
Introduction
This policy sets out the period for which documents and electronic records must be retained.
Policy objective
The policy objective is to set out the requirements imposed by law or good practice on Inchcape for the retention of documents and records in whatever form they may exist, both in hard copy and electronic media (collectively referred to as “documents” herein), and for disposing of documents at the end of the retention period.
The benefits of enforcing a document retention policy are to:
• ensure compliance with statutory, legal and regulatory requirements on document retention and data protection;
• improve operational efficiency and reduce storage costs; and
• ensure protection for Inchcape against legal risks.
The key legislation that we are required to comply with in the UK on this subject includes: the Data Protection Act 2018, the UK General Data Protection Regulation (“GDPR”) and The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).
We recognise that the correct and lawful treatment of personal data will maintain confidence in our organisation and will provide for successful business operations. Protecting the confidentiality and integrity of personal data is a critical responsibility that we must take seriously at all times.
Who is the policy applicable to?
This Policy applies to all Inchcape Plc, Inchcape Management (Services) Limited, Inchcape Corporate Services Limited, Inchcape International Holdings Limited, Inchcape Digital Limited and any other UK based Inchcape Group company, which performs activity for and on behalf of the Inchcape Group from time to time (“Inchcape”) employees.
What is personal data?
Personal data includes any information about an individual from which that person can be identified. Examples include someone’s name, identification number, email or home address, photograph and bank account details, factors specific to an individual (such as their physical, physiological, mental, economic, cultural or social identity) and any data that allows the identification of an individual when combined with other data.
Types of Documents and Records
A record is any type of information created, received, or transmitted in the operation of our business. Examples include:
• emails
• contracts
• handwritten notes
• invoices
• letters and correspondence
• performance reviews
• voicemails
• online postings such as on Facebook, Twitter, Instagram etc.
• audio and video recordings (including CCTV)
Retention Periods
Certain documents and records must be kept for a minimum period of time, notably where imposed by law or regulation. In addition, you should bear in mind the legal requirement that personal information is retained ‘for no longer than is necessary’.
In considering whether or not to dispose of documents the following must be taken into account – is the document:
• required to be kept for a specific period of time by law or regulation?
• connected with ongoing, threatened or anticipated legal action?
• an original contract or document of title – e.g. property title deeds, share certificates etc.?
• required for any audit of accounts?
• needed for the ongoing operation of the business?
• required to comply with any record keeping or audit requirements in a contract?
The retention periods for the main types of documents and records used in Inchcape business are set out in Appendix 1 to this document. If you are unable to find a specific document in the Appendix then you should align the retention period of your document to the most suitable category within the Appendix. Please check with Data Protection Team at [email protected] or Group Legal Counsel if there is any doubt as to how long a document should be retained.
Always remember: the period you need to retain something may be longer than you realise – always check this policy first and ask Data Protection Team or Group Legal Counsel if you are not sure.
Procedures
Filing and archiving
Filing must generally be kept in an orderly manner and capable of being easily accessed. Where space, security and health and safety considerations allow, documents should be kept on site. Where this is not feasible and the business needs to store records offsite, the approved archiving facility arrangements should be used. For further details please contact Data Protection Team or Group Legal Counsel.
The approved archiving supplier is the only off site archiving facility to be used for future archiving requirements after issue of this Policy. Where any other third party archiving facility is currently being used, you must ensure that adequate security and document destruction processes are in place; otherwise, the archived documents should be transferred to the approved archiving supplier. Daily bank records should be kept in a secure office and only authorised accounting personnel should have access to this information. Accounting personnel should not allow these documents to be accessed by any unauthorised members of staff without prior consent of the Accountant or Financial Controller. When these records are archived they should be marked ‘Confidential’.
Archived documents held onsite should be retained in a locked room or cabinet and should only be accessible by authorised personnel. When transferring to an offsite facility, the approved supplier will collect the barcoded records and provide a consignment note to track the records into storage.
Retrieval of any records from the approved supplier or other offsite archive facility must be authorised by the Accountant, Financial Controller or Group Legal Counsel, and securely stored on receipt.
It is very important to note that documents which have been stored in an archive facility are still subject to the data retention periods and the data destruction process outlined in this policy. Care must be taken to ensure that these records are still reviewed periodically to assess whether destruction is required.
Security of documents
All colleagues are responsible for ensuring that any documents held on site or accessed through computers on site are kept securely and that they are not disclosed to any unauthorised third party, particularly if they contain commercially sensitive data or personal data.
Dependent on the sensitivity and value of the documents, appropriate physical measures should be taken for storage and access which may include:
• lockable room with controlled access;
• locked drawer or filing cabinet;
• not leaving documents unattended in public areas;
• complying with a ‘clear desk’ policy;
• if electronic, are password protected, with controlled distribution;
• password protected screen-savers: user names and passwords must not be shared;
• PC, laptop and terminal screens are not visible to the public.
Document Destruction
Group Legal Counsel and the heads of each business area are responsible for ensuring that documents are periodically reviewed (at least annually) to determine whether any retention periods applying to documents within their business (including those that are archived) have expired. This task may be delegated by the Group Legal Counsel and/or the relevant heads of each business area to senior employees. Once the retention period has expired, the document must be reviewed and an action agreed, which is either:
a) the destruction and/or deletion of the document or record; or
b) the retention of the document or record for a further period within the business.
The decision must be reached having regard to:
• on-going business and accountability needs (including audit and potential litigation);
• current applicable legislation;
• best practice in the applicable professional field (for example health and safety);
• costs associated with continued storage versus costs of destruction;
• the legal, political and reputational risks associated with keeping, destroying or losing control over the record.
Decisions must not be made with the intent of denying access or destroying evidence.
Deletion of Electronic Records
Inchcape has an IT system tool to help us locate and identify certain electronic documents (such as Word or Excel files) that are stored on servers in networked shared or user folders and that exceed the stated retention periods in this policy. Once identified, the tool may be used to delete such records. However, the tool is not a replacement for ‘good housekeeping’, and colleagues must still assume responsibility for ensuring that this Data Retention Policy is adhered to, particularly for documents which are not able to be identified within the tool (such as scanned documents, pictures, Project or Visio documents).
Any computer equipment should also be disposed of through the IS&T Department to ensure any storage media is wiped or physically destroyed in a secure manner.
It is essential that all colleagues follow the Inchcape Information Security Policies regarding storage of electronic data. If you have stored personal data that is not business-related, Inchcape will not be held responsible for the loss of any information that is not business-related during this destruction process.
Deletion of Emails and Attachments
Emails and the attachments stored within them are just as important to this policy as electronic or paper records. Emails often attach the same documents that may well have required deletion in accordance with the principle of electronic record deletion above.
It is also important to remember that emails may also hold the only copy of an important document so care must be taken to ensure that documents which need to be retained are removed from emails and stored in an appropriate location. Colleagues must ensure that they carefully consider the retention periods for the emails and attachments within them when reviewing compliance with this policy.
Like the process for destruction of electronic documents, it is essential that all colleagues follow the Inchcape Information Security and Acceptable Usage Policies regarding storage and archiving of emails and attachments. If you have stored personal emails and attachments to them that are not business-related, Inchcape will not be held responsible for the loss of any information that is not business-related during this deletion process.
Email Guidelines:
As a broad overview of email housekeeping the following represents good practice regarding emails and attachments:
• Be sensible when retaining emails – keep the business related ones for periods which match those listed in Appendix 1 of this policy;
• File emails in a similar way to how you might store them in any other electronic storage location – use folders and sub-folders where appropriate;
• Regularly archive your emails but be aware of the process and limitations of the email archiving system;
• Seek help from local IT colleagues where needed;
• Remember that the value of any electronic document deletion tool is going to be reduced if a person is still holding on to the same document in an attachment to an email years after the original is deleted.
When a user leaves Inchcape’s employment the following retention periods apply:
• the Outlook records will be permanently deleted after 7 years.
If an individual’s Inbox or a shared Inbox requires a longer retention period due to the nature of their role, the IS&T Department must be specifically advised in advance to retain the inbox for the appropriate period of time.
Destruction of Paper Documents
Destruction should be carried out in a way that preserves the confidentiality of the document. Non-confidential documents i.e. documents that are clearly in the ‘public domain’ can be placed in general waste or recycling bins. Confidential records should be placed in the confidential waste bins or placed in the confidential waste sacks for collection by an approved disposal firm for security shredding. If the documents to be destroyed are in the archiving facility, either recall the files that require destruction or ensure that the archiving facility provide a certificate of destruction.
Questions?
If you have any questions on how this policy operates or whether you are doing the right thing, then please contact the Data Protection Team at [email protected] or Group Legal Counsel.
Appendix 1
Period of Retention for Documents and Records
The term of years given refers to the previous completed financial years ended 31 December unless otherwise stated.
The justification for each retention period is held by the Data Protection Team or Group Legal Counsel. If you require further information contact the Data Protection Team or Group Legal Counsel.
Contracts/Agreements
Document Type (with examples) | Retention Period |
Contractual documents not executed as deeds (Such as terms and conditions, hire agreements, supplier agreements, NDAs, customer agreements.) | 12 years |
Contracts executed as deeds | 18 years |
Agreements relating to building work | Permanent |
General Records
Document Type | Retention Period |
General Correspondence | 7 Years |
Telephone Recordings | 3 months: Video Capture; 1 year: Audio Capture |
CCTV | 30 days |
Sales & Aftersales (Such as deal files, vehicle records, vehicle order forms, quotations, parts records, service records, time sheets, clock cards.) | 7 Years |
Supply Chain (including OEM) (Such as new supplier forms, due diligence questionnaires, rebate records, supplier audit information and reports, supplier volume and performance reports, supplier price lists and rates information, supplier evaluation documents) | 12 Years |
Employer’s liability insurance policy records noting insurers, policy period and policy number | Permanent |
Public and product liability insurance policy records noting insurers, policy period and policy number | Permanent |
Public and product liability claims | 12 years |
Insurance policy records (other than employers liability and public & products liability) | 12 years |
Finance Records
Document Type | Retention Period |
Finance (Such as cashier records, office records, purchase documentation, sales financial documentation, accounts records, reports, VAT records, corporation tax records, cheques, bank statements and reconciliations, funder reports, funder pricing records) | 12 years |
Nominal Ledgers | Permanent |
Fixed Assets | For the life of the asset or 7 years whichever is longer |
Customer Data
Document Type | Retention Period |
Personal & Business Customer Records (Such as details of vehicles, customer records including service records, fines, administration records, accident management records (including driving licence checks), MOT and service reminders and recall notices, customer enquiries, customer survey results, customer reports, customer financial information relevant to an agreement to purchase or lease (including bank details for payment), contact information, customer marketing activity, CSI / NPS reports.) | 7 Years following the date of last activity on the customer’s account |
Data relating to potential customers (prospects) | 4 years after no contact from potential customer |
Customer road traffic / driving offences | 7 years |
Customer subject access requests, third party subject access requests pertaining to customers and personal data breaches relating to customers | 7 years from date of request / breach |
Customer complaints and litigation | 7 years |
Test Drive Documentation (Copies of driving licences) | 6 months following the date of the test drive |
Verification Information relating to customer applications for finance (Such as proof of identification documentation). | Originals should be returned to the customer immediately after use (if applicable). Copies should not be retained once the verification information has been passed to the relevant finance house providing the quotation for funding. |
PPI claims and financial ombudsman PPI complaints | 7 years |
Customer motor claims | 9 years |
Compliance audits | 7 years following vehicle sale |
Property Records
Document Type | Retention Period |
Title deeds | Until sold or transferred |
Leases | 15 years after expiry/termination |
Licenses | 15 years after expiry/termination |
Employment/ Pensions Records
Document Type | Retention Period |
Unsuccessful Candidates (Such as job applications, CVs and records of interviews, rejection letters) | 12 months after no activity on the account. |
Personnel records (Such as job applications, references, CVs, records of interviews, offer letters, contracts of employment, right to work documentation, working time regulations records, DBS, security clearances, flexible working requests, travel and expenses records, training records, performance reviews, records relating to salary reviews, bonuses, compensation and promotions, disciplinary records, grievance records, investigation records, medical reports (including occupational health reports), sickness records, absence and leave records (including maternity, paternity, child bereavement and adoption leave, driving licence checks for employees and their partners and motor vehicle checks) records relating to redundancy, termination of employment and exit interview data.) | 7 years after end of employment |
Employee benefits provision including childcare, Cycle to Work, access to Showroom and Stars and car deductions | 7 years from the end of the period for which the company is required to make the return |
Hotel bookings and travel reservations | 4 years |
Payroll and wages records (Such as tax coding, tax and national insurance, P45, P60, P11d, PAYE records, payslips, attachment of earnings, student loans, salary sacrifice records) | 7 years from the end of the period for which the company is required to make the return |
Bank details | 3 months after end of employment |
Emergency contact information | 3 months after end of employment |
Employee subject access requests, third party subject access requests pertaining to employees and personal data breaches relating to employees | 7 years from date of request / breach |
Pensions information | Permanently |
Insurance renewal of technicians’ tools | 7 years from expiry of the policy |
Current and ex-employee motor claims experience for purchasing personal motor insurance | 3 years |
Employee motor claims | 9 years |
Employer’s liability claims | 75 years |
Insurance claims other than employer’s liability and public and products liability | 7 years |
Equal opportunity monitoring information | 7 years after end of employment |
Health and Safety and Accreditation
Document Type | Retention Period |
Statement of health and safety policy | Life of the company |
Accident book | 21 years from the date of last entry |
Health & Safety Records – Statutory or Serious Impact (Such as health surveillance records (including exposure to chemicals/hazardous substances), asbestos assessments, fire maintenance log/fire risk assessment, asbestos records, medical records under the Ionising Radiations Regulations 1999, health and safety file CDM, major maintenance records, noise exposure and noise surveillance, | Permanent |
Health & Safety Records (Such as Display Screen Equipment (DSE), food hygiene records, H&S minutes, H&S policy documents, legionella testing records, PAT testing, electrical fixed installation, risk assessments (activity based, PUWER, COSHH, manual handling, fire), fire protection equipment annual checks (alarm testing and maintenances, fire extinguishers, smoke and heat detector tests, emergency lighting tests (visual and full discharge), fire stopping, fire drills), record of issue of PPE, instruction manuals, controlled waste management, special waste management – removal of waste, statutory checks for LOLER, inspection and maintenance records – completion, air monitoring exposure, LEV examination and testing, workplace inspections & audit reports) | 7 Years |
Report of violent conduct at work | 12 years |
Fire equipment repair logs | Life of equipment |
Safe System of Work Documentation/Permits to Work | 4 years from cessation of the activity |
Statutory Inspections Records | 4 years from disposal of the equipment |
Portable Electrical Equipment Examination Report | 4 years from disposal of the equipment |
ISO / Accreditation Documentation and Records | 7 Years from expiry of the ISO or accreditation expiry date |
Company Records
Document Type | Retention Period |
Corporate Information (Including incorporation documents, memorandum/articles of association, register of directors, register of secretaries, register of members, charges register, register of persons with significant control, copies of instruments creating registered charges, Board minutes, written resolutions, minutes of shareholder meetings, Notices of shareholder meetings) | Permanent |
Business Information (Such as strategic plans, company reports, company communications and presentations, contract for purchase of own shares, annual return, statutory forms/returns filed at Companies House, cancelled share certificates) | Permanent |
Stock transfer forms | Permanent |
Powers of attorney | 12 years after ceasing to be valid |
Notices of shareholder meetings | 12 years or life of the company if notice required in order to understand minutes of the meeting |
Who should I contact about data retention?
If you have a general query about data retention and/or data protection or if you have any concerns that this Data Retention Policy is not being or has not been followed, please contact the Data Protection Team at [email protected] or Group Legal Counsel.
Employee Responsibility
All of our colleagues must comply with this policy and any document referenced in it. Failure to do so may expose Inchcape and its employees to serious civil and/or criminal liability.
We take our data responsibilities very seriously and a wilful or reckless failure to comply with this policy may be regarded as an act of gross misconduct under our disciplinary procedure and may result in disciplinary action up to and including dismissal.
Document Control
Group Legal Counsel is the owner of this document and is responsible for ensuring that this Policy is regularly reviewed in line with the requirements of the GDPR and applicable data protection legislation.
This is version 2.0 of the Data Retention Policy and was approved in August 2022.