Data Retention Policy

Request / Remove my details
Please fill out the contact form below to request to view the data we hold on you or to request it is deleted. We will only use the data entered in the form to help you with your enquiry. For more details please see our Data Retention Erasure Policy.

    1. POLICY STATEMENT

    HSQE Consultancy Group, hereinafter referred to as the “Company”, recognises that the efficient management of its Data and records is necessary to support its core business functions, to comply with its legal, statutory, and regulatory obligations, to ensure the Protection of Personal information and to enable the effective management of the Organisation. This Policy and related documents meet the standards and expectations set out by contractual and legal requirements and have been developed to meet the best practices of business records management, with the aim of ensuring a structured approach to document control.

    Effective and adequate records and Data management is necessary to:

    • Ensure that the business conducts itself in a structured, efficient, and accountable manner.
    • Ensure that the business realises best value through improvements in the quality and flow of information and greater coordination of records and storage systems.
    • Support core business functions and provide evidence of conduct and the appropriate maintenance of systems, tools, resources, and processes.
    • Meet legislative, statutory, and regulatory requirements.
    • Deliver services to, and protect the interests of, employees, clients, and stakeholders in a consistent and equitable manner.
    • Assist in document Policy formation and managerial decision making.
    • Provide continuity in the event of a disaster or security breach.
    • Protect Personal information and Data subject rights.
    • Avoid inaccurate or misleading Data and minimise risks to Personal information.
    • Erase Data in accordance with the legislative and regulatory requirements.

    Information held for longer than is necessary carries additional risk and cost and can breach Data Protection rules and principles. The Company only ever retains records and information for legitimate or legal business reasons and always complies fully with the Data Protection Laws, guidance, and best practice.

    2. PURPOSE
    The purpose of this document is to provide the Company’s statement of intent on how it provides a structured and compliant Data and records management system. We define ‘records’ as all documents, regardless of the format, which facilitate business activities, and are thereafter retained to provide evidence of transactions and functions. Such records may be created, received, or maintained in hard copy or in an electronic format. Records management is defined overall as the field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use, distribution, storage, and disposal of records.
    3. SCOPE
    This Policy applies to all Staff within the Company (meaning permanent, fixed term, and temporary Staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns, and agents engaged with the Company in the UK or overseas). Adherence to this Policy is mandatory and non-compliance could lead to disciplinary action.
    4. PERSONAL INFORMATION AND DATA PROTECTION
    The Company needs to collect Personal information about the people we employ, work with, or have a business relationship with, to carry out our everyday business functions and activities effectively and compliantly, and to provide the products and services defined by our business type. This information can include (but is not limited to) name, address, email address, date of birth, IP address, identification number, private and confidential information, sensitive information, and bank details. In addition, we may occasionally be required to collect and use certain types of Personal information to comply with the requirements of the law and/or regulations; however, we are committed to collecting, processing, storing and destroying all information in accordance with the General Data Protection Regulation, UK Data Protection law and any other associated legal or regulatory body rules or codes of conduct that apply to our business and/or the information we process and store. Our Data Retention Policy and processes comply fully with the GDPR’s fifth Article 5 principle: Personal Data shall be kept in a form which permits identification of Data subjects for no longer than is necessary for the purposes for which the Personal Data are processed; Personal Data may be stored for longer periods insofar as the Personal Data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the Data subject (‘storage limitation’).
    5. OBJECTIVES

    A record is information, regardless of media, created, received, and maintained which evidences the development of, and compliance with, regulatory requirements, business practices, legal policies, financial transactions, administrative activities, business decisions or agreed actions. It is the Company’s objective to implement the necessary records management procedures and systems which assess and manage the following processes:

    • The creation and capture of records.
    • Compliance with legal, regulatory, and contractual requirements.
    • The storage of records.
    • The Protection of record integrity and authenticity.
    • The use of records and the information contained therein.
    • The security of records.
    • Access to and disposal of records.

    Records contain information that is a unique and invaluable resource to the Company and are an important operational asset. A systematic approach to the management of our records is essential to protect and preserve the information contained in them, as well as the individuals such information refers to. Records are also pivotal in the documentation and evidence of all business functions and activities. The Company’s objectives and principles in relation to Data Retention are to:

    • Ensure that the Company conducts itself in an orderly, efficient, and accountable manner.
    • Support core business functions and provide evidence of compliant retention, erasure, and destruction.
    • Develop and maintain an effective and adequate records management program to ensure effective archiving, review, and destruction of information.
    • Retain Personal information only for as long as is necessary.
    • Comply with the relevant Data Protection regulation, legislation, and any contractual obligations.
    • Ensure the safe and secure disposal of confidential Data and information assets.
    • Ensure that records and documents are retained for the legal, contractual, and regulatory period stated in accordance with each body’s rules or terms.
    • Ensure that no document is retained for longer than is legally or contractually allowed.
    • Mitigate against risks or breaches in relation to confidential information.
    6. GUIDELINES & PROCEDURES

    7. EXPIRATION OF RETENTION PERIOD

    Once a record or Data has reached its designated retention period date, the designated owner should refer to the retention register for the action to be taken. Not all Data or records are expected to be deleted upon expiration; sometimes it is sufficient to anonymise the Data in accordance with the GDPR requirements or to archive records for a further period.

    7.1 DESTRUCTION AND DISPOSAL OF RECORDS & DATA

    All information of a confidential or sensitive nature on paper, card, microfiche or electronic media MUST be securely destroyed when it is no longer required. This ensures compliance with the Data Protection Laws and the duty of confidentiality we owe to our employees, clients and customers.

    The Company is committed to the secure and safe disposal of any confidential waste and information assets in accordance with our contractual and legal obligations, and to doing so in an ethical and compliant manner. We confirm that our approach and procedures comply with the Laws and provisions made in the General Data Protection Regulation (GDPR) and that Staff are trained and advised accordingly on the procedures and controls in place.

    7.1.1 PAPER RECORDS

    Due to the nature of our business, the Company retains paper-based Personal information and as such, has a duty to ensure that it is disposed of in a secure, confidential and compliant manner. The Company utilises Onsite to dispose of all paper materials. Employee shredding machines and confidential waste sacks are made available throughout the building and where we use a service provider for large disposals, regular collections take place to ensure that confidential Data is disposed of appropriately.

    7.1.2 ELECTRONIC & IT RECORDS AND SYSTEMS

    The Company uses numerous systems, computers and technology equipment in the running of our business. From time to time, such assets MUST be disposed of and, due to the information held on them whilst they are active, this disposal is handled in an ethical and secure manner.

    The deletion of electronic records MUST be organised in conjunction with the IT Department, who will ensure the removal of all Data from the medium so that it cannot be reconstructed. When records or Data files are identified for disposal, their details MUST be provided to the designated owner to maintain an effective and up-to-date register of destroyed records.

    Only the IT Department can authorise the disposal of any IT equipment and they MUST accept and authorise such assets from the department personally. Where possible, information is wiped from the equipment through use of software and formatting; however, this can still leave imprints or Personal information that is accessible and so we also comply with the secure disposal of all assets.

    In all disposal instances, the IT Department MUST complete a disposal form and confirm successful deletion and destruction of each asset. This MUST also include a valid certificate of disposal from the service provider removing the formatted or shredded asset. Once disposal has occurred, the IT Department is responsible for liaising with the Information Asset Owner and updating the Information Asset Register for the asset that has been removed.

    It is the explicit responsibility of the asset owner and IT Department to ensure that all relevant Data has been sufficiently removed from the IT device and backed up before requesting disposal and/or prior to the scheduled pickup.

    7.1.3 INTERNAL CORRESPONDENCE AND GENERAL MEMORANDA

    Unless otherwise stated in this Policy or the retention periods register, correspondence and internal memoranda should be retained for the same period as the document to which they pertain or support (i.e. where a memo pertains to a contract or Personal file, the relevant retention period and filing should be observed). Where correspondence or memoranda do not pertain to any document that has already been assigned a retention period, they should be deleted or shredded once the purpose and usefulness of the content ceases or at a maximum, 2 years.

    Examples of correspondence and routine memoranda include (but are not limited to):

    • Internal emails.
    • Meeting notes and agendas.
    • General inquiries and replies.
    • Letters, notes or emails of inconsequential subject matter.
    8. ERASURE

    In specific circumstances, Data subjects have the right to request that their Personal Data is erased; however, the Company recognises that this is not an absolute ‘right to be forgotten’. Data subjects only have a right to have Personal Data erased and to prevent processing if one of the below conditions applies:

    • Where the Personal Data is no longer necessary in relation to the purpose for which it was originally collected/processed.
    • When the individual withdraws consent.
    • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
    • The Personal Data was unlawfully processed.
    • The Personal Data MUST be erased to comply with a legal obligation.
    • The Personal Data is processed in relation to the offer of information society services to a child.

    Where one of the above conditions applies and the Company receives a request to erase Data, we first ensure that no other legal obligation or legitimate interest applies. If we are confident that the Data subject has the right to have their Data erased, this is carried out by the Data Protection Officer in conjunction with any department manager and the IT team to ensure that all Data relating to that individual has been erased.

    These measures enable us to comply with a Data subject’s right to erasure, whereby an individual can request the deletion or removal of Personal Data where there is no compelling reason for its continued processing. Whilst our standard procedures already remove Data that is no longer necessary, we still follow a dedicated process for erasure requests to ensure that all rights are complied with, and that no Data has been retained for longer than is needed.

    Where we receive a request to erase and/or remove Personal information from a Data subject, the below process is followed:

    • The request is allocated to the Data Protection Officer and recorded on the Erasure Request Register.
    • The DPO locates all Personal information relating to the Data subject and reviews it to see if it is still being processed and is still necessary for the legal basis and purpose it was originally intended.
    • The request is reviewed to ensure it complies with one or more of the grounds for erasure:
        • the Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
        • the Data subject has withdrawn consent on which the processing is based and where there is no other legal ground for the processing.
        • the Data subject objects to the processing and there are no overriding legitimate grounds for the processing.
        • the Personal Data has been unlawfully processed.
        • the Personal Data MUST be erased for compliance with a legal obligation.
        • the Personal Data has been collected in relation to the offer of information society services to a child.
    • If the erasure request complies with one of the above grounds, the Data is erased within 30 days of the request being received.
    • The DPO writes to the Data subject and notifies them in writing that the right to erasure has been granted and provides details of the information erased and the date of erasure.

    Where the Company has made any of the Personal Data public and erasure is granted, we will take every reasonable step and measure to remove public references, links, and copies of Data and to contact related controllers and/or processors and inform them of the Data subject’s request to erase such Personal Data.

    If for any reason we are unable to act in response to a request for erasure, we always provide a written explanation to the individual and inform them of their right to complain to the Supervisory Authority and to a judicial remedy. Such refusals to erase Data include:

    • Exercising the right of freedom of expression and information.
    • Compliance with a legal obligation for the performance of a task carried out in the public interest.
    • For reasons of public interest in public health.
    • For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing.
    • For the establishment, exercise, or defence of legal claims.

    8.1 SPECIAL CATEGORY DATA

    In accordance with GDPR requirements and Schedule 1 Part 4 of The Data Protection Bill, organisations are required to have and maintain appropriate Policy documents and safeguarding measures for the retention and erasure of special categories of Personal Data and criminal convictions, etc. Our methods and measures for destroying and erasing Data are noted in this Policy and apply to all forms of records and Personal Data, as noted on our retention register schedule.

    9. COMPLIANCE AND MONITORING
    The Company is committed to ensuring continued compliance with this Policy and any associated legislation and undertakes regular audits and monitoring of our records, their management, archiving and retention. Information asset owners are tasked with ensuring the continued compliance and review of records and Data within their remit.
    10. RESPONSIBILITIES
    Heads of departments and information asset owners have overall responsibility for the management of records and Data generated by their departments’ activities, namely, to ensure that the records created, received, and controlled within the purview of their department, and the systems (electronic or otherwise) and procedures they adopt, are managed in a way which meets the aims of this Policy. Where a DPO has been designated, they MUST be involved in any Data retention processes, and records of all archiving and destruction MUST be retained. Individual employees MUST ensure that the records for which they are responsible are complete and accurate records of their activities, and that they are maintained and disposed of in accordance with the Company’s protocols.
    11. RETENTION PERIODS
    Section 12 of this Policy contains our regulatory, statutory, and business retention periods and the subsequent actions upon reaching those dates. Where no defined or legal period exists for a record, the default standard retention period is 6 years plus the current year (referred to as 6 years + 1).