Data Retention Policy
Version: 1.0
Effective Date: 11/12/2025
Review Date: 11/12/2026
1. Purpose
This policy sets out how Mendip Community Transport manages the retention and disposal of personal data in line with the UK GDPR, the Data Protection Act 2018, and other applicable laws. Its aim is to ensure data is kept only for as long as necessary and securely deleted or anonymised when no longer required.
2. Scope
This policy applies to:
- All employees, contractors, and third parties handling personal data on behalf of Mendip Community Transport.
- All personal data processed in any format (paper, electronic, audio, video).
3. Principles
We will:
- Retain personal data only for the minimum period necessary.
- Regularly review and securely dispose of data that is no longer needed.
- Keep records of retention periods and disposal actions.
4. Retention Schedule (Example)
| Data Category | Retention Period | Disposal Method |
|--------------------------------|---------------------------|-------------------------|
| Employee records | 6 years after leaving | Secure shredding / deletion |
| Customer account details | 6 years after last activity| Secure deletion / anonymisation |
| Financial records (invoices, receipts) | 6 years (per HMRC rules) | Secure shredding / deletion |
| Marketing consent records | Until consent withdrawn + 2 years | Secure deletion |
5. Disposal Methods
- Paper records: Cross-cut shredding or secure disposal service.
- Electronic files: Permanent deletion using secure erase tools.
- Physical media: Destruction by certified disposal provider.
6. Roles & Responsibilities
- Data Protection Officer (DPO): Oversees compliance and approves retention schedules.
- Managers: Ensure staff follow retention rules in their departments.
- All Staff: Follow this policy and report any issues to the DPO.
7. Review & Updates
This policy will be reviewed annually or sooner if legal or operational changes occur.
