{{org_field_logo}}

{{org_field_name}}

Registration Number: {{org_field_registration_no}}

---

Record Retention, Archiving, and Disposal Policy

{{org_field_name}}

1. Purpose

The purpose of this policy is to provide a clear and comprehensive framework for the safe, lawful, and effective retention, archiving, and disposal of records held by {{org_field_name}}. The agency has a legal, regulatory, and ethical obligation to manage records responsibly to ensure that information is accurate, up-to-date, securely stored, and disposed of when no longer required. This policy ensures compliance with The Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR), The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, The Care Quality Commission (Registration) Regulations 2009, The Limitation Act 1980, and all other relevant legislation and best practice guidelines. Effective records management safeguards the privacy of individuals, supports operational efficiency, and facilitates compliance with inspection, audit, and information requests from regulators and commissioners.

2. Scope

This policy applies to:

• All records held by {{org_field_name}} relating to service users, candidates, employees, clients, stakeholders, and operational matters
• All employees, directors, and temporary staff involved in the creation, processing, storage, archiving, or disposal of records
• All formats, including paper records, electronic files, audio recordings, photographs, emails, and digital images
  Records may relate to recruitment, personnel, safeguarding, health and safety, incidents, complaints, finance, clinical governance, or regulatory compliance.

3. Related Policies

• Confidentiality and Data Protection Policy
• Candidate Confidentiality and Data Handling Policy
• Communication and Record-Keeping Policy
• Incident and Accident Reporting Policy
• Safeguarding Adults and Children Policy
• Supervision and Appraisal Policy
• Whistleblowing Policy

4. Policy Statement

{{org_field_name}} is committed to ensuring that all records are retained, archived, and disposed of in accordance with legal, regulatory, and contractual requirements. The agency will maintain records that are:

• Accurate, clear, and up-to-date
• Kept only for as long as necessary
• Stored securely to protect confidentiality and prevent loss, damage, or unauthorised access
• Disposed of securely and appropriately when no longer required
  The Director will oversee record management to ensure consistency, compliance, and best practice in all aspects of record keeping.

5. Responsibilities

Director
The Director will:

• Implement and review this policy annually or sooner if required
• Ensure systems are in place for secure record storage, archiving, and disposal
• Provide training and guidance to all staff involved in record management
• Audit record keeping practices as part of regular quality assurance activities
• Investigate any incidents relating to record loss, breaches, or non-compliance
• Approve disposal and destruction schedules

All Staff
All staff are responsible for:

• Complying with this policy and related procedures
• Ensuring that records they create are accurate, factual, and completed contemporaneously
• Protecting records from unauthorised access, loss, or damage
• Following retention and disposal instructions provided by the Director or compliance staff
• Reporting any concerns regarding records management without delay

6. Types of Records Covered

This policy applies to, but is not limited to, the following types of records:

• Candidate application forms, employment contracts, and recruitment documents
• Training records, supervision notes, appraisal records, and disciplinary documentation
• Safeguarding referrals and outcomes
• Incident and accident reports
• Health and safety audits
• Complaints and investigation records
• Financial records (invoices, payroll, tax documentation)
• Communication logs with clients and external stakeholders
• Staff rotas, shift records, and time sheets
• Clinical records where held directly by the agency

7. Retention Periods

Retention periods will be determined by:

• Legal obligations
• Statutory limitation periods
• Regulatory requirements (e.g., CQC, HMRC)
• Best practice guidance from the Records Management Code of Practice for Health and Social Care
  Examples of standard retention periods include:
• Personnel records: 6 years after employment ends
• DBS check records: 6 months after recruitment decision
• Safeguarding records: 30 years (in accordance with statutory guidance)
• Incident and accident reports: 10 years
• Complaints records: 10 years
• Financial records: 6 years
• Training and supervision records: 6 years
  The Director will maintain and publish a Record Retention Schedule to all staff.

8. Archiving

Records that are no longer required for everyday use but are still within their retention period must be archived securely.

• Paper records must be stored in locked filing cabinets or secure off-site storage facilities
• Electronic records must be securely stored on encrypted devices or approved secure servers
• Access to archived records will be restricted to authorised staff only
• An archive log must be maintained detailing record location, type, and retention date
  Archiving ensures that records are retrievable if needed for inspections, audits, or legitimate requests.

9. Secure Storage

To protect confidentiality, all records must be:

• Stored securely when not in active use
• Kept in lockable storage (for paper records)
• Accessed only by staff with legitimate authority
• Protected by passwords, encryption, or other cybersecurity measures (for electronic records)
  Staff must avoid leaving records unattended or visible to unauthorised persons.

10. Secure Disposal

When the retention period for a record has expired, it must be securely destroyed.
For paper records:

• Confidential waste must be shredded or incinerated
• Disposal must be documented and, where appropriate, a certificate of destruction obtained
  For electronic records:
• Files must be permanently deleted and removed from backup systems
• Secure deletion methods must be used to prevent data recovery
  Under no circumstances should records be discarded in general waste.

11. Breach of Record Security

Any breach involving the loss, unauthorised access, or inappropriate disposal of records must be:

• Reported immediately to the Director
• Investigated in accordance with the Incident and Accident Reporting Policy
• Notified to the Information Commissioner’s Office (ICO) where required under the UK GDPR
• Addressed through appropriate remedial actions
  The Director will ensure that staff involved receive support and further training where necessary.

12. Data Subject Rights

Records must be retained in a way that allows individuals to exercise their rights under UK GDPR, including:

• The right to access their data
• The right to rectification
• The right to erasure (where applicable)
• The right to restriction of processing
  {{org_field_name}} will ensure that records are stored in a manner that facilitates data subject access requests within the statutory timeframe.

13. Training

All staff will receive training on:

• This policy and related procedures
• Confidentiality and data protection principles
• Record creation, maintenance, and secure disposal
• The importance of accurate, clear, and contemporaneous documentation
  Training will be provided during induction and refreshed regularly.

14. Supervision and Monitoring

The Director will:

• Include records management in staff supervision and appraisal
• Conduct audits of record keeping, archiving, and disposal practices
• Review incidents and complaints relating to record management
• Implement learning and improvements as necessary

15. Director’s Oversight

The Director is responsible for:

• The overall implementation and governance of this policy
• Reviewing and authorising the Record Retention Schedule
• Ensuring that retention, archiving, and disposal procedures meet legislative and regulatory standards
• Promoting best practice in record keeping across the organisation

16. Policy Review

This policy will be reviewed annually by the Director or earlier if legislative, regulatory, or operational changes require it.

---

Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.