Data Retention Policy

This policy applies to all parties whether independent company, employed or contracted staff with responsibility for the processing of personal data on or on behalf of the Facilitas Management Group.

The independent Groups and companies listed below are henceforth, in this document collectively referred to as “the company” or “Facilitas”

  • Noel Group
  • Broadline Group
  • Ascension Group
  • Skillsteam Group
  • Astoria Partnership Ltd
  • MatchMedics Ltd
  • Grabajob Ltd

Purpose

This document sets out the guidelines for retaining distinct types of personal data within the company. The policy applies to all personal data stored on company-owned, company-leased, and otherwise company-provided systems and media, regardless of location. These records may be created, received or maintained in hard copy or electronically.

Policy Statement

The retention of data by our company varies based on type of data, the data storage medium and the data storage location. It is our policy that data is deleted as quickly as possible once the purpose for which It was collected has been served and expired. However, the company must comply with various statutory responsibilities and obligations and therefore immediate deletion is not always achievable. This Data Retention Policy provides guidelines to ensure that all applicable regulations and rules on personal data retention are consistently applied throughout the organisation.

Reasons for data retention

Some personal data must be retained to protect the company’s interests, comply with regulatory requirements, preserve evidence, and generally conform to good business practices. Personal data may be retained for one or several of the following reasons:

  • Business requirements
  • Regulatory requirements
  • Possible litigation
  • Accident investigation
  • Security incident investigation
  • Intellectual property preservation

Retention Periods

Source of Obligation

Retention Period

Revenue Commissioners, Collector General, Companies

Acts legislative provisions

6 years rolling retention of records

Personal Injuries related records

Records are retained for a period of 3 years past the date of the cause of action unless it involves a minor, in which case the retention period will be up until 3 years after the minor reaches

the age of 18.

Breach of Contract related records

Records are retained 6 years from the date of the breach

Employment Agency Candidate for Interviews/Placements

Records

Candidate information is kept for a period of 1 year past the initial contact with the agency by the candidate unless the candidate

exercises their entitlement to a termination of processing.

Employment contract/terms of employment-related

information

Duration of the employment  this includes everything from the application form, interview notes, contract related, performance

appraisals, references

Organisation of Working Time – time sheets/holiday and public holiday records

National Minimum Wages Protection of Employment – Temporary Agency Workers, Part-Time Workers, Fixed Term Workers

Protection of Young Persons

3 years post the termination of the employment. Records kept are sufficient to show compliance with legal obligations in accordance with the statutory provisions.

Parental Leave Related

8 years – records kept show the dates when a qualifying employee availed of the parental leave and force majeure leave

provisions

Employment Equality

All records, including interviews and applications are kept for a

period of one year.

Health and Safety Records

All records relating to health and safety will be kept for a period of

10 years

Data Law Compliance

Records in relation to our compliance with Data Law and GDPR

will be kept for a five-year period.

Retention of encrypted data

If any information retained under this policy is stored in an encrypted format, considerations must be taken for secure storage of the encryption keys. Encryption keys must be retained as long as the data that the keys decrypt is retained.

Data duplication

We will endeavour to ensure that there is no duplication of data. In this regard, once candidate information is received by email, that information will be uploaded onto our Administration Management System and the originating email will be deleted. This will be the same for every instance in which that data is forwarded to an employer/client, the record of the processing will be kept in the Administration Management System, but the actual email will be deleted.

Data destruction

When the retention timeframe expires, we will actively destroy the data covered by this policy. Exceptions will only be made where there is a written application which has been given consideration by the company Data Protection Officer. Destruction will be verified by our IT contractors where it is soft copy information and certified by our shredding company where it is hard copy information.

Responsibilities

Compliance, Monitoring and Review

The Data Protection Office has the overall responsibility for ensuring compliance with the requirements of allappropriate legislation. All staff who deal with personal data are responsible for processing this data in fullcompliance with our relevant policies and procedures.

Reporting a Data Breach

In the case of possible data breach, the staff member(s) who first identifies the breach or incident, must immediately report all details of the incident to the Data Protection Officer.

The Data Protection Officer is required to report a personal data breach to the competent Data Protection Authority not later than 72 hours after becoming aware of it.

The notification must include at least:

  • a description of the nature of the breach, including, where possible, the categories and approximate number of data subjects and personal data records concerned;
  • the name and contact details of the relevant Data Protection Officer or contact point;
  • the likely consequences of the data breach; and
  • measures taken or proposed by the controller to address the breach and/or mitigate its effects.

Where a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject, theData Protection Officer must communicate the breach to the data subject(s) without undue delay. The communication must describe in clear and plain language, the nature of the breach and at least:

  • the name and contact details of the relevant Data Protection Officer or contact point;
  • the likely consequences of the data breach; and
  • measures taken or proposed by the controller to address the breach and/or mitigate its effects.

Records management

  • Staff must maintain all records relevant to administering this policy and procedure in electronic form in the company Administration Management System.
  • All records relevant to administering this policy and procedure will be maintained for a period of 5 years.

Terms and Definitions

General Data Protection Regulation: The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)

is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.

Data Controller: The entity that determines the purposes, conditions and means of the processing of personal data

Data Protection Officer (DPO): An expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR

Data Subject: a natural person whose personal data is processed by a controller or processor

Personal Data: any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person

Processing: any operation performed on personal data, whether automated or manual, including collection, use, recording, etc.

Data Backup: data copied to a second location, solely for safekeeping of that data

Data Encryption: the process of encoding data with an algorithm so that it is unintelligible and secure without the key. Used to protect data during transmission or while stored

Data Encryption Key: an alphanumeric series of characters that enables data to be encrypted and decrypted