TODO:

Introduction

This policy sets out the period for which documents and electronic records must be retained.

Policy objective

The policy objective is to set out the requirements imposed by law or good practice on Inchcape for the retention of documents and records in whatever form they may exist, both in hard copy and electronic media collectively referred to as documents herein, and for disposing of documents at the end of the retention period.

The benefits of enforcing a document retention policy are
to:
• ensure compliance with statutory, legal and regulatory requirements on document retention and data
protection;
• improve operational efficiency and reduce storage costs; and
• ensure protection for Inchcape against legal risks.

The key legislation that we are required to comply with in the UK on this subject includes; the Data Protection Act 2018, the UK General Data Protection Regulation (“GDPR”) and The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).

We recognise that the correct and lawful treatment of personal data will maintain confidence in our organisation and will provide for successful business operations. Protecting the confidentiality and integrity of personal data is a critical responsibility that we must take seriously
at all times.

Who is the policy applicable to?

This Policy applies to all Inchcape Plc, Inchcape Management (Services) Limited, Inchcape Corporate Services Limited, Inchcape International Holdings Limited, Inchcape Digital Limited and any other UK based Inchcape Group company, which performs activity for and on behalf of the Inchcape Group from time to time (“Inchcape”) employees.

What is personal data?

Personal data includes any information about an individual from which that person can be identified. Examples include someone’s name, identification number, email or home address, photograph and bank account details, factors specific to an individual (such as their physical, physiological, mental, economic, cultural or social identity) and any data that allows the identification of an individual when combined with other data.

Types of Documents and Records

A record is any type of information created, received, or transmitted in the operation of our business. Examples include:

• emails
• contracts
• handwritten notes
• invoices
• letters and correspondence
• performance reviews
• voicemails
• online postings such as on Facebook, Twitter, Instagram etc.
• audio and video recordings (including CCTV)

Retention Periods

Certain documents and records must be kept for a minimum period of time, notably where imposed by law or regulation. In addition, you should bear in mind the legal requirement that personal information is retained ‘for no longer than is necessary’.

In considering whether or not to dispose of documents the following must be taken into account – is the document:

• required to be kept for a specific period of time by law or regulation?
• connected with ongoing, threatened or anticipated legal action?
• an original contract or document of title – e.g. property title deeds, share certificates etc.?
• required for any audit of accounts?
• needed for the ongoing operation of the business?
• required to comply with any record keeping or audit requirements in a contract?

The retention periods for the main types of documents and records used in Inchcape business are set out in Appendix 1 to this document. If you are unable to find a specific document in the Appendix then you should align the retention period of your document to the most suitable category within the Appendix. Please check with Data Protection Team at [email protected] or Group Legal Counsel if there is any doubt as to how long a document should be retained.

Always remember: the period you need to retain something may be longer than you realise – always check this policy first and ask Data Protection Team or Group Legal Counsel if you are not sure.

Procedures

Filing and archiving

Filing must generally be kept in an orderly manner and capable of being easily accessed. Where space, security and health and safety considerations allow, documents should be kept on site. Where this is not feasible and the business needs to store records offsite, the approved archiving facility arrangements should be used. For further details please contact Data Protection Team or Group Legal Counsel.

The approved archiving supplier is the only off site archiving facility to be used for future archiving requirements after issue of this Policy. Where any other third party archiving facility is currently being used, you must ensure that adequate security and document destruction processes are in place otherwise, the archived documents should be transferred to the approved archiving supplier. Daily bank records should be kept in a secure office and only authorised accounting personnel should have access to this information. Accounting personnel should not allow these documents to be accessed by any unauthorised members of staff without prior consent of the Accountant or Financial Controller. When these records are archived they should be marked ‘Confidential’.

Archived documents held onsite should be retained in a locked room or cabinet and should only be accessible by authorised personnel. When transferring to an offsite facility, the approved supplier will collect the barcoded records and provide a consignment note to track the records into storage.

Retrieval of any records from the approved supplier or other offsite archive facility must be authorised by the Accountant, Financial Controller or Group Legal Counsel, and securely stored on receipt.

It is very important to note that documents which have been stored in an archive facility are still subject to the data retention periods and the data destruction process outlined in this policy. Care must be taken to ensure that these records are still reviewed periodically to assess whether destruction is required. 

Security of documents

All colleagues are responsible for ensuring that any documents held on site or accessed through computers on site are kept securely and that they are not disclosed to any unauthorised third party, particularly if they contain commercially sensitive data or personal data.

Dependent on the sensitivity and value of the documents, appropriate physical measures should be taken for storage and access which may include:
• lockable room with controlled access;
• locked drawer or filing cabinet;
• not leaving documents unattended in public areas;
• complying with a ‘clear desk’ policy;
• if electronic, are password protected, with controlled distribution;
• password protected screen-savers: user names and passwords must not be shared;
• PC, laptop and terminal screens are not visible to the public.

Document Destruction

Group Legal Counsel and the heads of each business area are responsible for ensuring that documents are periodically reviewed (at least annually) to determine whether any retention periods applying to documents within their business (including those that are archived) have expired. This task may be delegated by the Group Legal Counsel and/or the relevant heads of each business area to senior employees. Once the retention period has expired, the document must be reviewed and an action agreed, which is either:

a) the destruction and/or deletion of the document or
record; or
b) the retention of the document or record for a further
period within the business.

The decision must be reached having regard to:

• on-going business and accountability needs (including audit and potential litigation);
• current applicable legislation;
• best practice in the applicable professional field (for example health and safety);
• costs associated with continued storage versus costs of destruction;
• the legal, political and reputational risks associated with keeping, destroying or losing control over the record.

Decisions must not be made with the intent of denying access or destroying evidence.

Deletion of Electronic Records

Inchcape has an IT system tool to help us locate and identify certain electronic documents (such as Word or Excel files) that are stored on servers in networked shared or user folders that exceed the stated retention periods in this policy. Once identified, the tool may be used to delete such identified records. The tool is not a replacement for ‘good housekeeping’ however and colleagues must still assume responsibility for ensuring that this Data Retention Policy is adhered to, particularly where they are documents which are not able to be identified within the tool (such as scanned documents, pictures, Project or Visio documents).

Any computer equipment should also be disposed of through the IS&T Department to ensure any storage media is wiped or physically destroyed in a secure manner.

It is essential that all colleagues follow the Inchcape Information Security Policies regarding storage of electronic data. If you have stored personal data that is not business-related, Inchcape will not be held responsible for the loss of any information that is not business-related during this destruction process.

Deletion of Emails and Attachments

Emails and the attachments stored within them are just as important to this policy as electronic or paper records. Emails often attach the same documents that may well have required deletion in accordance with the principle of electronic record deletion above.

It is also important to remember that emails may also hold the only copy of an important document so care must be taken to ensure that documents which need to be retained are removed from emails and stored in an appropriate location. Colleagues must ensure that they carefully consider the retention periods for the emails and attachments within them when reviewing compliance with this policy.

Like the process for destruction of electronic documents, it is essential that all colleagues follow the Inchcape Information Security and Acceptable Usage Policies regarding storage and archiving of emails and attachments. If you have stored personal emails and attachments to them that are not business-related, Inchcape will not be held responsible for the loss of any information that is not business-related during this deletion process.

Email Guidelines:

As a broad overview of email housekeeping the following represents good practice regarding emails and attachments:

• Be sensible when retaining emails – keep the business related ones for periods which match those listed in Appendix 1 of this policy;
• File emails in a similar way to how you might store them in any other electronic storage location – use folders and sub-folders where appropriate;
• Regularly archive your emails but be aware of the process and limitations of the email archiving system;
• Seek help from local IT colleagues where needed;
• Remember that the value of any electronic document deletion tool is going to be reduced if a person is still holding on to the same document in an attachment to an email years after the original is deleted.

When a user leaves Inchcape’s employment the following retention periods apply:

• the Outlook records will be permanently deleted after 7 years.

If an individual’s Inbox or a shared Inbox requires a longer retention period due to the nature of their role, the IS&T Department must be specifically advised in advance to retain the inbox for the appropriate period of time.

Destruction of Paper Documents

Destruction should be carried out in a way that preserves the confidentiality of the document. Non-confidential documents i.e. documents that are clearly in the ‘public domain’ can be placed in general waste or recycling bins. Confidential records should be placed in the confidential waste bins or placed in the confidential waste sacks for collection by an approved disposal firm for security shredding. If the documents to be destroyed are in the archiving facility, either recall the files that require destruction or ensure that the archiving facility provide a certificate of destruction.

Questions?

If you have any questions on how this policy operates or whether you are doing the right thing, then please contact the Data Protection Team at [email protected] or Group Legal Counsel.

Appendix 1

Period of Retention for Documents and Records

The term of years given refers to the previous completed financial years ended 31 December unless otherwise stated.

The justification for each retention period is held by the Data Protection Team or Group Legal Counsel. If you require further information contact the Data Protection Team or Group Legal Counsel.

 

Contracts/Agreements

Document Type (Document Type (with examples)with examples) Retention Period
Contractual documents not executed as deeds
(Such as terms and conditions, hire agreements, supplier
agreements, NDAs, customer agreements.)
12 years
Contracts executed as deeds 18 years
Agreements relating to building work Permanent

 

General Records 

Document Type Retention Period
General Correspondence 7 Years
Telephone Recordings 3 months: Video Capture
1 year: Audio Capture
CCTV 30 days
Sales & Aftersales
(Such as deal files, vehicle records, vehicle order forms, quotations,
parts records, service records, time sheets, clock cards.)
7 Years
Supply Chain (including OEM)
(Such as new supplier forms, due diligence questionnaires, rebate
records, supplier audit information and reports, supplier volume and
performance reports, supplier price lists and rates information,
supplier evaluation documents)
12 Years
Employer’s liability insurance policy records noting insurers, policy
period and policy number
Permanent
Public and product liability insurance policy records noting insurers,
policy period and policy number
Permanent
Public and product liability claims 12 years
Insurance policy records (other than employers liability and public &
products liability)
12 years

 

Finance Records 

Document Type Retention Period
Finance
(Such as cashier records, office records, purchase documentation,
sales financial documentation, accounts records, reports, VAT
records, corporation tax records, cheques, bank statements and
reconciliations, funder reports, funder pricing records)
12 years
Nominal Ledgers Permanent
Fixed Assets For the life of the asset or 7 years whichever is longer

 

Customer Data

Document Type Retention Period
Personal & Business Customer Records
(Such as details of vehicles, customer records including service
records, fines, administration records, accident management
7 Years following the date of last activity on
the customer’s account
records (including driving licence checks), MOT and service
reminders and recall notices, customer enquiries, customer survey
results, customer reports, customer financial information relevant to
an agreement to purchase or lease (including bank details for
payment), contact information, customer marketing activity, CSI /
NPS reports.
Data relating to potential customers (prospects) 4 years after no contact from potential
customer
Customer road traffic / driving offences 7 years
Customer subject access requests, third party subject access
requests pertaining to customers and personal data breaches
relating to customers
7 years from date of request / breach
Customer complaints and litigation 7 years
Test Drive Documentation
(Copies of driving licences)
6 months following the date of the test drive
Verification Information relating to customer applications for
finance
(Such as proof of identification documentation).
Originals should be returned to the customer
immediately after use (if applicable). Copies
should not be retained once the verification
information has been passed to the relevant
finance house providing the quotation for
funding.
PPI claims and financial ombudsman PPI complaints 7 years
Customer motor claims 9 years
Compliance audits 7 years following vehicle sale

 

Property Records 

Document Type Retention Period
Title deeds Until sold or transferred
Leases 15 years after expiry/termination
Licenses 15 years after expiry/termination

 

Employment/ Pensions Records 

Document Type Retention Period
Unsuccessful Candidates
(Such as job applications, CVs and records of interviews, rejection
letters)
12 months after no activity on the account.
Personnel records
(Such as job applications, references, CVs, records of interviews,
offer letters, contracts of employment, right to work documentation,
working time regulations records, DBS, security clearances, flexible
working requests, travel and expenses records, training records,
performance reviews, records relating to salary reviews, bonuses,
compensation and promotions, disciplinary records, grievance
records, investigation records, medical reports (including
occupational health reports), sickness records, absence and leave
records (including maternity, paternity, child bereavement and
adoption leave, driving licence checks for employees and their
partners and motor vehicle checks) records relating to redundancy,
termination of employment and exit interview data.
7 years after end of employment
Employee benefits provision including childcare, Cycle to Work,
access to Showroom and Stars and car deductions
7 years from the end of the period for which the
company is required to make the return
Hotel bookings and travel reservations 4 years
Payroll and wages records
(Such as tax coding, tax and national insurance, P45, P60, P11d,
PAYE records, payslips, attachment of earnings, student loans, salary
sacrifice records)
7 years from the end of the period for which the
company is required to make the return
Bank details 3 months after end of employment
Emergency contact information 3 months after end of employment
Employee subject access requests, third party subject access
requests pertaining to employees and personal data breaches
relating to employees
7 years from date of request / breach
Pensions information Permanently
Insurance renewal of technicians’ tools 7 years from expiry of the policy
Current and ex-employee motor claims experience for purchasing
personal motor insurance
3 years
Employee motor claims 9 years
Employer’s liability claims 75 years
Insurance claims other than employer’s liability and public and
products liability
7 years
Equal opportunity monitoring information 7 years after end of employment

 

Health and Saftey and Accreditation

Document Type Retention Period
Statement of health and safety policy Life of the company
Accident book 21 years from the date of last entry
Health & Safety Records – Statutory or Serious Impact
(Such as health surveillance records (including exposure to
chemicals/hazardous substances), asbestos assessments, fire
maintenance log/fire risk assessment, asbestos records, medical
records under the Ionising Radiations Regulations 1999, health and
safety file CDM, major maintenance records, noise exposure and
noise surveillance,
Permanent
Health & Safety Records
(Such as Display Screen Equipment (DSE), food hygiene records, H&S
minutes, H&S policy documents, legionella testing records, PAT
testing, electrical fixed installation, risk assessments (activity based,
PUWER, COSHH, manual handling, fire ) fire protection equipment
annual checks (alarm testing and maintenances, fire extinguishers,
smoke and heat detector tests, emergency lighting tests (visual and
full discharge), fire stopping, fire drills), record of issue of PPE,
instruction manuals, controlled waste management, special waste
management – removal of waste, statutory checks for LOLER,
inspection and maintenance records – completion, air monitoring
exposure, LEV examination and testing, workplace inspections &
audit reports)
7 Years
Report of violent conduct at work 12 years
Fire equipment repair logs – Life of equipment
Safe System of Work Documentation/Permits to Work 4 years from cessation of the activity
Statutory Inspections Records 4 years from disposal of the equipment
Portable Electrical Equipment Examination Report 4 years from disposal of the equipment
ISO / Accreditation Documentation and Records 7 Years from expiry of the ISO or accreditation
expiry date

 

Company Records

Document Type Retention Period
Corporate Information
(Including incorporation documents, memorandum/articles of
association, register of directors, register of secretaries, register of
members, charges register, register of persons with significant control
copies of instruments creating registered charges, Board minutes,
written resolutions, minutes of shareholder meetings, Notices of
shareholder meetings)
Permanent
Business Information
(Such as strategic plans, company reports, company
communications and presentations, contract for purchase of own
shares, annual return, statutory forms/returns filed at Companies
House, cancelled share certificates)
Permanent
Stock transfer forms Permanent
Powers of attorney 12 years after ceasing to be valid
Notices of shareholder meetings 12 years or life of the company if notice
required in order to understand minutes of the
meeting

 

Who should I contact about data retention?

If you have a general query about data retention and/ or data protection or if you have any concerns that this Data Retention Policy is not being or has not been followed, please contact the Data Protection Team at [email protected] or Group Legal Counsel.

 

Employee Responsibility

All of our colleagues must comply with this policy and any document referenced in it. Failure to do so may expose Inchcape, and its employees to serious civil and/or criminal liability.

We take our data responsibilities very seriously and a wilful or reckless failure to comply with this policy may be regarded as an act of gross misconduct under our disciplinary procedure and may result in disciplinary action up to and including dismissal.

Document Control

Group Legal Counsel is the owner of this document and is responsible for ensuring that this Policy is regularly reviewed in line with the requirements of the GDPR and applicable data protection legislation.

This is version 2.0 of the Data Retention Policy and was approved in August 2022.