Data Retention Policy
This is a Controlled Document
In line with Vaxa's governance framework, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.
| Version | Effective | Reviewed | Next review due |
|---|---|---|---|
| 1.0.0 | 2024-12-01 | 2024-12-01 | 2024-12-01 |
Purpose
The purpose of this Data Retention Policy is to ensure that Vaxa retains necessary data for business operations, legal obligations, and regulatory compliance. This policy aims to manage data efficiently, reduce storage costs, and minimise risks associated with unnecessary data retention.
Scope
This policy applies to all employees, contractors, and third-party partners of Vaxa who handle company data. It covers all types of data collected, stored, processed, or transmitted by Vaxa, including electronic and physical records.
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Management | Oversee policy implementation and compliance. |
| IT Department | Manage data storage, backups, and disposal. |
| Data Owners | Classify data and define retention periods. |
| All Staff | Follow data handling and retention guidelines. |
| Security Officer | Monitor compliance and conduct audits. |
Policy Statements, Standard, or Procedure
Data classification
- All data must be classified in accordance with our Data Classification Policy.
Retention periods
- Data is to be retained for 7 years, unless flagged for a different retention period based on its classification (see exceptions).
Data Disposal
- Upon expiration of the retention period, data must be securely disposed of.
- Disposal methods shall be complete, irreversible, and in compliance with data protection regulations regardless of the physical medium.
Legal and regulatory compliance
- Data shall be retained longer if required by law, regulation, or ongoing litigation.
- Data disposal shall be paused in case of legal holds until clearance is obtained under appropriate legal advice.
Third-party data
- Data received from clients or partners must be retained according to contractual agreements.
- Some contracts with clients may necessitate earlier or later data disposal than our standard retention period; this should be documented and adhered to.
Exceptions
Any exceptions to this policy must be documented and approved by the Security Officer. Requests for exceptions should outline the reasons and duration of the exception, as well as details of how it was implemented in our data storage systems.
Compliance & Monitoring
The Security Officer will conduct regular reviews to ensure adherence to this policy. Non-compliance may lead to disciplinary actions as per company guidelines.