Data Retention Policy
- 1. Purpose
The purpose of this Data Retention Policy is to establish clear guidelines for the retention, storage, and disposal of data within Quality Waste. This policy ensures that the company complies with legal, regulatory, and operational requirements, minimises data-related risks, reduces storage costs, and protects sensitive information.
- 2. Scope
This policy applies to all data, whether in electronic or physical form, that is created, received, and maintained by Quality Waste. It covers all employees, contractors, vendors, and third-party service providers who handle company data.
- 3. Definitions
- Data: Any information that is created, received, maintained, or transmitted by Quality Waste, including but not limited to emails, documents, records, databases, and physical files.
- Personal Data: Any information relating to an identified or identifiable natural person, including names, contact information, identification numbers, and other data linked to an individual.
- Retention Period: The length of time that data must be retained before it can be securely disposed of.
- Disposal: The process of securely destroying data that is no longer required, so that unauthorised access to it is prevented.
- 4. Data Classification
Data shall be classified based on its sensitivity and importance, as follows:
- Confidential Data: Includes personal data, financial information, intellectual property, and other sensitive information that must be protected from unauthorised access.
- Internal Data: Non-confidential data intended for internal use only, such as internal reports, meeting minutes, and project documentation.
- Public Data: Data that is intended for public release and has no restrictions on access, such as marketing materials, press releases, and public reports.
- 5. Retention Periods
Retention periods for different categories of data shall be determined based on legal, regulatory, and operational requirements. The following general guidelines apply:
- Confidential Data: Retained for the minimum period required by law or as long as necessary for business operations, typically 5-7 years.
- Internal Data: Retained for 3-5 years, depending on the nature and relevance of the data.
- Public Data: Retained as long as it is relevant or useful for the company, typically 1-3 years.
Specific retention periods for various types of data are detailed in Quality Waste’s Data Retention Schedule, which should be consulted for precise guidelines.
- 6. Storage and Access
- Storage Locations: Data must be stored in secure, approved locations, including company servers, cloud storage services, or physical archives.
- Access Control: Access to data must be restricted based on the classification of the data. Confidential data must be accessible only to authorised personnel who require it for their work.
- Encryption: Sensitive and confidential data should be encrypted both in transit and at rest to protect it from unauthorised access.
- 7. Data Disposal
When data reaches the end of its retention period or is no longer needed, it must be securely disposed of to prevent unauthorised access. The following methods should be used:
- Electronic Data: Deleted from all storage locations, including backups, and securely overwritten where necessary.
- Physical Data: Shredded, incinerated, or otherwise destroyed so that it cannot be reconstructed or read.
- Data Disposal Records: Maintain records of disposed data, including the date, method of disposal, and the person responsible for the process.
- 8. Legal and Regulatory Compliance
Quality Waste must comply with all applicable laws and regulations concerning data retention and disposal. This includes, but is not limited to:
- General Data Protection Regulation (GDPR): Requires that personal data is not retained longer than necessary and mandates the right to erasure.
Any changes in relevant laws or regulations will prompt a review and update of this policy.
- 9. Responsibilities
- Data Protection Officer (DPO): Responsible for overseeing the implementation of this policy, ensuring compliance with legal requirements, and managing data disposal processes.
- IT Department: Responsible for implementing technical measures for data retention, storage, and secure disposal, and ensuring that data is encrypted and access-controlled.
- Employees: Responsible for adhering to this policy, classifying data correctly, and ensuring that data is stored and disposed of according to the guidelines.
- 10. Monitoring and Review
- Monitoring: Regular audits will be conducted to ensure compliance with this Data Retention Policy and identify any areas for improvement.
- Review: This policy will be reviewed annually or as needed based on changes in legal, regulatory, or business requirements.
- 11. Training and Awareness
All employees will receive regular training on data retention and disposal best practices to ensure they understand their responsibilities under this policy.
- 12. Consequences of Non-Compliance
Failure to comply with this Data Retention Policy may result in disciplinary action, including termination of employment or contracts. Non-compliance may also lead to legal penalties if it results in a breach of legal or regulatory obligations.
---
This policy is a crucial component of Quality Waste's commitment to maintaining data security and compliance with all applicable laws. Regular updates and training will ensure its continued effectiveness.