To shred or not to shred, that is the question?

Why is Data Protection relevant to record retention?

Data protection legislation demands that, as a general principle, personal data should not be kept for longer than necessary. The word “necessary” covers your statutory and legal requirements to retain information – but do you need it longer than your statutory requirements? There is a vast array of legislation, regulation and guidance to be considered and unfortunately, the rule of thumb of ‘keep it for six years’ won’t always be sufficient.

What constitutes records?

An important issue is identifying what “records” are required to be kept. From our experience, records include anything which supports the business relationship, including any correspondence on matters and transactions specific to the company.  This could be quite voluminous in some situations but if there is an obligation to keep them, then you need to keep paying for the archiving!

What are your regulatory obligations?

A licenceholder has clear regulatory guidelines set out in the Financial Services Rule Book 2016 (the “Rule Book”) which requires a licenceholder to keep and maintain proper records to show and explain transactions by and on behalf of its clients for six years after the date of the transaction. Six years seems simple enough; however this is only the starting point. The length of time documents have to be kept differs depending on the entity and how the business relationship has ceased. For example, a company incorporated under the Isle of Man Companies Act 2006 which has been dissolved or struck off, must retain its records for 18 years!

Where does anti-money laundering come into this?

Alongside the Rule Book, certain types of businesses are also obligated to comply with the Anti-Money Laundering and Countering the Financing of Terrorism Code 2015 (the “Code”) which requires a regulated person to retain customer identification records, as well as records of all transactions undertaken with, or on behalf of, a client during the period of the business relationship and for at least five years from the termination of the relationship. Don’t shred too quickly!

What if I am not a regulated entity?

If you are not regulated by the Isle of Man Financial Services Authority (“FSA”), where do you start? The simple answer is the relevant applicable statute. For example, a company incorporated under the Companies Acts 1931 – 2004 is required to keep accounting records for three years from the date on which such records were made in accordance with section 1(9), Companies Act 1982. There are lots more requirements to be taken into account though so if you need further advice, let us know and we can point you in the right direction.

Do I have to keep all the paper records? What about the trees?

A frequently asked question is whether records can be maintained solely in electronic form. There is no hard and fast rule; ultimately it is a matter of commercial expediency as to whether or not to choose to destroy all paper records. We cannot find any mandatory provisions that would prevent records being stored solely in electronic form; however, we would expect original customer identification documents to be kept in hard copy form.

Don’t forget, if you are thinking of going ‘paper light’, take precautions to guard against falsification of records and ensure all electronic records can be reproduced in a format that is acceptable to the Court.

When might paper records be relevant?

Where litigation is foreseeable, we would recommend that regardless of any document retention policy, you should seek further legal advice before destroying any documents that may be relevant to the anticipated claim(s).

In view of archiving costs and in preparation for GDPR, more and more firms are beginning to consider document retention at board level, particularly when the risks of holding documents that should have been destroyed are taken into account.  Whilst it might be your proudest moment to be able to lay your hands on a lease from 1864, the Information Commissioner might take quite a different view if you no longer need to have it.

 

For further assistance on any aspect of document retention, please contact Kirsten Middleton.  Our GDPR team would also be happy to help with any aspect of your preparations for the new regulation.

The guidance in this note is for information purposes only and is not intended to be exhaustive. It is not intended to constitute legal or other professional advice, and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances. DQ shall accept no responsibility for any errors, omissions or misleading statements or for any loss which may arise from reliance on the information in this note.