This document sets out the policy of Insolvency Support Services Ltd (“the Company”) on the retention of personal data and the timing and manner of its destruction.
It should be noted that processing or storing personal data for longer than is necessary can constitute a personal data breach to which fines and penalties may be applied.
This policy applies to the retention and destruction of all person data processed by the Company, whether in relation to its Staff Members, clients or prospective clients or others whose data the Company processes in connection with formal insolvency appointments.
Individual living persons (as opposed to companies) have rights to data privacy in respect of their personal data, contained in the data protection legislation. These include a right that their data only be processed for as long as is necessary to fulfil the lawful purpose for which it was obtained.
The nature of insolvency practice is such that personal data will come into our possession in the ordinary conduct of the Company’s business activities.
A list of the different types of personal data (“data categories”) that we deal with in relation to different individuals (“data subjects”), can be found in our Data Processing Register.
Timely destruction of person data that is no longer required is an important protection afforded to individuals. Destruction also assists in reducing the possibility of inadvertent disclosure.
In accordance with the data protection legislation, the Company only retains personal data for as long as is necessary. That period will vary depending upon:
Most of the data we hold about staff members is required to be held for tax purposes for 6 years following termination of employment.
There are some exceptions to this, for example information about your pension entitlements, which may be retained for significantly longer periods (up to 75 years). Bank details and contact details will be retained for 2 years from the termination of employment, unless there are unresolved claims or legal proceedings between the employee and the Company, in which case, they will be held until the later of 2 years from the termination of employment or the resolution of the claim or proceedings.
The period for which we retain the personal data of clients that approach us for advice about their debt problems, or those of their business, will depend upon whether they decide to proceed with a debt solution which utilises our services. Where a formal debt solution is taken up, see the policy below concerning insolvency appointments.
When we are approached for advice, but a client does not return to us immediately, personal data contained in the fact find and any meeting notes taken will be retained for 6 months. We consider this to be a reasonable period of time as it is not uncommon for clients to return after a period of reflection, or if their circumstances deteriorate. Retaining their information in this way enables us to assist them more efficiently. The Client may object to our retaining their personal data in this way.
FCA regulations in relation to Debt Counselling activity require the Company to maintain a record for the grounds of being satisfied that the recipient of the service is not going to enter into a contract with us. That record and will state only the name of the Client, date of the advice and the grounds for being satisfied (e.g. a referral to an alternative source of advice or assistance). There is no statutory retention period for that record, and our policy is that a record will be kept for the current and two preceding calendar years. This will ensure that appropriate records are available for regulatory compliance purposes.
Additionally, where Money Advice has been provided to an individual by the Company, a record of that advice is required to be retained for a period of 2 years. The record contains the evidence of your income and expenditure that you supplied and a record in relation to the advice given to you. The record of Money Advice is retained in connection with a statutory function that has been undertaken and therefore cannot be erased at the Client’s request.
The personal information contained in an insolvency case file may be substantial and can include special category and criminal conviction information. Data subjects will not generally be entitled to request the early destruction of this information, as it is being held to fulfil statutory retention requirements.
For further details about the types of information which may be contained in a formal insolvency case file, please refer to the relevant Privacy Notice that described your relationship with us.
In addition to its functions as an insolvency practice, the Company supplies training and compliance services to other practices. In the course of this activity, the Company will hold the contact details of course attendees, participants in in-house training sessions or other contacts that have purchased our products or services or expressed an interest in doing so. Such information will be ordinarily retained for a period of 3 years for the purposes of fulfilling our legitimate commercial interests.
Additionally, we hold contact information pertaining to business contacts and potential customers for email marketing purposes. This data is held with the data subject’s consent and will be deleted from mailing lists upon request.
The Company operates a paperless office system and the majority of the personal data we process is supplied and stored digitally. Incoming postal correspondence is scanned and allocated to the appropriate folder. Correspondence may contain personal data relating to any of the above data subjects or capacities.
Our process for the hard copies of all correspondence is that the hard copy is stored securely, chronologically by data of receipt and retained for a period of 12 months.
All communications sent and received by email are securely archived 12 months from sending or receipt. Digital copies may be retained for the purposes and durations described above depending upon the nature of the communication and the nature of any data subject to whom it relates.
Personal data held by the company, either digitally or physically, will be routinely and securely destroyed within 6 months of the expiry of the stated data retention period, without further reference to the data subject.
It is the responsibility of Line Managers to ensure that procedures are in place within their teams to ensure that all copies of such information, including but not limited to those which may be contained in our cases management, email and hard copy systems, are destroyed in accordance with this policy.
Staff Members are expected to comply with this policy and implement any destruction procedures of which they are advised by their Line Manager, in respect of all copies of personal data in their possession. Deliberate and unauthorised retention of personal data is a matter the Company will take very seriously.
In the event that a Staff Member becomes aware of a failure to destroy data in accordance with this policy, they must report it to their Line Manager immediately on becoming aware, as unnecessary retention may constitute a data breach to which the Data Breach Policy will apply.
Any failure to follow the procedures and guidance laid out in this Policy may lead to disciplinary action which could result in termination of employment.
The Company reserves the right to pursue a claim for recovery of costs incurred where a Staff Member fails to adhere to this policy and the Company suffers loss or damage.