Document and Data Retention Policy


  1. Scope and Objectives

This policy sets out how data and documents, which are controlled or processed by Monarch College . and will be managed through retention, storage and disposal. This applies to all documents and data that Monarch possess, from creation to destruction, inclusive of whether the data or documents are printed, written on paper or stored electronically/digitally, regardless of whether the data or documents are personal, confidential, or any other type of data. Monarch College specific policy objectives are:

  • To ensure compliance with the General Data Protection Regulations 2018 and the Data Protection Act 1998
  • To protect Data Subject Rights
  • To prevent the storage of documents or data longer then is lawfully required
  • To ensure that retention schedules are consistent with what is stated when the data is gathered
  • To prevent unlawful or premature destruction of personal, corporate and other types of data
  • To promote good Records Management practices within
  1. Policy Statement

To provide the comprehensive range of services that Monarch College delivers, the retention, storage and disposal of data will be undertaken at appropriate times, with adequate methods to meet our legislative, regulative and any other significant obligations. Monarch College needs to process data and use documentation to be able to provide its services. This requires information to be stored in systems that enable it to honour contracts and service agreements. Monarch College will only hold data and documentation for as long as required and will deploy an effective review mechanism to ensure that this works in practice. Monarch College will ensure compliance with all necessary regulatory and legislative requirements regarding data and document retention, storage and disposal.

  1. Roles and Responsibilities

The Board are responsible for:

  • taking ownership of responsibility for data and document retention within Monarch College, and leading by
  • Regularly reviewing Monarch College’s data and document retention policy and data retention

The Audit and Risk Committee are responsible for:

  • monitoring the adherence to policy through regular reporting to the

The Director of IT is responsible for:

  • the security and maintenance of the IT Infrastructure and Cyber Security

Data Owners are responsible for taking reasonable measures to:

  • create and maintain the data retention schedule for their area
  • ensure data and documents are managed in line with their relevant data retention schedule
  • ensure data and documents are disposed of, and that disposal is appropriate for the type of data
  • appoint a data
  • ensure that logs are maintained for Special Categories of Personal Data within their Data Owners and their remits are detailed in the table below:

Data Owner Role


Head of Communications

Corporate related communication, websites, and images/footage.

Head of Development

Development documentation

Head of Finance

Financial  records  and  returns,  including  tax,  invoices,  journals,  and payment related information.

Head   of   Governance  and Legal

Documentation related to Procurement, Governance, Contracts, Board, Policy, and Legal correspondence and matters.

Head of Home Ownership

Leases  (current  and  former),  Deeds  of  Ownership,  and  Help  to  Buy Documents.

Head of Housing Operations

Tenancy and Applicant files (current and former), ASB cases, rent statements, tenant and  applicant correspondence, supporting information, CCTV images and call recordings.

Shared Ownership and Leaseholders (applicant, current and former) files, statements, correspondence and supporting information.

Head of Human Resources

Any item that is Employee (current, former and prospective) related

Head of Property Services

Property maintenance records, building control information and reports and professional opinions relating to property.

Head of Retirement Living

Tenancy and Applicant files (current and former), ASB cases, rent statements, tenant and applicant correspondence, including any support and risk documentation relating to the tenancies and support provided, CCTV images and call recordings. . Shared Ownership and Leaseholders (applicant, current and former) files, statements, correspondence and supporting information.

Head of Treasury

Business plans & supporting documentation, valuation, insurance (coverage and claims), funding (bonds, grant, loads), regulator returns and Ownership related documentation.

Health, Safety, Environment and Facilities Manager

Health and Safety records, vehicle MOT and registration.

Quality and Assurance Manager

Standards (e.g. ISO), audit, risk, project management related documentation

Data Stewards are responsible for:

  • day-to-day responsibility for ensuring compliance to the Data and Document Retention Policy and

The Data Protection Officer (DPO) is responsible for:

  • monitoring and  reporting  to  senior  management  on  data  and  document  retention  policy compliance
  • regular auditing of different business units to ensure compliance

All employees are responsible for:

  • working in accordance with data and document retention policies, procedures and
  1. Policy Details

Monarch College processes and stores a wide range of data and documentation. This includes, but is not limited to:

  • Handwritten notes
  • E-mails
  • Letters and correspondence
  • Invoices and financial statements
  • Proof of identification and medical information
  • Memory in mobile devices, computer hardware and backup
  • Computer programmes
  • Call Recordings/voicemail
  • Surveillance footage
  • Online postings on social media platforms or websites


This policy ensures that the periods identified in the Data and Document Retention Schedule are enforced and that documents or data are not prematurely destroyed.

Documents and data will be retained in secure locations and in the appropriate format to meet its purpose. Electronic copies will be minimised to a single copy where possible, with paper documents retained for legal or contractual purposes only.


Data and Documentation, whether paper or electronic, will be disposed of in line with the Schedules detailed in Monarch College’s Data and Document Retention Schedule. Monarch College will take every opportunity to automate the review and disposal process.

A record of document and data disposal will be retained to confirm the implementation of these guidelines.

Paper copies will be confidentially and securely destroyed with a certificate of destruction where practical. Digital, electronic or hardware containing data will be disposed of in co-ordination with the IT department aligned to National Archive guidelines.


 Monarch College will ensure that data is stored in a way that meets the principle of “Secure by Design”. Robust security protocols and safeguards will be applied regardless of storage type or location (e.g. paper, device, system).

Monarch College will seek to store as few copies of the same documentation and data as possible. The location of data and documentation storage will comply with the GDPR.


Where consent is required for the storage and processing of data, the withdrawal of consent will mean that data will be erased or returned. In the event that processing is solely reliant on consent, this Data Subject Right overrides this policy and Monarch College’s Data and Document Retention Schedule.


Monarch College will ensure that where data is shared with 3rd parties , they will follow Monarch College’s Data and Document Retention Policy. This will identify where data needs to be deleted or returned by the Data Processor. This will be enforced through legally binding contracts.

Where Monarch College are the Data Processor, we will comply with the Data Controllers Data Retention, Storage and Disposal  requirements where they are aligned  with our contractual, regulatory and legislative obligations. This will be defined in the pre-contract signing stage.

Monarch College will not share personally identifiable or personal information without a legally binding contract or regulatory/legal imperative.


Monarch College sometimes need to record calls and gather photographic images/recordings to fulfil our obligations.

  • Call Recording

 All calls that are handled through the Automatic Call Distribution (ACD) are recorded. Monarch College ensures that a clear welcome message details the purpose and usage of call recording. Calls will be automatically deleted after a period of 6 months. The retention period for specific calls may be extended based upon where callers have been abusive or problematic, or where complaints or legal claims have been received or are expected. The retention of all such calls will be reviewed monthly, and calls will be deleted where they are no longer required.

Monitoring of call recordings will be undertaken by authorised employees on a need to know basis to ensure policy adherence, meeting Monarch College’s obligations and for staff development.

Call recording files on the Call Recording system will not be copied, unless there is an overriding imperative to do so.

  • Closed Circuit Television (CCTV)

Monarch College utilises CCTV and photographic images for a variety of legitimate reasons including, but not limited to, prevention or detection of crime or disorder to identifying service needs (e.g. fly-tipping).

Before CCTV systems are installed, a CCTV Impact Assessment will be carried out. This will ensure the system is compliant with the GDPR. A master list of all CCTV systems is held by the Data Protection Officer.

CCTV recordings will be automatically deleted after a maximum of 6 months, unless there is an investigation, legal and/or regulatory requirement or request for the footage from a particular system. CCTV recordings will only be shared with 3rd parties in line with section 5.

  • Photographic images (excluding CCTV)

Monarch College employees are provided with devices, where required, that contain the ability to capture and store photographic images and video recordings. All Monarch College staff receive annual Data Protection training and will only take photographic images or recordings with people identifiable where necessary.

Employees must ensure that photographic images and recordings are held only as long as required by Monarch College’s Data and Document Retention Schedule. If the images or recordings are used in a form of corporate publication, a photographic consent form will be required before usage.


The GDPR identifies “Special Categories of Personal Data”. These merit special protection and a significant restriction of processing.

Monarch College will ensure that these are only gathered in line with our legal responsibilities or within the acceptable use of Special Categories of Personal Data identified within the GDPR.

Where Monarch College collects this information for a specific purpose this will be identified on logs so that all Special Category of Personal Data is tracked, monitored and deleted after it’s requirement. Monarch College will ensure that there are an appropriate number of logs to prevent unnecessary access to such data. This will be overseen by the Data Protection Officer.


For personal data, there are three exceptions to this policy

  • Consent has already been mentioned as an exception to this policy under section
  • Where data or documentation needs to be retained for establishment or defence of legal
  • User discretion over temporary data or This includes duplicates of originals also preliminary drafts of letters, spreadsheets, or informal notes that do not represent significant steps or decisions towards making official records.
  1. Regulatory and legal Considerations

General Data Protection Regulations 2018 Data Protection Act 1998

CCTV Code of Practice produced by ICO Human Rights Act 1998

Regulation of Investigatory Powers Act 2000

Telecommunications (Data Protection and Privacy) Regulations 1999 Protection of Freedoms Act 2012

Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000

  1. Monitoring, Reviews and Evaluation

The policy will be monitored by the Data Protection Officer. Regular reports to Monarch College’s Senior Management

will identify the compliance status for retention, storage and disposal.

  1. Associated Documents and Procedures

Data and Document Retention Schedule Data and Document Retention Protocol Data Protection Policy

Data Protection Impact Assessments CCTV Impact Assessment

Special Categories of Personal Data logs



Version 1




Head of Legal


Next review date


9 January 2022