
Data Security & Data Retention Policy and Procedure

Neurotechnology

1. Policy Statement

At Thomas Charles Facilities & Maintenance, we are committed to protecting the confidentiality, integrity, and availability of all data handled within our organization. This policy outlines our approach to data security, retention, and disposal, ensuring compliance with relevant regulations, including the UK GDPR and Data Protection Act 2018.

2. Scope

This policy applies to:

·         All employees, contractors, and third parties handling company data.

·         All data collected, processed, stored, and disposed of by the organization.

·         Physical and digital data security measures across all business operations.

3. Data Security Measures

To ensure the protection of sensitive information, Thomas Charles Facilities & Maintenance enforces:

·         Access Controls – Data access is restricted to authorized personnel through password-protected systems and multi-factor authentication (MFA).

·         Encryption – Sensitive data is encrypted during transmission and storage to prevent unauthorized access.

·         Network Security – Firewalls, intrusion detection systems, and secure Wi-Fi protocols protect against cyber threats.

·         Physical Security – Servers, hard drives, and confidential documents are stored in secure locations with restricted access.

·         Regular Audits – Security protocols are routinely reviewed to identify vulnerabilities and enhance data protection measures.

4. Data Retention & Storage

To comply with legal, regulatory, and operational requirements, we adhere to the following data retention principles:

·         Personal Data – Retained only for as long as necessary to fulfill business or legal obligations.

·         Financial Records – Stored for a minimum of six years for compliance with tax regulations.

·         Employment Records – Retained for five years post-employment unless legally required for a longer duration.

·         Archived Data – Secured separately from active business records to prevent unauthorized access.

5. Data Disposal & Destruction

Secure disposal of outdated data minimizes the risk of breaches. Procedures include:

·         Physical Documents – Shredded or incinerated before disposal.

·         Digital Files – Permanently deleted using data-wiping software or physical destruction of hardware.

·         Third-Party Data Processing – Vendors must comply with secure disposal protocols aligned with our policies.

6. Responsibilities & Compliance

To ensure full adherence to data protection laws, responsibilities are assigned as follows:

·         Data Protection Officer (DPO) – Oversees implementation, compliance, and monitoring of security measures.

·         Managers – Ensure staff awareness and adherence to security policies.

·         Employees – Maintain confidentiality, report security breaches, and comply with data retention guidelines.

7. Incident Response & Breach Management

In the event of a data breach or unauthorized access, the following steps must be taken immediately:

1.      Detection & Reporting – Any suspected breach must be reported to the DPO or IT department without delay.

2.      Investigation & Containment – Security teams assess the breach scope and take corrective action.

3.      Regulatory Notification – If necessary, authorities (such as the Information Commissioner’s Office, ICO) will be informed within the legally required timeframes.

4.      Remediation Measures – Preventative actions, including staff training and security upgrades, will be implemented to reduce future risks.

8. Training & Awareness

All employees receive regular training on data security and retention policies, ensuring they understand:

·         Their responsibilities regarding confidential data.

·         How to handle and store sensitive information securely.

·         How to recognize and report cybersecurity threats.

9. Policy Review & Updates

This policy is reviewed annually to incorporate:

·         Legal and regulatory changes affecting data protection.

·         Advancements in cybersecurity best practices.

·         Operational improvements in data handling and storage procedures.

10. Policy Accessibility

This policy is available to all employees via the HR department or internal data security portals.
