DATA RETENTION & ERASURE POLICY

1. Policy Statement

Top Outsourcing Partners ("TOP", "we", "our", or "the Company") recognizes that effective data and records management is vital to fulfilling business objectives, meeting compliance standards, protecting personal data, and ensuring operational excellence.

This policy aligns with global best practices and aims to:

• Support structured and efficient business operations
• Ensure regulatory, statutory, and contractual compliance
• Protect sensitive and personal data through responsible handling
• Enable transparent and accountable document management
• Improve information flow and evidence-based decision-making

2. Purpose

This policy outlines TOP’s intent to implement structured, secure, and compliant management of data and records, both physical and digital. It governs how data is created, received, maintained, stored, and destroyed, ensuring its integrity and regulatory conformity.

3. Scope

This policy applies to:

• All permanent, temporary, contractual, and third-party staff
• Interns, volunteers, agents, and contractors
• All physical and electronic records maintained by TOP
• Operations conducted globally under TOP's name

Non-compliance may result in disciplinary action.

4. Legal Context (GDPR Alignment)

We collect personal data such as:

• Full names, addresses, DOB, ID numbers
• IP addresses, sensitive and financial data
• Employment details, communication records

The collection is lawful, necessary for business functions, and aligned with GDPR and other privacy laws.

5. Objectives

TOP ensures data and records are:

• Properly created and captured
• Stored securely
• Used responsibly
• Archived or destroyed based on classification and regulation

We emphasize compliance, data authenticity, controlled access, and robust documentation.

6. Guidelines & Procedures

6.1 Retention Period Protocol

We periodically review all retained data to assess:

• Purpose and lawful basis for storage
• Accuracy and relevance
• Type of data subject
• Retention obligations by law or contract

Movement and access logs are maintained. Destruction follows regulatory standards.

6.2 Designated Owners

Each system and record is assigned to an Information Asset Owner (IAO) who:

• Oversees data through its lifecycle
• Approves all access, review, and deletion
• Is listed on the central Retention Register

6.3 Document Classification

We classify all data into five levels:

• Unclassified: Low-value or temporary data with no sensitive content
• Public: Publicly available data with no confidentiality requirement
• Internal: Internal operational data with limited external exposure
• Personal: Personally identifiable data protected by law
• Confidential: High-risk, restricted data requiring strict handling

6.4 Suspension for Legal Holds

In the event of:

• Litigation
• Legal notice
• Investigation or audit

...record disposal is immediately suspended. A legal hold remains until resolution.

7. Expiration & Disposal

7.1 Post-Retention Actions

After a record reaches its end-of-life:

• It is deleted, archived, or anonymized per GDPR standards
• Any retention extensions are documented by the IAO

7.1.1 Paper Records

• Disposed securely via onsite shredding
• Confidential bins and shredders are available across all facilities

7.1.2 Electronic Records

• Deleted with assistance from the IT Department
• All media are wiped beyond recovery
• Disposal is logged by IAOs for audit trail compliance

7.1.3 Internal Correspondence

• Unless otherwise linked to a formal record, internal memos/emails:
• Are retained for a maximum of 2 years
• Are deleted/shredded once their use ends

8. Right to Erasure ("Right to be Forgotten")

Individuals may request data erasure under GDPR if:

• Data is no longer needed
• Consent is withdrawn
• Processing is unlawful
• There is no overriding legal basis

TOP will:

• Validate each request
• Fulfill deletion where applicable
• Inform the requester if deletion is not possible due to legal or operational obligations

8.1 Special Category Data

For sensitive data, TOP ensures:

• A documented retention policy is in place
• Erasure requests are reviewed by DPO, IT, and Department Heads
• Justification and safeguards follow Schedule 1, Part 4 of the UK Data Protection Bill

9. Compliance & Monitoring

• Regular internal audits are conducted
• IAOs must verify retention activity quarterly
• Monitoring ensures that expired records are disposed of and compliance is maintained

10. Roles & Responsibilities

• Heads of Departments: Enforce policy in their domain
• Information Asset Owners (IAOs): Maintain registers, authorize disposal
• DPO: Ensures compliance with data protection law
• Employees: Maintain accuracy and completeness of records they handle

Document Classification Levels