Securely disposing of old documents that are no longer needed ensures legal compliance and makes practical sense. But which documents can you shred, and which do you need to keep?
When the new financial year rolls round, it’s only natural to think of clearing out all your old paperwork and stored documents. Anything you no longer need can be securely disposed of, freeing up storage space and ensuring you’re fully compliant with data protection law. But what exactly can you keep, and what is safe to shred?
By law, you must keep all client, employee and company data confidential, and failure to do so could land you with a hefty fine. That includes documents such as financial and accounting records, contracts, purchasing and sales documents, personnel files and insurance records.
However, there is variation in terms of how long you need to keep different types of record. The period begins as soon as the document ceases to be applicable, and depends on the type of document and the laws that cover it.
Company and financial records should be kept for six years after the end of the last company financial year they relate to. However, you should keep them for longer if they show a transaction covering more than one accounting period, or if they relate to an asset that might last longer than six years, such as machinery.
Under data protection law, any document through which you can identify a person or company is deemed confidential. In general, you shouldn’t keep personal data for longer than you need to, based on the purpose that you gathered it for in the first place. If you have a legitimate, relevant reason why you might need to refer to the data again in future, you can retain it. But you should not hang on to data ‘just in case’ – that is, so you can use it for some potential future purpose that has not yet been decided.
It’s important to remember that retaining personal data brings risks and obligations. The data could go out of date or become inaccurate. You must keep it securely, even if you’re not actively using it at the moment. And you must be willing and able to respond to subject access requests. The more data you hold, the greater the practical implications of these rules.
It’s good practice to set up your own standard retention periods, based on the legislation and your own business needs, so you don’t have to make individual, ad hoc decisions about each and every batch of data you hold. You’ll need a way to keep on top of what you hold and how long you’ve held it for, as well as a system for reviewing data and deciding when it can be disposed of.
So, what should you be shredding? Anything that you no longer need, or that’s gone beyond the minimum retention period, you can shred. Also, if you’ve digitised any documents through data entry or document scanning, you no longer need to retain the paper copies.
Looking beyond your own documents, you may also need to destroy unsolicited mail that includes personal details. Also, bear in mind that handwritten notes and photocopies of original documents can still contain confidential information, so these may also have to be destroyed.
When documents need to be destroyed, the disposal process must be carried out securely, from storage through to destruction. To discuss your data destruction requirements, please contact us.