27 Jan 2009
In the eyes of the law, there is no difference between physical and electronic records; the same degree of stewardship must be applied to whatever format an organisation chooses to store its vital information. And there is no shortage of standards, rules and regulations that apply to the handling and retention of information.
To understand how to create a robust information management strategy, IT leaders must consider:
What are the key laws governing information management?
The main pieces of legislation that affect the retention of business information are: The Companies Act 1985 and 2006; the Limitation Act 1980; the Electronic Communications Act 2000; and various Finance Acts.
For personal information, the primary pieces of legislation are the Data Protection Act 1989 and the right to respect for personal privacy in the Human Rights Act 2000.
For organisations in the public sector, there are also specific requirements for dealing with public records and the Freedom of Information Act 2000 to consider.
However, there are other specific obligations, for example in relation to employee data or health and safety records, which may affect specialist businesses. There is also a multitude of “soft law” – the various codes of practice that apply in particular areas and can affect retention decisions.
Finally, there are non-statutory but still mandatory rules. For example, those businesses that operate in the financial services sector are subject to the rulings of the Financial Services Ombudsman under the Financial Services and Markets Act 2000 in which the FSA has set out the Principles for Business.
Can you explain the main legal drivers?
The main provisions of the Companies Act that are relevant to the issue of data retention are those concerned with the keeping of accounting records. Companies must keep accounting records that are sufficient to enable them to disclose, with reasonable accuracy, a company’s financial position at the time they are asked.
Company directors must ensure compliance with the Companies Act, and the accounting records have to be detailed enough for them to do so. The legislation dictates that the accounts must contain day-to-day entries of all sums of money received and expended by the company, and show all the assets and liabilities of the firm. There are additional requirements where the company’s business involves the sale or purchase of goods.
Accounting records must be kept for a period of three years from the date on which they are made for a private company and six years for a public company. In some cases there can be criminal penalties for failure to retain records. Under Section 450 of the Companies Act 1985, an officer of a company who destroys documents relating to the company’s property or affairs is guilty of an offence punishable by a fine and/or imprisonment unless they can show they had no intention of concealing the state of affairs of the company. These legal retention periods must therefore be built into a company’s document retention policy.
As a general rule, UK tax records must be kept for at least six years following the end of the accounting period to which they relate. The Income Tax (PAYE) Regulations 2003 require that documents such as wage sheets and deductions working sheets are kept for three years from the end of the tax year to which they relate.
Limitation periods should also be considered in relation to document retention. Limitation periods set out in the Limitation Act 1980 are the periods of time within which a party may bring an action in tort, contract or under a deed. While the Act does not dictate how long records must be kept, it is sensible to take this into account and consider when documents may be required as evidence when deciding how long to keep information.
It should be noted that it is inadvisable to define retention periods solely on the basis of limitation periods, as information may remain of business value long after the limitation period and in some instances claims may still be brought.
Parties to a contract may agree on specific provisions relating to data retention and covering many of the areas that have already been discussed. Although the contractual provisions should comply with the requirements of applicable legislation, outside of those requirements the parties will be free to agree on retention provisions that are most appropriate to the objectives of the agreement.
Companies should consider how long documents need to be kept for insurance purposes. It will, of course, be necessary to keep copies of insurance policies for the life of the policy and in many cases much longer, sometimes permanently (for example, employer’s liability insurance). However, companies should also consider what documents will be required as evidence for a claim. So, for example, if a company is being sued for professional negligence, it will be important for it to retain the letter of claim, to forward to its insurance company. The company should then consider the documents it may need to retain to assist in defending its position.
As mentioned above, there are a number of regulatory authorities that govern different industries and these all have their own rules and guidance on data retention. In some cases regulatory rules may require information to be retrieved and produced within a specified period and this should be factored into any document retention system. For example, the FSA Handbook states that insurance companies must keep copies of policy documents provided to customers for three years after the information has been provided and should consider longer retention periods.