darren davies

Taclus Guide to Shredding Part 1

Each fortnight, for 10 weeks we will be publishing our Taclus guide to shredding, providing you with answers to the questions you didn’t even know you needed to ask. We hope this will help you ensure that you are meeting all data protection regulations, limiting your exposure to fraud and creating a safe and secure office environment. Darren, one of our drivers pictured above, is ready, willing and able to load bags of paper, hard drives and other confidential waste onto our van for shredding back at our paper shredding site. Alternatively, we can bring our big mobile shredding truck to you. So, buckle up, here is Part 1:

What do I need to shred? What documents need to be shredded?

There is no one-size-fits-all answer to the question how long I need to keep records or documents for, but at Taclus Confidential we are here to steer you in the right direction.

The answer depends in part of what type of organisation you are, what sort of document you are talking about, and also what the need to keep the data is based upon. 

For example, some legal documents (wills, for instance) can be kept indefinitely, schools have a multitude of different timelines depending on the type of document (e.g. child protection documents have to be kept for over 25 years), and special rules apply to local government.

That said, for most businesses the answer is more straightforward.  For finance matters, you need to keep records for at least five years after submitting a tax return.  We’ve included a table below listing the most common types of business documents and how long they need to be kept for.

Finance DocumentationMinimum time to keep
Annual accounts, including profit and loss.Six years
Bank statements and paying-in slipsSix years
Cash books and account books.Six years
Sales and purchase invoices.Six years
Credit notes.Six years
Order and delivery notes.Six years
Records of daily takings.Six years
Sales and purchase documents relating to dealings with EC Member States.Six years
Other documentation relating to imports and exports.Six years
Documentation relating to any special VAT treatment.Six years
Business correspondenceSix years
Staff Records
Accident Books and ReportsThree years from the date of the last entry
Income Tax & NI ReturnsThree years after the end of the financial year to which they relate
Medical RecordsRelated to Asbestos, Hazardous substances and biological tests 40 years from the date of last entry
Medical examination CertificatesFour years from the date of issue
Statutory Maternity PayThree years after the end of the tax year in which the maternity period ends
Wage/Salary records plus overtime and expensesSix years
National Minimum WageThree years after the end of the pay reference period
Records relating to working hoursTwo years from the date on which they were made

If you’re unsure about how exactly this issue relates to your business, please get in touch on 029 2030 3717 or enquiries@tacusconfidential.co.uk

How long am I allowed to keep documents for?

Once you’ve worked out how long you’re required to keep various different types of document: how do you work out how long you are allowed to keep documents for, if you wanted to hold on to them for longer than the law requires?

For purely financial documents, there is no limit.  But, if the document can be used to identify a living individual, the new Data Protection Act Applies.

When GDPR (now part of the Data Protection Act 2018) came into force, it changed the way organisations are allowed to hold data.  There are six lawful bases to hold information:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

There are lots of ways that these bases can apply, if you’re unsure there is a lot of help on the Information Commissioner’s website https://ico.org.uk/

There is no fixed period for holding data, but when deciding the purpose for holding it part of the process should be deciding how long you need to keep any personal data for.  Once you’ve decided that, you should have a system with a review date for records and documents and a process for deleting or destroying the records after that date if they are no longer needed.

If you’re unsure about how exactly this issue relates to your business, please get in touch on 029 2030 3717 or enquiries@tacusconfidential.co.uk

David Lovatt, Director