RMG00000090
RMGo00000090
IM05 — Records
Royal Mail Group
Retention Policy
Requirements for the retention and disposal of Royal Mail Group’s
business records in compliance with its legal and regulatory obligations
1. Introduction
2. Overview / Purpose
Scope
Technical / Legislative Requirements
Supporting Policies
Policy Statement
SF eo Fe
Disposal
9. Where to go for Further Information
10. Related Information
11. Ownership and Review
VERSION 1.0 — 25 September 2013
Records Retention and Disposal Requirements
Accountability for Records Retention and
Getting Help
Please contact the Group
Records Manager if you
have any queries about
this Policy.
Group Records Manager
Royal Mail Sheffield
Pond Street
Sheffield
$98 6HR
Page 1 of 4
RMG00000090
RMG00000090
1. Introduction This Records Retention Policy sets out requirements for the retention and
disposal of Royal Mail Group’s business records in compliance with its legal and
regulatory obligations. These include its legal obligations under the Data
Protection Act 1998 and Public Records Act 1958.
2. Overview / The purpose of this Policy is to specify Royal Mail Group’s requirements for the
Purpose retention and disposal of records of information produced or held in the course
of its business.
Forming part of this Policy is a set of ‘Retention Schedules’, which set out
detailed requirements for the retention and disposal of various records held by
Royal Mail Group. Royal Mail Group will keep the Retention Schedules up-to-
date to reflect any changes in law or regulation, and to meet its operational and
business requirements.
This Policy is one of a set of policies and processes which support Royal Mail
Group’s Information Management Policy (IM01). As well as complying with this
Policy, and its related guidance, please read the Information Management Policy
(IMO1).
13. Scope For the purposes of this Policy, Royal Mail Group includes Parcelforce
Worldwide. All subsidiaries and joint ventures of Royal Mail Group Ltd, including
General Logistics Systems B.V. or GmbH & Co. OHG, will have their own
equivalent policies.
This Policy applies to Royal Mail Group, partner organisations and all employees,
casuals, agents, interims, agency workers, contractors and sub-contractors,
collectively referred to as ‘Information Users’, that work with or for these
entities in handling business records.
A ‘business record’ is any record of information held by Royal Mail Group,
irrespective of medium, format, location or content. This includes employee
records, customer records, administrative records (financial & accounting,
complaints handling etc.), whether paper files, electronic documents,
correspondence, databases, web pages, audio and video media and e-mails.
The Policy is effective from 25 September 2013.
4. Technical / Royal Mail Group has produced this Policy as part of its compliance with
Legislative management of information, as described under section 46 (records
Requirements Management) of the Lord Chancellor’s Code of Practice. This Policy also
addresses Royal Mail Group’s obligations under privacy and data protection
laws, including the EU Data Protection Directive (95/46/EC) and Privacy and
Electronic Communications Directive (2002/58/EC), as implemented in the UK by
the Data Protection Act 1998 and Privacy and Electronic Communications (EC
Directive) Regulations 2003, and other applicable local laws.
VERSION 1.0 — 25 September 2013 Page 2 of 4
RMG00000090
RMG00000090
5. Supporting Links to the other policies and guidance related to, or referred to in, this Policy
Policies can be found under ‘Related Information’ below.
6. Policy Statement All Business Units and functions must have a Retention Schedule.
Royal Mail Group will ensure that business records are retained and disposed of
in a manner that supports its business needs and complies with its legal and
regulatory obligations.
7. Records All Information Users are responsible for complying with the following
Retention and requirements:
Disposal
Requirements
¢ Information Users must retain and dispose of business records in accordance
with the Retention Schedules and the requirements set out in the
Information Security Classification Policy (ISECO3).
e Information Users must securely dispose of business records before their
retention period has passed, and in accordance with the relevant Retention
Schedule and Royal Mail Group’s Records and Information Disposal and
Destruction Policy (IM06), unless there is a clear, identifiable and continuing
need to keep them (for example, for legal or evidential purposes). Where
Business Units are holding records that have exceeded the retention review
date they should seek advice from the Group Records Manager.
¢ Records with historical value must be identified as such on the relevant
retention schedule, to be either offered to or transferred to the British Postal
Museum and Archive.
¢ Information Users must transfer business records with historical value to the
British Postal Museum and Archive as soon as they are no longer in active
use, or at the end of the retention review period. Business Units must not
transfer records without first consulting the Group Records Manager.
e If any Information User becomes aware of any conflict or difference between
this Policy and any legal or regulatory requirement of Royal Mail Group, they
must notify the Group Records Manager without delay (their contact details
are in the ‘Getting Help’ box on the front of this Policy).
e Where there is insufficient space to store records for long periods, records
that are no longer active but have not reached the retention review period,
can be transferred to Royal Mail’s external storage supplier. Please see the
“External Storage’ link in the Related Information section of this Policy.
8. Accountability Failing to comply with this Policy could cause Royal Mail Group to breach its
for Records legal and regulatory obligations. This could cause Royal Mail Group financial loss,
Retention and result in regulatory enforcement action and sanctions and damage Royal Mail
Disposal Group’s brand. Any breach of law or condition may also result in criminal
VERSION 1.0 — 25 September 2013 Page 3 of 4
RMG00000090
RMG00000090
prosecution or civil action where Royal Mail Group and individuals could be
liable.
All Information Users are responsible for complying with this Policy including
being aware of and complying with the requirements of the appropriate Records
Retention Schedules when handling records.
Business Unit Managing Directors (or equivalents) are responsible for
compliance with this Policy and the Records Retention Schedules relevant to
their Business Units.
Failure to comply with this Policy could result in disciplinary action.
9. Where to go for Please refer to the ‘Getting Help’ box on the front of this Policy if you require
Further information in relation to this Policy. Further information can also be found on
Information the Company Secretary’s website on the intranet.
10.Related Royal Mail Group Information Management Policy (IM01) — Royal Mail Group
Information Policy for managing information in accordance with legal and corporate
responsibilities.
Data Protection Policy (IM02) — sets out Royal Mail Group’s commitment to
collect, use and protect Personal Information in accordance with its legal and
corporate responsibilities.
Records and Information Disposal __and__Destruction Policy __(IM06) —
Requirements for the secure disposal or destruction of information waste in
compliance with Royal Mail Group’s legal and regulatory obligations.
Information Security Classification Policy (ISECO3) — outlines Royal Mail Group’s
classification scheme in relation to the confidentiality of information and
information systems.
Records and Information Intranet Page — provides further information on Royal
Mail Group’s Records and Information handling.
Keeping Records Guidance — explains why keeping employee records are
important to Royal Mail Group and what constitutes good record keeping.
11.Ownership and This document is owned by Royal Mail Group’s Company Secretary and is
Review managed and maintained on his behalf by the Group Information and Privacy
Team.
This Policy will be reviewed as deemed appropriate, but not less frequently than
on an annual basis.
Most recent review date: 25 September 2013
Next review date: 25 September 2014
VERSION 1.0 — 25 September 2013 Page 4 of 4