1. Introduction

As a registered charity, Cornerstone Collective is responsible for complying with UK and EU data laws. Data protection policies are designed to protect information, in particular personal data, which is important to Cornerstone Collective, its employees, Church members, suppliers and any other individuals.

Having relevant policies in place also enables us to comply with applicable data protection legislation and regulations, such as the EU General Data Protection Regulation 2016/679 (GDPR).

This document provides guidance in relation to the retention and disposal of data to ensure that Cornerstone Collective complies with legislative and regulatory requirements.

This policy will provide principles that should be applied in relation to:

  • retention of data/documents/records – what format and for what period certain data/documents/records should be retained; and 
  • disposal of data/documents/records – when and by what method data/documents/records should be disposed of.

2. Responsibilities

All persons undertaking tasks on behalf of Cornerstone Collective, whether employees or volunteers, who come into contact with any data/documents/records that are retained, stored or disposed of are responsible for complying with this policy. They should be made aware of this document and should familiarise themselves with its contents and requirements. It is the responsibility of the individual to identify and consistently review any documents (both paper and electronic) that need to be destroyed in line with this policy.

3. Procedures

3.1. Creation of Documents

Whenever a document/data/record is created it should be noted that it could have significant implications. Any data/document/record can be called upon in the event of a legal case or a Subject Access Request (SAR).

Before a document/data/record is created, the purpose for which it will be used and the reasons it will be stored should be considered, as well as the following:

  • Is there a legal requirement to create this record (i.e. statutory or regulatory)? For example:
    • The Companies Act 2006 imposes obligations in relation to accounting records being kept for 6 years after being generated; and
    • In the UK and Europe, the General Data Protection Regulation (EU) 2016/679 (GDPR) requires all personal data processed for a particular purpose to be kept in identifiable form for no longer than is necessary for that purpose.
  • Is retention required for all documents/records?

Not all documentation should be retained. Information that is deemed non-applicable and that only had a temporary purpose can be disposed of at the discretion of the individual, for example:

    • Duplicates of originals
    • Spam / Junk mail
    • Reference material
    • Draft documentation

3.2. Method and Form of Retention

Depending on the nature of the data the method of storage / retention may differ. However, consideration should be taken to:

  • The sensitivity of the data
  • The accessibility requirements of the data and any subsequent restriction
  • The appropriate location in which the data will be stored

3.3. Review

Under GDPR, documents/records should only be retained if they are up to date and still relevant. Any data/documents that need to be retained should therefore be reviewed on a regular basis (at least once a year) to decide whether retention is still required or whether they can in fact be disposed of. Some documents have a set retention period; Appendix 1 provides details of these.

Attention should be paid to any changes to legislation that may affect retention periods.

3.4. Disposal

Once a document/record has been reviewed and it is deemed that it is no longer required, the following should be completed when disposing of it:

  • Any physical document/record that is deemed sensitive should be disposed of using a cross-cut shredder.
  • Any electronic document/record that is deemed sensitive should be deleted from the platform it is held on including laptops, mobile devices and e-mails.

Any other document/record that is not deemed sensitive should be disposed of using appropriate measures.

A log should be kept of any sensitive document/record that is disposed of. This is to be held by the Operations Pastor.

4. Non-Conformance

If Cornerstone Collective were found to be in breach of data protection laws, the church could face fines and enforcement notices, which would also, potentially, have a negative impact on the gospel work of the Collective Churches. If enforcement action were taken against Cornerstone Collective, there would be a time and cost implication, and the associated publicity would, potentially, have a negative impact on the gospel work undertaken by the Collective Churches, as Cornerstone Collective may be perceived as not respecting the privacy rights of individuals.

5. Definitions

Term Used: Definition

GDPR: General Data Protection Regulation (EU) 2016/679

ICO: Information Commissioner's Office

Sensitive Personal Data: Certain types of personal data are considered to be ‘sensitive’ or to be ‘special categories’ of personal data. Additional care needs to be taken when handling such data. Particular care should be taken when collecting and using this type of data (often an individual's explicit consent, or a legal obligation, to do so will be sought).

Sensitive personal data means any information relating to: 

  • medical and biometric information 
  • racial or ethnic origin 
  • criminal convictions 
  • political opinions 
  • religious beliefs or political or philosophical opinion 
  • trade union membership 
  • sex life or sexual orientation 
  • genetic data 

 

While financial data (such as bank account or credit card details or salary information) is not included in the above-mentioned list of sensitive personal data, this information should be treated as sensitive by its very nature.

 

6. Appendix 1

| Category | Record Type | Retention Period | Method of Disposal |
|---|---|---|---|
| Recruitment | Job Applications, CVs, test results, references and interview records of unsuccessful candidates | A short period (e.g. 2 - 6 months) following communication of decision. | Secure disposal |
| Congregation | Membership database | Whilst still a member (consent required) | Deletion from database |
| Congregation | Connect Information | Three months | Deletion from database |
| Congregation | Gift Aid Information | Whilst giving | Physical – Secure disposal; Electronic – Delete from database |
| Congregation | Children’s Information | Whilst still a member (consent required) | Physical – Secure disposal; Electronic – Delete from database |
| Congregation | Children’s Information – non-member | Three months | Physical – Secure disposal; Electronic – Delete from database |
| Staff | Staff Contracts | Six years after employment ends | Physical – Secure disposal; Electronic – Delete from storage area |
| Staff | Staff Appraisals | Six years after employment ends | Physical – Secure disposal; Electronic – Delete from storage area |
| Staff | Staff Disciplinary Hearings | Six years after employment ends | Physical – Secure disposal; Electronic – Delete from storage area |
| Staff | Staff Expense Claims | Six years after employment ends | Physical – Secure disposal; Electronic – Delete from storage area |
| Staff | Payroll Information | Six years after employment ends | Physical – Secure disposal; Electronic – Delete from storage area |
| Staff and Volunteers | DBS Applications | No longer than necessary | Secure Disposal |
| Staff and Volunteers | DBS Outcome Letter | Six years after employment ends | Secure Disposal |
| Trustees | Trustee Minutes | Six years from end of financial year | Physical – Secure disposal; Electronic – Delete from storage area |