In its everyday operations, Boxing Futures Ltd. (“Boxing Futures”, “we”, “us”, “our” and “the Charity”) collects and stores records of many types and in a variety of different formats. This Data Retention Policy & Schedule (“Policy”) sets the required retention periods for specified categories of data and sets out the minimum standards to be applied when destroying certain information within the Charity.
The records may also include personal data, which is any type of information relating to a living, identifiable individual. More information on personal data and on Boxing Future’s responsibilities can be found in our Privacy Policy and Data Protection Handling Policy.
Boxing Futures is responsible for the protection of the data, which is in its possession and which it processes, using controls appropriate to the sensitivity of the data involved, including its retention and disposal. This Policy explains our requirements to retain data and to dispose of data and provides guidance on appropriate data handling and disposal. Failure to comply with this Policy can expose us to fines and penalties, adverse publicity, difficulties in providing evidence when we need it and in running our business.
This Policy applies to all divisions, processes, and organisations in all areas in which the Charity operates and has dealings or other business relationships with third parties. This Policy applies to all trustees, employees, volunteers, contractors, consultants, advisors, or service providers that may collect, process, or have access to data (including personal data and / or sensitive personal data). It is the responsibility of all the above to familiarise themselves with this Policy and ensure adequate compliance with it.
This Policy applies to all data that we hold or have control over. This includes physical data such as hard copy documents, contracts, notebooks, letters and invoices. It also includes electronic data such as emails, electronic documents, audio and video recordings, data generated by physical access control systems and CCTV recordings. It applies to both personal data and non-personal data. In this Policy we refer to this information and these records collectively as “data”.
• UK GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
• Data Protection Act 2018
• Boxing Future’s Data Protection Handling Policy
• Boxing Future’s Privacy Policy
• Boxing Futures Storage, Handling, Use, Retention & Disposal of Disclosures & Disclosure Information Policy
3.1 Retention General Principles
A number of key general principles are in place that should be adopted when considering record retention and disposal. These are:
• Records should be retained in compliance with all applicable legal, regulatory and contractual requirements;
• Records should not be retained for a period longer than what is required;
• The protection of records in terms of their confidentiality, integrity and availability must be in accordance with their security classification;
• Records should remain retrievable in line with business requirements at all times;
• At the end of their lifecycle, records should be properly disposed.
In the event, for any category of documents not specifically defined elsewhere in this Policy (and within the Data Retention Schedule) and unless otherwise mandated differently by applicable law, the required retention period for such document will be deemed to be 3 years from the date of creation of the document.
3.2 Retention General Schedule
The Data Protection Officer defines the time-period for which the data should be retained through the Data Retention Schedule. As an exemption, retention periods within the Data Retention Schedule can be prolonged in cases such as; ongoing investigations from any law enforcement agencies, if there is a chance records of personal data are needed by the Charity to prove compliance with any legal requirements; and/or when exercising legal rights in cases of lawsuits or similar court proceeding recognised under local law; and / or as otherwise required by law.
3.3 Safeguarding of Data during Retention Period
The possibility that data media used for archiving will wear out shall be considered. If electronic storage media are chosen, any procedures and systems ensuring that the information can be accessed during the retention period (both with respect to the information carrier and the readability of formats) shall also be stored in order to safeguard the data against loss as a result of future technological changes. The responsibility for the storage falls on the Data Protection Officer.
3.4 Destruction of Data
The Charity and its employees should therefore, on a regular basis, review all data, whether held electronically on their device or on paper, to decide whether to destroy or delete any data once the purpose for which those documents were created is no longer relevant. See Appendix for the Retention Schedule. Overall responsibility for the destruction of data falls to the Data Protection Officer.
Once the decision is made to dispose according to the Retention Schedule, the data should be deleted, shredded or otherwise destroyed in accordance with their level as defined in section 4.2 below and their level of confidentiality. The method of disposal varies and is dependent upon the nature of the document. For example, any documents that contain sensitive or confidential information (and particularly sensitive personal data) must be disposed of as confidential waste and be subject to secure electronic deletion; some expired or superseded contracts may only warrant in-house shredding. The Document Disposal Schedule section below defines the mode of disposal.
The specific deletion or destruction process may be carried out either by an employee or by an internal or external service provider that the Data Protection Officer subcontracts for this purpose. Any applicable general provisions under relevant data protection laws and the Charity’s Data Protection Handling and Privacy Policy shall be complied with.
Appropriate controls shall be in place that prevent the permanent loss of essential information of the Charity because of malicious or unintentional destruction of information – these controls are described in the Charity’s IT Security Policy.
The Data Protection Officer shall fully document and approve the destruction process. The applicable statutory requirements for the destruction of information, particularly requirements under applicable data protection laws, shall be fully observed.
3.5 Breach, Enforcement and Compliance
The Data Protection Officer has the responsibility to ensure that each of the Charity’s workplaces complies with this Policy. It is also the responsibility of the Data Protection Officer to assist with enquiries from any local data protection or governmental authority.
Any suspicion of a breach of this policy must be reported immediately to the Data Protection Officer at info@boxing-futures.org.uk. All instances of suspected breaches of the policy shall be investigated and action taken as appropriate.
Failure to comply with this Policy may result in adverse consequences, including, but not limited to, loss of customer confidence, litigation and loss of competitive advantage, financial loss and damage to the Charity’s reputation, personal injury, harm, or loss. Non-compliance with this Policy by permanent, temporary or contract employees, or any third parties, who have been granted access to Charity premises or information, may therefore result in disciplinary proceedings or termination of their employment or contract. Such non-compliance may also lead to legal action against the parties involved in such activities.
4.1. Routine Disposal Schedule
Records which may be routinely destroyed unless subject to an on-going legal or regulatory inquiry are as follows:
• Announcements and notices of day-to-day meetings and other events including acceptances and apologies.
• Requests for ordinary information such as travel directions.
• Reservations for internal meetings without charges / external costs.
• Transmission documents such as letters, e-mail messages, routing slips, compliments slips and similar items that accompany documents but do not add any value.
• Message slips.
• Superseded address list, distribution lists etc.
• Duplicate documents such as CC and FYI copies, unaltered drafts, snapshot printouts or extracts from databases and day files.
• Stock in-house publications which are obsolete or superseded; and
• Trade magazines, vendor catalogues, flyers and newsletters from vendors or other external organizations.
In all cases, disposal is subject to any disclosure requirements which may exist in the context of litigation.
4.2. Destruction Method
Level 1 documents are those that contain information that is of the highest security and confidentiality and those that include any personal data. These documents shall be disposed of as confidential waste (crosscut shredded) and shall be subject to secure electronic deletion.
Disposal of these documents should include proof of destruction.
Level 2 documents are proprietary documents that contain confidential information such as parties’ names, signatures, and addresses, or which could be used by third parties to commit fraud, but which do not contain any personal data. The documents should be cross-cut shredded and disposed of; electronic documents will be subject to secure electronic deletion.
Level 3 documents are those that do not contain any confidential information or personal data and are published Charity documents. These should be strip-shredded or disposed of through a recycling Charity and include, among other things, advertisements, catalogues, flyers, and newsletters. These may be disposed of without an audit trail.
Record Name | Storage Location | Person Responsible for storage | Controls for record protection | Retention time |
Data Retention Schedule | Boxing Futures Microsoft One Drive | Data Protection Officer | Only Authorized persons can access the document | Permanently |
This document is valid as of 1st May 2024.
The owner of this document is the Data Protection Officer who must check and, if necessary, update the document at least once a year. If you have any questions about this Policy please contact info@boxing-futures.org.uk.
This policy was approved on 1st May 2024.
Review date: May 2025.
Financial Records
Record category | Retention period | Record owner |
Payroll records | 7 years after audit | Finance |
Supplier contracts | 7 years after contract ends | Finance |
Chart of Accounts | Permanent | Finance |
Fiscal Policies and Procedures | Permanent | Finance |
Permanent Audits | Permanent | Finance |
Financial statements | Permanent | Finance |
General Ledger | Permanent | Finance |
Investment records | 7 years | Finance |
Invoices | 7 years | Finance |
Cancelled cheques | 2 years | Finance |
Bank deposit slips | 2 years | Finance |
Business expenses documents | 7 years | Finance |
Cheque registers/books | 2 years | Finance |
Property/asset inventories | 7 years | Finance |
Credit card receipts | 3 years | Finance |
Petty cash receipts/documents | 3 years | Finance |
Business Records
Record category | Retention period | Record owner |
Articles of Incorporation | Permanent | Finance |
Board policies | Permanent | Finance |
Board meeting minutes | Permanent | Finance |
Tax or employee identification number designation | Permanent | Finance |
Office and team meeting minutes | Permanent | Finance |
Annual corporate filings | Permanent | Finance |
HR: Employee Records
Contracts
Record category | Retention period | Record owner |
Signed employment contracts, related correspondence and other supporting documentation | 3 years following end of employment | Finance |
Contract amendments | 3 years following end of employment | Finance |
Successful tender documents | 6 years | Finance |
Contractors’ reports | Permanent | Finance |
Operation and monitoring, e.g. complaints | Permanent | Finance |
Customer Data
Record category | Retention period | Record owner |
Screen recordings from support session | Automatically deleted after 90 days | Support |
CRM data – inclusive of name, email address, mobile number, address, emails and phone call summaries, DPO information | Retained whilst organisation remains a customer or deleted by user. Once an organisation requests all records to be deleted, data will be removed from the back-ups within one month, unless the request is a data subject access request in which case the personal data will be removed in compliance with the data protection law. | Support |
Metrics data | Retained whilst organisation remains a customer or deleted by user. Once an organisation requests all records to be deleted, data will be anonymized. | Development Team |
Non-Customer Data
Record category | Retention period | Record owner |
Name, email address | Kept until person unsubscribes / requests to be removed from system | Marketing & Sales |
Call recordings | Automatically deleted after 6 months | Sales |
IT
Record category | Retention period | Record owner |
Recycle Bins | As required | Individual employee |
Downloads | As required | Individual employee |
Inbox | As required | Individual employee |
Deleted Emails | As required | Individual employee |
Personal Network Drive | As Required | Individual employee |
Local Drives & files | As required | Individual employee |
Google Drives, drop box | As required | Individual employee |
If you have any questions about this policy, please contact us:
Or you can contact us about our Code of Conduct Policy here:
CONTACT USThis website is owned and operated by Boxing Futures Ltd
We are a charity registered in United Kingdom No.1162086
Our registered office is:
Anzo Group, 25 Golden Square, London W1F 9LU
Cookie | Type | Duration | Description |
---|---|---|---|
_ga Google | Third party | 1 day | Google Analytics tag used to distinguish one user from another. |
_gat Google | Third party | 1 minute | Google Analytics tag. Sometimes appears as _dc_gtm_<property-id> .Google Analytics tag. Sometimes appears as _dc_gtm_<property-id> . |
_gid Google | Third party | 2 years | Google Analytics tag used to distinguish one user from another. |