data is not listed in the Record Retention Schedule, it is likely that it should be classed as Disposable Information. However, if you consider that there is an omission in the Record Retention Schedule, or if you are unsure, please contact the Data Protection Officer.
7.1 Storage. Our Data must be stored in a safe, secure, and accessible manner. Any documents and financial files that are essential to our business operations during an emergency must be duplicated and/or backed up at least once per week and maintained off site.
7.2 Destruction. Our Data Protection Officer is responsible for the continuing process of identifying the Data that has met its required retention period and supervising its destruction. The destruction of confidential, financial, and employee-related hard copy Data must be conducted by shredding if possible. Non-confidential Data may be destroyed by recycling. The destruction of electronic Data must be co-ordinated with the IT Department.
7.3 The destruction of Data must stop immediately upon notification from the Legal Department that preservation of documents for contemplated litigation is required (sometimes referred to as a litigation hold). This is because we may be involved in a legal claim or an official investigation. Destruction may begin again once the Legal Department lifts the requirement for preservation.
8.1 Preservation of documents for contemplated litigation and other special situations. We require all employees to comply fully with our Record Retention Schedule and procedures as provided in this policy. All employees should note the following general exception to any stated destruction schedule: If you believe, or the Legal Department informs you, that certain records are relevant to current litigation or contemplated litigation (that is, a dispute that could result in litigation), government investigation, audit, or other event, you must preserve and not delete, dispose, destroy, or change those records, including emails and other electronic documents, until the Legal Department determines those records are no longer needed. Preserving documents includes suspending any requirements in the Record Retention Schedule and preserving the integrity of the electronic files or other format in which the records are kept.
8.2 If you believe this exception may apply, or have any questions regarding whether it may apply, please contact the Legal Department.
8.3 In addition, you may be asked to suspend any routine Data disposal procedures in connection with certain other types of events, such as our merger with another organisation or the replacement of our information technology systems.
Questions about the policy. Any questions about retention periods relevant to your department or this policy should be raised with the Data Protection Officer at: dpo@akums.net, who is in charge of administering, enforcing, and updating this policy.
10.1 Reporting policy breaches. We are committed to enforcing this policy as it applies to all forms of Data. The effectiveness of our efforts, however, depend largely on employees. If you feel that you or someone else may have breached this policy, you should report the incident immediately to your supervisor. If you are not comfortable bringing the matter up with your immediate supervisor, or do not believe the supervisor has dealt with the matter properly, you should raise the matter with the Data Protection Officer. If employees do not report inappropriate conduct, we may not become aware of a possible breach of this policy and may not be able to take appropriate corrective action.
10.2 No one will be subject to and we do not allow, any form of discipline, reprisal, intimidation, or retaliation for reporting incidents of inappropriate conduct of any kind, pursuing any record destruction claim, or co-operating in related investigations.
10.3 Audits. Our Data Protection Officer will periodically review this policy and its procedures (including where appropriate by taking outside legal or auditor advice, to ensure we are in compliance with relevant new or amended laws, regulations or guidance. Additionally, we will regularly monitor compliance with this policy, including by carrying out audits.
The Company establishes retention or destruction schedules or procedures for specific categories of Data. This is done to ensure legal compliance (for example, with our Data protection obligations) and to accomplish other objectives, such as protecting intellectual property and controlling costs.
Employees should comply with the retention periods listed in the record retention schedule below, in accordance with the Company’s Data Retention Policy.
If you hold Data not listed below, please refer to the Company’s Data Retention Policy. If you still consider your Data should be listed, become aware of any changes that may affect the periods listed below, or have any other questions about this record retention schedule, please contact the Data Protection Officer.
| Type of Data | Retention Period | Reason | Comments |
|---|---|---|---|
| Accounting records | 3 years from the date they were made | Section 388(4) Companies Act 2006 (“CA 2006”) | Tax requirements or other legislation may require longer. |
| Register of members | Entries for former members can be removed 10 years after the date they ceased to be members | Section 121, CA 2006 | |
| Register of directors | Indefinite | Usual practice | Section 162 of the CA 2006 requires the register to be kept but legislation is not explicit about retention periods. General practice is to retain details of current and former directors, together with the date of ceasing to be a director. |
| Register of directors' residential addresses | Remove addresses of former directors after 10 years | Best practice | Section 165 of the CA 2006 requires the register to be kept but there is no statutory retention period or indication whether addresses of former directors should be removed. Company will need to consider anything that has been told to directors and what is appropriate. |
| Minutes of internal directors' meetings | 10 years from the date of the meeting | Section 248, CA 2006 | Statutory minimum period (no period applies to meetings held before 1 October 2007, but best practice is to apply a consistent standard). |
| Members resolutions passed other than at general meetings; minutes of general meetings, details of decisions provided by a sole director | 10 years from date of resolution, decision, or meeting | Sections 355 and 358, CA 2006 | Minimum period; can be extended if appropriate. |
| Health and safety inspections, property management and asset records | 6 years | Health and Safety at Work Act 1974 and Limitation Act 1980 (“LA 1980”) | |
| Historical records and archives about the company e.g. former directors, chairpersons, employees of note etc. | Indefinite | Usual practice | Balance data minimisation principle against the need to retain this information for historical purposes in the legitimate interests of the organisation. |
| Type of Data | Retention Period | Reason | Comments |
|---|---|---|---|
| Name and address of scheme or provider of the automatic enrolment scheme used to comply with the employer's duties | 6 years | Employers' Duties (Registration and Compliance) Regulations 2010 (SI 2010/5) (regulations 5, 6 and 8) | Minimum statutory period. |
| Employer pension scheme reference | 6 years | Employers' Duties Regulations 2010 (regulations 5, 6 and 8) | Minimum statutory period. |
| Evidence scheme complies with auto-enrolment statutory quality tests | 6 years | Employers' Duties Regulations 2010 (regulations 5, 6 and 8) | Minimum statutory period. |
| Name, NI number, date of birth and automatic enrolment date of all jobholders auto-enrolled (and corresponding details for non-eligible jobholders and entitled workers who have opted in or joined) | 6 years | Employers' Duties Regulations 2010 (regulations 5, 6 and 8) | Minimum statutory period. |
| Evidence of jobholders' earnings and contributions | 6 years | Employers' Duties Regulations 2010 (regulations 5, 6 and 8) | Minimum statutory period. |
| Contributions payable by employer in respect of jobholders and dates on which employer contributions were paid to scheme | 6 years | Employers' Duties Regulations 2010 (regulations 5, 6 and 8) | Minimum statutory period. |
| If auto-enrolment postponement period used, records of workers who were given notice of postponement including full name, NI number and date postponement notice was given | 6 years | Employers' Duties Regulations 2010 (regulations 5, 6 and 8) | Minimum statutory period. |
| Auto-enrolment opt-in notices, joining notices and opt-out notices (original format) | 6 years (4 years for opt-out notices) | Employers' Duties Regulations 2010 (regulations 5, 6 and 8) | Minimum statutory period. Opt-in, joining, and opt-out notices must be kept in the original format; copies or electronic versions are acceptable. |
| If employer is (or was) sponsoring employer of an occupational pension scheme, any document relating to monies received by or owing to the scheme, investments or assets held by the scheme, payments made by the scheme, contracts to purchase a lifetime annuity in respect of scheme member and documents relating to the administration of the scheme | For the tax year to which they relate and the following 6 years | Registered Pension Schemes (Provision of Information) Regulations 2006 (SI 2006/567) (regulation 18) | Minimum statutory period. |
| Information relating to applications for ill health early retirement benefits, including medical reports | While entitlement continues and for period of 15 years after benefits stop being paid | Limitation period | Employers may also need to keep data relating to employees' job descriptions to assist with any ill-health application. |
| Death benefit nomination and revocation forms | While entitlement continues and for period of 15 years after the death of member and their beneficiaries | Limitation period | Longer may be required for public sector employees e.g., the National Archives suggests 100 years from date of birth. |
| Type of Data | Retention Period | Reason | Comments |
|---|---|---|---|
| General information about internally developed IT infrastructure, software and systems for internal use | 5 years from decommissioning of system | Business need | No statutory period so organisation can balance need to retain these records against data minimisation principle. |
| General information about externally developed IT infrastructure, software and systems for internal or external use | 7 years from decommissioning of system | Contractual obligation; Limitation period | See also Procurement section. |
| General information about internally developed IT infrastructure, software and systems for external use | 7 years from decommissioning of system | Contractual obligation; Limitation period | Where IT infrastructure, software or systems are used externally (for example, by customers) then this information may be relevant to claims and disputes. |
| Systems monitoring (e.g., to detect and prevent failures, vulnerabilities, and external threats) | Current year plus 1 year. Consider anonymisation where possible. | Business need; Contractual obligation; Limitation period | No statutory period so organisation can balance need to retain these records against data minimisation principle. Monitoring logs may be relevant to claims and disputes where IT is used externally. |
| Business continuity and information security plans | 3 years from when the plan is superseded | Business need; Legal or contractual obligation; Limitation period | No statutory period. Consider whether organisation is subject to legal or contractual obligations (e.g., NIS Regulations). Relevant for external systems. |
| Technical support and help-desk requests | 3 years from end of system (consider longer if needed) | Business need; Contractual obligation; Limitation period | No statutory period. Consider external customer obligations and limitation periods. |
| Contracts and agreements (software licences, support agreements, hardware agreements etc.) | 12 years from expiry of the agreement | Limitation period plus reasonable period thereafter for business records | See also Procurement section. |
| System backups | 3 months | Business need | May vary depending on the system. |
| Type of Data | Retention Period | Reason | Comments |
|---|---|---|---|
| Bought-in mailing lists for business to business contacts and associated contracts | 1 year for mailing lists; 6 years from expiry/termination for contracts (12 years if executed as a deed) | Best practice for mailing lists; Limitation period for contracts | Consult ICO guidance. Bought-in lists should not be used for consumers without careful consent consideration. |
| Marketing database records (e.g., lead generation, meeting feedback, contact data) | 2 years from last contact | Business need | Depends on nature of business, scope of consent, and type of contact. |
| Customer relations database records (call centre records, queries, meeting feedback, account history) | 6 years from last contact | Business need; Limitation period | |
| Order fulfilment records | 6 years from completion | Limitation period and accounting requirement | |
| Opt-out/suppression lists | Indefinite | Business and compliance need | Only retain sufficient information to enable the opt-out. |
| Evidence of consent to marketing (including electronic marketing) | While consent valid; 6 years from date consent withdrawn or ceases to be valid | Business need; Limitation period | Consent can be withdrawn at any time; validity duration depends on context. |
| Market research, marketing campaigns | 2 years from completion | Business need | DMA suggests two years from last campaign. |
| Press releases | 5 years from publication | Business need | |
| Customer complaints handling | 6 years from settlement or closure | Business need; Limitation period | |
| Website analytics reports from cookies and other similar technology | 2 years | Business need | Refers to output from cookies. No firm ICO period; French regulator recommends 25 months; DMA for Google Analytics recommends 2 years. Cookies themselves may vary by function. |
| Type of Data | Retention Period | Reason | Comments |
|---|---|---|---|
| Unsuccessful tenders | 2 years | Business need | Businesses with many tenders may retain only 1 year depending on nature of business. |
| Successful tenders | Contract period plus 6 years (12 years for deeds) | Limitation period | |
| Contractual documents | Contract period plus 6 years (12 years for deeds) | Limitation period |
| Type of Data | Retention Period | Reason | Comments |
|---|---|---|---|
| Legal advice and opinions (non-litigation) | 6 years after life of service or matter | Business need | |
| Legal advice and other records relating to litigation or claim | 6 years from settlement or withdrawal of claim | Limitation period | |
| Data subject rights requests | 6 years from closure of request | Limitation period | |
| Previous versions of policies (IT, privacy, retention etc.) | 6 years from being superseded | Business need and limitation period | |
| Monitoring and investigation requests | 6 years from closure of investigation | Limitation period | |
| Insurance claims | 3 years after settlement | Limitation period |
| Type of Data | Retention Period | Reason | Comments |
|---|---|---|---|
| Wages/Salary records (also overtime & bonuses) | Records not needed by HMRC: ≥3 years; Records needed by HMRC: 6 years | Taxes Management Act 1970 | If in doubt, keep for 6 years |
| Income Tax & NI Returns, records & correspondence with HMRC | Not less than 3 years after end of financial year | Regulation 97, Income Tax (PAYE) Regulations 2003 | |
| Retirement Benefits Schemes – records of notifiable events (e.g., incapacity) | 6 years from end of scheme year | Retirement Benefits Schemes (Information Powers) Regulations 1995 | |
| National Minimum Wage | 3 years after end of pay reference period | National Minimum Wage Act 1998 | |
| Statutory Maternity Pay records (MATB1 or other medical evidence) | 3 years after end of tax year of maternity period | Regulation 26, Statutory Maternity Pay (General) Regulation 1986 | |
| Shared Parental Pay | 3 years after end of tax year of SPL period | Regulation 9, Statutory Shared Parental Pay (Administration) Regulations 2014 | |
| Documents relating to Working Time | 2 years after employment ceases | Regulations 5 and 9, Working Time Regulations 1998 |
| Type of Data | Retention Period | Reason | Comments |
|---|---|---|---|
| Employee personal records (appraisals, performance, salary, disciplinary, pre-employment notes) | 6 years after cessation of employment | Section 5, Limitation Act 1980; CIPD guidance | Includes senior executives; CIPD suggests permanent retention for some records. |
| Written particulars of employment (contracts, T&Cs changes) | 6 years after cessation of employment | Section 5, Limitation Act 1980 | |
| Pre-employment Right to Work ID documents | 6 years after cessation of employment | Immigration Order 2007; Section 5, Limitation Act 1980 | |
| Pre-employment criminal record checks | None (unless relevant to ongoing employment) | Rehabilitation of Offenders Act 1974; ICO Employment Practices Code | |
| Personal records of senior executives | Minimum 6 years or permanent for historical purposes | CIPD recommendation | |
| Pre-employment assessment/interview notes (unsuccessful candidates) | 6 months (up to 1 year if retained for further vacancies) | Equality Act 2010; CIPD guidelines | One-year limit for defamation actions |
| HMRC "approvals" | Permanently | ||
| Payroll records | Limited companies: 6 years; Unincorporated: 5 years after Jan 31 following assessment | Guidelines suggest up to 12 years | |
| Parental leave records | 5 years from birth/adoption (18 years if disabled) | CIPD recommendation | |
| Paternity Leave | 3 years after end of tax year | Regulation 26, Statutory Maternity Pay (General) Regulation 1986 | |
| Pension Scheme Investment Policies | 12 years from ending of any benefit | ||
| Pensioners’ records | 12 years from ending of benefits paid | CIPD recommendation | |
| Retirement benefit schemes information & pension administration | Minimum 6 years (12 years recommended) | Regulation 18, Registered Pension Schemes; Retirement Benefits Schemes Regulations 1995 | |
| Redundancy details (payments, refunds, notifications) | 6 years from date of redundancy | CIPD recommendation | |
| Records of advances for season tickets | 6 years after repayment | Tax Management Act 1970 | |
| Sickness records (SSP, certificates, self-certificates) | 6 years after employment ceases | Statutory Sick Pay Regulations; CIPD guidance | |
| Annual Leave Records | 6 years from date of records | Working Time Regulations 1998; CIPD guidance | |
| Data for emergency medical care, reintegration plans, incapacity assessments, workplace adaptions | 6 years after creation/employment ceases | Section 5, Limitation Act 1980 | |
| Medical Records | 40 years from date of last entry | Control of Lead at Work Regulations 1998; COSHH Regulations 1999 |
| Type of Data | Retention Period | Reason | Comments |
|---|---|---|---|
| Accident books / Accident Reports & Records | 6 years (children: until child reaches 21) | Limitations Act 1980; RIDDOR 1995 | |
| Health & Safety records | 6 years (industrial injuries: longer) | Limitations Act 1980; Health & Safety at Work Act 1974; COSHH 2002; Asbestos 2002/2006 | |
| Risk Assessments | For duration of process/activity + minimum 3 years | Management of Health and Safety at Work Regulations 1999 | |
| Accident reports and insurance correspondence | 6 years from incident or 3 years following settlement – whichever is later | Limitations Act 1980 | |
| Assessments under health & safety law for consultation with safety representatives | Permanently | Safety Representatives & Safety Committees Regulations 1977/1996 | |
| Records of tests & examinations of control systems and protective equipment | 5 years from test date | COSHH Regulations 1999/2002 | |
| Fire Risk Assessments | For the life of the building | Best practice | Permanently recommended |
| Employers’ Liability Insurance Certificate | Minimum 40 years | Best practice | Permanently recommended |
| Permits to Work | 3 years | Health & Safety Executive Guidance | |
| Display Screen Equipment Assessments | 6 years | Limitations Act 1980 | |
| H&S Training Records | 6 years from superseded | Limitations Act 1980 | |
| New or expectant mothers risk assessment | 6 years from end (6 months after return to work or breastfeeding ends) | Limitations Act 1980 |