Data Retention & Disposal Policy

Last Updated On 26-September-2025
Effective Date 26-September-2025

1. Purpose

This Data Retention & Disposal Policy sets out how long Calibre Audio retains different categories of personal data and the processes we follow to securely dispose of information when it is no longer required.

The purpose of this policy is to:

  • Comply with the UK GDPR and Data Protection Act 2018 (storage limitation principle).

  • Meet statutory and regulatory requirements (e.g. HMRC for Gift Aid).

  • Ensure data is not kept for longer than necessary.

  • Reduce risks of unauthorised access or misuse of data.

  • Ensure compliance with ICO guidance on retention and destruction of information.

2. Principles

  • Necessity: We only keep data for as long as required for the purpose it was collected.

  • Transparency: Retention rules are communicated in our Privacy Policy.

  • Security: Data awaiting deletion is held securely and access is restricted.

  • Disposal: When retention periods expire, data is securely deleted, anonymised, or shredded (for physical records).

  • Review: Retention periods are reviewed annually or sooner if legal requirements change.

  • Accountability: We maintain a record of destruction for key classes of records so we can demonstrate compliance.

3. Roles and responsibilities

  • Board of Trustees: ultimate accountability for compliance.

  • Chief Operating Officer (Data Protection Lead): responsible for implementing and monitoring this policy.

  • Department Managers: ensure staff follow retention rules for data within their areas.

  • All staff and volunteers: must comply with this policy when handling personal data.

4. Retention schedule

5. Secure disposal

  • Electronic records: securely deleted from systems; backups are overwritten on cycle.

  • Paper records: cross-shredded or disposed of via an approved confidential waste provider.

  • Third parties: must confirm secure deletion when data is processed on our behalf.

  • Destruction logs: kept for key classes of records (e.g. member files, staff files, safeguarding records) to evidence compliance.

6. Exceptions and legal holds

  • Where data is required for an ongoing legal, regulatory, safeguarding, or information request, retention will be extended until the matter is resolved.

  • If an FOI, EIR or data subject access request is received, deletion of relevant information will be delayed until the request is answered.

  • Deleting information deliberately to prevent disclosure may constitute an offence (e.g. under FOIA Section 77).

7. Monitoring and review

  • This policy is reviewed annually by the COO (Data Protection Lead).

  • Compliance audits will include checks on adherence to retention schedules and disposal practices.

  • Exceptions must be documented and approved by the COO.