Records retention and disposal policy
1. Overview
1.1 The Housing Ombudsman Service is an independent, impartial, and free service for social housing residents. We make the final decision on disputes between residents and landlords that are registered members of our Scheme - including tenants and leaseholders of social landlords (housing associations and local authorities), as well as for our voluntary members (private landlords and letting agents). We also work to strengthen internal complaints procedures and encourage landlords to learn from complaints to prevent service failures being repeated.
1.2 In its everyday business operations the Housing Ombudsman Service collects and stores records of many types and in a variety of different formats. The relative importance and sensitivity of these records also varies and is subject to the government’s security classification scheme. It is important that these records are protected from loss, destruction, falsification, unauthorised access and unauthorised release and a range of controls are used to ensure this, including backups, access control and encryption. The Housing Ombudsman Service also has a responsibility to ensure that it complies with all relevant legal, regulatory and contractual requirements in the collection, storage, retrieval and destruction of records, including those concerned with the protection of personal data.
1.3 The aim of this policy is to outline the Housing Ombudsman Service’s approach to managing the retention and secure disposal of our information in line with our business requirements and legal obligations.
2. Scope
2.1 This policy applies to all persons within the Housing Ombudsman Service (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the company). Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.
2.3 A record can be defined as ‘information created, received, and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business’.
The requirements outlined in this policy have been developed to provide a consistent approach to the retention and disposal of corporate information. This policy applies to all physical and digital information, regardless of storage location.
3. Roles and responsibilities
3.1 Information Governance team
The Information Governance (IG) team will monitor compliance with this policy and provide advice on retention and disposal matters. The IG Compliance and the IG Casework Managers will also provide staff with appropriate training/guidance so that they are able to comply with their responsibilities under this policy.
3.2 Senior Information Risk Officer (SIRO)
The Director of Finance, Procurement and Digital (FPD) occupies the position of SIRO. The role of the SIRO is to take ownership of the Housing Ombudsman Service's information risk, act as an advocate for information risk at board level and provide written advice to the Accounting Officer on the content of their annual governance statement of internal control regarding information risk. The SIRO owns the information incident management framework.
The Director of FPD is also responsible for the data architecture, infrastructure, security, applications, and IT services within the Housing Ombudsman Service. The Director of FPD, working with operational leads, has responsibility for the continued integrity of datasets, maintaining and enforcing application of policies and standards applicable to the system, and scrutinising the system, remaining alert, for example, to the creation of new dataset combinations which raise new challenges around privacy concerns and data retention and disposal.
3.3 Information Asset Owners (IAO)
Within the Housing Ombudsman Service, the Senior Leadership Team (SLT) are assigned specific responsibilities, as IAOs, in relation to management of all records created or acquired in their business areas. The IAO is a mandated role across government. The IAO role is to understand what information is held, what is added and what is removed, how information is moved, and who has access to it and why. As a result, they are able to understand and address risks to the information and ensure that information is fully used within the law for the public good. IAOs will provide written assurance to the SIRO and use of their asset annually to support the audit process. The IAO responsibilities also include implementation of this policy and overall regulatory compliance.
In accordance with the requirements outlined in this policy and the IAO Handbook, all IAOs are responsible for:
- ensuring that all assets under their control are following retention schedule rules
- ensuring adherence to the Retention and Disposal Schedule
- authorising the destruction of information when required
3.4 All colleagues
In accordance with this policy, all staff are responsible for managing, storing appropriately, and disposing of the information they create and receive as part of their normal daily business activities, including emails and working documents on personal drives, such as OneDrive.
Under the Civil Service Code all staff are responsible for keeping accurate public records and handling information as openly as possible within the legal framework for the Public Records Act and Section 46 Code of Records Management Practice. All staff should be familiar with the Records and Disposal Schedule appended to this policy.
4. General principles
4.1 There are various pieces of legislation which outline retention requirements. These include, but are not limited to:
- Freedom of Information Act 2000 – including the Code of Practice Section 46 (FOIA)
- the UK General Data Protection Regulations (the UK GDPR)
- Data Protection Act 2018 (DPA 18)
- Limitation Act 1980
- Inquiries Act 2005
4.2 There are several key general principles that must be adopted when considering record retention and protection policy. These are:
- records must be held in compliance with all applicable legal, regulatory and contractual requirements, including those related to privacy (for example the UK GDPR)
- records must not be held for any longer than required
- the protection of records in terms of their confidentiality, integrity and availability must be in accordance with their security classification
Records must always remain retrievable in line with business requirements.
5. Policy statements
5.1 Retention periods
5.1.1 The Retention and Disposal Schedule which forms part of this policy sets out the length of time that records should be retained and extends to all records identified in the Schedule, irrespective of the media on which they are created or held including:
- digital files (including databases, Word documents, spread sheets, webpages and emails)
- photographs and videotapes and audio recordings
- paper (although as a ‘paperless’ organisation, such records should be extremely limited)
5.1.2 Retention periods are determined based upon the nature of the information held, not the medium in which it is maintained. For example, information which is held in a digital format should only be retained for the same period as it would be kept if it was in paper form. However, it is not necessary to retain both paper and digital versions of the same record, nor to retain duplicate copies of records. Retention arrangements for digital records should ensure that they will remain complete, unaltered and accessible throughout the retention period.
5.1.3 Information held for longer than is necessary carries additional risk and cost. Records and information should only be retained when there is a business need to do so. Under UK GDPR and the DPA 2018 personal data processed by the Housing Ombudsman must not be retained for longer than is necessary for its lawful purpose.
5.1.4 The Housing Ombudsman retention periods are driven by legislation and/or business need. If there is no legally defined retention period for corporate information, it is the responsibility of the relevant IAO(s) to determine an appropriate retention period. The Information Governance team must agree the proposed retention period to ensure:
- retention triggers are clear and consistent
- retention periods are not excessively long and are consistent with the rest of the schedule
- the correct lawful basis for processing and retention has been identified
5.1.5 The Housing Ombudsman assigns clearly defined retention periods to our information to ensure it is kept for the appropriate length of time. Each retention period has three elements:
- trigger – the action which begins the retention period (such as ‘End of Financial Year’ or ‘Date of last significant action’)
- retention period – the length of time the information will be kept
- action – either ‘review’ or ‘destroy’
- If the action is ‘review’ the information must be reviewed to ensure it is no longer required before - outcomes of a review may be – dispose, mark for permanent preservation, or temporary extension to review again at a future date
- if the action is ‘destroy’, this means the information can be destroyed without being reviewed in line with procedure - IAO approval is not needed prior to destruction if the action is recorded as ‘destroy’
5.2 The Retention and Disposal Schedule
5.2.1 Our Retention and Disposal Schedule forms part of our Information Asset Register (IAR) and sets out our retention periods for specific information assets. Information must be kept for the length of time defined in the IAR unless there is a legal requirement to destroy it sooner.
5.2.2 Any proposed additions or changes to retention periods must be captured on the Information Asset Register Management Form and sent through to the Information Governance team. Significant changes will need to be signed off by the relevant IAO(s).
5.2.3 Updates to the IAR are recommended to be submitted regularly; however, all IAOs and IAMs will be required to complete a bi-annual or annual review of their information assets including their respective retention periods.
5.2.4 The IAR is reviewed on an annual basis by the Information Governance team with input from the Information Governance Steering Group. Any queries about the Schedule should be raised with the Information Governance team.
5.3 Routine data maintenance
5.3.1 Not all information we create has long-term value. Our Retention and Disposal Schedule does not include redundant, obsolete or trivial information. This should be destroyed periodically by each directorate as part of routine data maintenance. Approval or sign off to delete such information is not required. Such routine data maintenance does not apply to corporate records included in the Schedule, which should only be destroyed when they have reached the end of their retention period.
5.3.2 Redundant, obsolete or trivial information should be disposed of for 2 reasons:
- to ensure that we are not wasting money or space (either digital or physical) by storing irrelevant information
- to make the process of reviewing and appraising records easier. Sifting through low-value records makes this process more time consuming
5.3.4 Below are common examples of information which is usually of limited value once no longer in use and can be disposed of through routine maintenance. This should not be seen as an exhaustive list.
Drafts – Draft documents lose value and can become obsolete once a final version has been published. However, on some occasions where significant changes or deviation have taken place, a draft may be retained to show how the final decision was made.
Trivial emails – Outlook has an automated retention policy that retains emails for 12 months. Important emails which can be considered as information assets should be saved to shared spaces or relevant case management systems, to provide evidence of decisions made or action taken. Where the content of emails contains information with no long-term value, these can be left in personal inboxes for automatic disposal after 12 months. In the case of long email chains, once a conversation has reached a significant point, any earlier emails from this chain can be deleted.
Duplicates – We should not retain any duplications. Duplications can lead to multiple versions of information which can cause confusion.
Research material – Whether developing policy or preparing to give advice, research material may be created or collected such as notes or copies of guidance from external organisations. The value of this information decreases once the final version has been created.
5.4 Disposal
5.4.1 When records are no longer required by the organisation and do not have archival value they should be securely destroyed.
5.4.2 For any records on the schedule which have an action of ‘review’ recorded against them, records must be appropriately reviewed upon the retention deadline and must not be disposed of unless authorised by the relevant IAO. The IAO should consider the relevant information and decide whether it can be destroyed. If a high volume of information is being reviewed at once then this should be conducted at a macro level, for example not document by document. If the information is deemed to still be required, an appropriate further extension period, not exceeding the initial extension period, should be applied and the information should be reviewed again at the end of this extension. If the information is deemed to not be required any longer, a record or log containing what has been destroyed, when it was destroyed and the individual who authorised the destruction should be created and retained by the relevant IAO or on the relevant digital system as part of its audit logs.
5.4.3 Information should only be retained beyond its retention period in limited circumstances. When conducting a review, the following factors should be taken into account:
- is the information required to fulfil statutory or regulatory requirements
- is the information relevant to ongoing litigation/subject to a legal hold
- is the information the subject of an information request or does it relate to information recently disclosed in a response
- is retention required to evidence events in the case of a dispute
- is the information required for a Public Inquiry
- is there another demonstrable business need for retaining the information
5.4.4 For any records on the schedule which have an action of ‘destroy’ recorded against them, records can be appropriately disposed of upon the retention deadline in accordance with their security classification (if recorded) or with due regard to the level of sensitivity of their contents. Where possible, automated retention rules should be enabled in our digital systems to facilitate this.
5.4.5 A record should not be destroyed without verification that:
- no work is outstanding in respect of that record and it is no longer required by any department within the Housing Ombudsman
- the record does not relate to any current or pending complaint, review, investigation, dispute or litigation
- the record is unaffected by any current or pending request made under the Freedom of Information Act or Data Protection Act
5.4.6 Disposal should be carried out in a manner that preserves the confidentiality of the record. Confidential paper records (of which there should be few) should be placed in confidential waste bins and digital records will need to be fully deleted including back-ups. Deletions should be carried out by someone with appropriate access to the system from which they are being deleted. Digital documents should be deleted and not overwritten. A record will not be considered to be deleted unless all copies of the information are destroyed (both digital and physical).
5.4.7 The retention period must not be extended indefinitely. IAOs should contact the IG Casework or Compliance teams for advice if they still intend to keep the information after applying an initial extension period.
5.5 Legal holds
5.5.1 The Housing Ombudsman is responsible for ensuring that any information under a legal hold is identified. A legal hold is the process of preserving all forms of information relevant to legal proceedings. If a legal hold is in place there is a freeze on the destruction of any relevant material held by the organisation.
5.5.2 A legal hold might be required if information relates to a Public Inquiry or if it pertains to any litigation that the Housing Ombudsman is involved with, such as a dispute which is subject to review or judicial review. If colleagues are unsure whether information falls under a legal hold, they should contact the IG Casework or Compliance teams for advice.
5.5.3 When information falls under a legal hold it should be clearly marked as such so it is not accidentally included in any scheduled destruction.
5.5.4 Under the Inquiry Rules 2006 those responsible for public records have a duty to make arrangements for the selection of any and all information they hold which contains or may contain content as identified in relation to an investigation.
5.5.5 Following the closure of the inquiry, the information should be reviewed to determine how long it needs to be retained.