Retention of Records Procedure 

1.        Scope


ICNARC’s information assets and any information assets owned by a third party that ICNARC supports.

All ICNARC’s records are subject to the retention requirements of this procedure.

2.        Responsibilities


2.1      All Employees of ICNARC have specific compliance responsibilities.

2.2      The Information Security Manager is responsible for software and system audits.

2.3       The Senior Management Team (SMT) is responsible for retention of records.

3.        Procedure

3.1      Legal, statutory and other requirements – General

3.1.1       The Senior Management Team retain a list of applicable statutory and regulatory requirements relevant to the company’s information systems. The Senior Management Team reviews this list annually, updating as appropriate and ensuring that any activities undertaken do not contravene any of the prevailing regulations and statutes. Appropriate staff training and awareness is provided as necessary.

3.1.2       ICNARC will protect its own and other parties' intellectual property through control of access to information and the proper licensing of information and software.

3.1.3       ICNARC ensures that it has licences for all proprietary software that is installed on ICNARC information assets and maintains and monitors a software licence register.

3.1.4       ICNARC trains Employees to recognise and deal appropriately with IPR, and monitors compliance.


3.2      Copyright


3.2.1       Copying (including duplicating and any other variant of the copying concept) of anything (whether document, digital asset, software, or anything else) other than in line with UK copyright law is explicitly forbidden.

3.2.2       Software and other third-party copyrighted items may only be obtained through legitimate suppliers, and only on the basis that the software or copyright licence terms will be complied with, including as to numbers of users/basis of sale, etc. ICNARC will maintain a software and copyright asset register together with copies of software licences, etc. From time to time, internal audits will be carried out to ensure no unlicensed software has been installed and that the maximum number of user licences has not been exceeded.

3.2.3       ICNARC’s copyright ownership of documents (including, drawings, charts, etc., owned or originated by ICNARC, or contributed to or originated by third parties under contract to ICNARC, including contractors, teleworkers and Employees during their employment) should be established through contracts.

3.2.4       ICNARC’s copyright ownership of software (including code, code contributions, applications, etc., owned or originated by ICNARC, or contributed to or originated by third parties under contract to ICNARC, including contractors, volunteers, associates and staff during their employment) should be established through contracts.

3.2.5       ICNARC will ensure that it complies with all legal requirements relating to copyrights.

3.2.6       Any use of unlicensed and improperly obtained software or unauthorised use of proprietary information, whether belonging to ICNARC or a third party, is strictly prohibited and will be treated as a serious disciplinary breach.


3.3      Trademarks


3.3.1       Management will identify where it is appropriate for ICNARC to register trademarks.

3.3.2       All trademarks, whether or not registered, are listed and these will be managed by the Senior Management Team.

3.3.3       The Board of Management will take appropriate action, including legal action where necessary, to protect its trademarks from infringement.


3.4      Data protection and privacy

See DSP DOC 01-1.2.1b Data Protection and Confidentiality Policy.

3.5      Record retention

3.5.1      The retention periods, by record category, are below, the retention periods will often vary depending on the specific contract or regulations associate with a specific record:


Record category

Retention period


HR record

Minimum 6 years

Managing Director (MD)


Finance data


Head of Finance and Resources


Customer data


Head of Data and Business Technology


Incident documents

Minimum 7 years

Senior Information Risk Owner (SIRO)


Property lease documents


Head of Finance and Resources


Third-party contracts and agreements


Head of Finance and Resources


Tax records


Head of Finance and Resources


Internal audit records


Information Security Manager


Management review records


Information Security Manager


Health and care records

The specific retention requirements for health and care records are listed in the Records Management Code of Practice for Health and Social Care 2016 in its detailed retention schedule (This document is updated regularly).


3.5.2        The DPO is responsible for destroying data once it has reached the end of the retention period.  Destruction must be completed within 90 days of the planned retention period.

3.5.3        ICNARC uses audit tools for system audits and Head of Data and Business Technology is responsible for protection of information system audit tools.

Document owner and approval

The Information Security Manager is the owner of this document and is responsible for ensuring that this procedure is reviewed in line with the review requirements of the DSP Toolkit.

A current version of this document is available to all members of staff on the Huddle and Confluence (internal link http://jira:8090/x/xoKV

This procedure was approved by the Senior Information Risk Owner