We owe a number of duties in relation to the retention and destruction of records, documents and information, in any format, which come into our possession or control or are produced in the course of business. We are committed to complying with those duties by retaining such data securely and ensuring that they are destroyed in a timely and secure manner.
“Documents” includes, but is not limited to:
- communications between us, our clients and third parties instructed on our clients’ behalf
- documents produced by us in order to achieve the objective of the retainer (for example, agreements or written representations)
- documents prepared by a third party during the course of the retainer (for example, opinions of counsel and experts' reports)
- attendance notes and internal memoranda
- time recordings
- drafts and working papers
- internal emails and correspondence created during the course of the retainer
- accounting records, including vouchers and instructions
“Deeds” means both deeds within the narrow legal meaning and also any other documents which must be stored in safes or strong rooms when we are not working with them.
“Information” includes, but is not limited to, “documents” and “records” as defined in this procedure, which may or may not include hard copy documents in any format and electronic documents in any format.
“Records” includes, but is not limited to:
- medical records
- personnel records
- occupational health records
- financial records
- educational records
- social care records
“Retention Period” – refer to our Retention Schedule.
We have legal and regulatory duties to retain records/documents for certain periods of time, for example under the Limitation Act 1980 and the Money Laundering Regulations 2017. We also have other retention obligations to our indemnity insurers, regulators, accreditation bodies and clients.
Balanced against this, the data protection legislation only permits us to retain information including or comprising personal data for as long as is necessary. There are also cost implications of retaining records/documents for any longer than required and/or retaining duplicate records/documents.
Records/documents must be stored, electronically and/or as hard copies, in accordance with this policy and our Sending, Handling and Storing Confidential Information Policy.
Our Retention Schedule provides guidance on retention periods. We will hold records/documents for all client matter types for a minimum of 7 years from the date of file closure, unless our contract with the client or relevant legislation says otherwise or the fee earner determines that a different period applies as per the Retention Schedules.
Clients are informed of our Retention & Destruction Policy in our Terms of Business.
We may exercise a lien over any records/documents in our possession until all fees, disbursements and other expenses are paid in respect of all matters we have carried out on the client’s behalf.
Hard copy records/documents storage
All hard copy records/documents must be entered on iCompli and must be stored in designated tambours across the offices and/or in accordance with Business Operations processes. Hard copy documents received from external sources must be scanned into the relevant electronic file on receipt and named so that they can be easily identified.
Hard copy records/documents which are rarely used, or records/documents which are no longer in active use but we need to retain, must be sent to our off-site storage provider by placing a collection request on iCompli.
Electronic records/documents storage
Electronic records/documents must be stored on the internal Filesite (iManage), the relevant content management system or BJ Access data room. Where records need to be retained offline on CDs, DVDs, magnetic discs or other removable media, these must be kept in an encrypted format and/or in a designated/controlled access location. Where we receive information in one of those formats it must be scanned into the relevant system/electronic file on receipt and named so that it can be easily identified.
Backup tapes (such as Tape, Disk, and Cartridge) must be stored at an authorised secure off-site archive facility whilst not in use.
Monthly, a full set of backup tapes will be retained at an authorised secure off-site archive facility for compliance, legal and regulatory purposes.
All backup servers, tape drives and backup tapes must be located in a physically secure location with an appropriate level of physical and environmental protection, including authorised access control.
The location of the authorised secure off-site archive facility will be of sufficient distance from our offices as to not be impacted or affected by natural disasters or man-made incidents at any of these offices. The best practice distance is 50 miles.
All laptops are encrypted as part of our standard build using BitLocker with TPM. If there is a requirement to use an external storage device, the device must be encrypted. Guidance on encryption and the secure transfer of data is provided to staff in our Sending, Handling & Storing Confidential Information Policy and our IT Encryption Procedure.
Backup media are encrypted in accordance with the Cryptography Policy and will be tested regularly, using the established restoration procedures, to ensure that both the media and the procedures are reliable. These testing arrangements shall be aligned to and support our business continuity arrangements.
Whenever possible, we do not retain original records and documents. We scan original records/documents and return them to the client or sender as soon as practicable, unless we have agreed to retain the originals. If we have agreed to retain original records/documents, such as deeds and original signed agreements, they must be stored in accordance with Business Operations processes.
Destruction of records/documents
The destruction of records/documents is an irreversible act. Many of the records we hold contain sensitive and/or confidential information and their destruction will be undertaken in secure locations and proof of secure destruction may be required. Destruction of all records, regardless of the media, must be conducted in a secure manner to ensure there are safeguards against accidental loss or disclosure.
All confidential papers that need to be disposed of should be placed into the confidential bins located around each floor/office. These bins are locked, and only opened when the waste is collected by our external provider. We do, however, retain copies of keys for these bins within each office in a secure key store/safe should a situation arise where an item is accidentally placed into the confidential bin.
Confidential waste collection
We outsource the collection and disposal of confidential waste through an external supplier governed by contractual terms that comply with our information security requirements. Our supplier is contracted to collect the contents of the confidential waste bins and destroy them on site, once a fortnight at each office location.
In the event that bins become full before the scheduled collection, additional collections can be organised via the Document Solutions Team.
Retrieval of items mistakenly placed in the confidential waste bins
There may be instances where individuals across the firm need to access the confidential waste bins to retrieve items disposed of in error. In such instances, the individual will contact the Document Solutions team leader or local floor captain, as applicable for their office, who will seek approval from a member of senior management. Out of hours requests will be directed to the Business Operations service desk for action as soon as someone is in the office.
Disposal of large quantities of confidential information
In the event that employees need to dispose of a large volume of confidential documents, please contact the Nottingham Document Solutions team (regardless of office) so that we can arrange for secure bags to be provided for disposal of the documents.
Keeping iCompli/records management data up to date
In the event that you place documents into the confidential waste bins that are recorded onto iCompli, please remember to delete any such items from iCompli.
Destruction of Electronic records/documents
Any media containing our data must be securely destroyed and proof of secure destruction obtained. Any hard drives from firm laptops, servers, desktop PCs or other equipment that the firm are returning to a supplier or re-selling must be removed from the device and securely destroyed by the firm’s chosen destruction third party.
Whilst it is our preference that the destruction of hard drives takes place on our premises, where this is not feasible the third party responsible for the destruction must provide a duty of care note to advise they will ensure the hard drives are securely transported to their premises. Once the destruction has taken place, a certificate must be obtained and retained for auditing purposes.
Items such as network switches and routers that contain network configuration pertaining to our infrastructure must be wiped by an authorised member of the IT team.
Third parties instructed by us during the course of our business (for example, counsel and medical experts) have their own obligations in relation to the retention and destruction of records/documents and our letters of instruction remind third parties of their obligations.