ACCOUNTSCO’S DATA RETENTION POLICY
1. Background
This Policy sets out our policies and obligations regarding the retention of personal data that we collect, hold, and process. This policy should be read in conjunction with our:
All of these can be found on the footer of our UK website www.accountsco.co.uk.
2. Information about us
AccountsCo is the trading name of PG&E Professional Services Ltd (the “Company”, “we”, “us” or “AccountsCo”). Details about AccountsCo can be found here.
3. Information about our Data Protection Officer
The Data Protection Officer shall be responsible for overseeing the implementation of this Policy and for monitoring compliance with this Policy, the Company’s other Data Protection-related policies (including, but not limited to, its Data Protection Policy), and with the Data Protection Legislation. Any questions regarding this Policy, the retention of personal data, or any other aspect of Data Protection Legislation compliance should be referred to the Data Protection Officer. Details of AccountsCo’s Data Protection Officer can be found here.
4. Client’s responsibility to keep records
We are a paperless business and we do not, except in exceptional circumstances, keep paper records or original documents. Most of the documents that we receive are in electronic form. When we receive documents in paper form our normal process is to electronically scan them and then to destroy the original.
It is our client’s responsibility to keep documents that they may need in order to meet their statutory and other obligations. This includes tax returns, accounts and advice letters, which we send to our clients in the course of our work. It also includes documents, workings and other information that our clients send to us.
5. Data retention periods
AccountsCo’s standard data retention period is 6 years + 1, defined as 6 years after the last change in a record followed by destruction to be carried out in the additional current (+1) year. If the record is not mentioned in the table below this period will apply. This and other data retention periods are shown in the table below.
Type of data | Purpose of data | Retention Period | Notes |
Client records, including: – Accounts – Tax returns (VAT, Corporation Tax, – Personal, Inheritance, Capital Gains, PAYE etc) – Working papers – Invoices – Bank statements – Other support | To keep a record of work done & submissions to Companies House, HMRC and other parties To be able to answer questions posed by clients & third parties To be able to demonstrate that work has been done properly | Trigger: the later of record creation or last change in record Retention: 6 years + 1 | This is in line with HMRC’s general data retention policy and broadly in line with the Institute of Chartered Accountants in England and Wales guidance |
e-mails | To keep a record of conversations | Trigger: email date Retention: 2 years | e-mails are archived after two years (and are stored off site) e-mails are deleted from the archive after 6 years |
Records relating to AccountsCo’s anti-money laundering (AML) and customer due diligence (KYC) purposes, including: – Passports – Bank statements – Driving licences – ID Cards – Utility bills – Other proofs of address – Other identity documents | To keep records for AML and KYC purposes To comply with AML & KYC rules and CCAB guidance | Trigger: Disengagement Retention: 5 years + 1 | This is in line with CCAB Anti-money laundering guidance for the accountancy sector |
Records relating to audits conducted by AccountsCo, including: – Accounts – Tax returns (VAT, Corporation Tax, – PAYE etc) – Working papers – Invoices – Bank statements – Other support | To keep records of audits To be able to demonstrate that work has been done properly To comply with the Audit Regulations | Trigger: End of accounting period Retention: 6 years + 1 | This is in line with Regulation 3.11 of the Audit Regulations |
Records relating to AccountsCo’s employees: – Payslips – P60s, P45s & other payroll documents Not contracts, important letters or reviews (see below) | To keep records of employment | Trigger: the later of record creation or last change in record Retention: 6 years + 1 | This is in line with HMRC’s general data retention policy |
Other documents, including: – Employment contracts – Employment reviews – Important letters – Insurance documents – Regulatory submissions & support – AccountsCo’s accounting records – Other records | To keep important records that may need to be referred to in the future | Indefinitely | AccountsCo retains certain records indefinitely, subject to periodic review |
Information retained on third party software (See, third party software) for a full list | To support accounts, tax returns and other submissions | See the web-site of the software provider | Retention of information on third party software is outside of the control of AccountsCo |
6. Data protection legislation
Data Protection Law. “Data Protection Law” means all applicable legislation in force from time to time in the United Kingdom applicable to data protection and privacy including, but not limited to, the UK GDPR, the Data Protection Act 2018 (and regulations made thereunder), and the Privacy and Electronic Communications Regulations 2003 as amended, and any successor legislation. You can read about Data Protection Law in our GDPR Policy.
Under the Data Protection Legislation, personal data shall be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. In certain cases, personal data may be stored for longer periods where that data is to be processed for archiving purposes that are in the public interest, for scientific or historical research, or for statistical purposes (subject to the implementation of the appropriate technical and organisational measures required by the Data Protection Legislation to protect that data).
In addition, the Data Protection Legislation includes the right to erasure or “the right to be forgotten”. Data subjects have the right to have their personal data erased (and to prevent the processing of that personal data) in the following circumstances:
- Where the personal data is no longer required for the purpose for which it was originally collected or processed (see above);
- When the data subject withdraws their consent;
- When the data subject objects to the processing of their personal data and the Company has no overriding legitimate interest;
- When the personal data is processed unlawfully (i.e. in breach of the Data Protection Legislation);When the personal data has to be erased to comply with a legal obligation; or
- Where the personal data is processed for the provision of information society services to a child.
This Policy sets out the type(s) of personal data held by the Company. the period(s) for which that personal data is to be retained, the criteria for establishing and reviewing such period(s), and when and how it is to be deleted or otherwise disposed of.
The Company retains personal information for the purposes of:
- the provision of accounting, tax, payroll and related services;
- keeping records to support accounts, tax, payroll and related submissions;
- meeting the Company’s anti-money laundering obligations; and
- demonstrating to regulators and other third parties, such as the Institute of Chartered Accountants of England & Wales that it has fulfilled its obligations.
For further information on other aspects of data protection and compliance with the Data Protection Legislation, please refer to the Company’s GDPR Policy.
7. Scope
This Policy applies to all personal data held by the Company and by third-party data processors processing personal data on the Company’s behalf. AccountsCo holds Personal data on various data systems. You can see a list of the data systems that we use here. AccountsCo is paperless and does not retain physical records.
8. Data subject rights and data integrity
All personal data held by the Company is held in accordance with the requirements of the Data Protection Legislation and data subjects’ rights thereunder, as set out in the Company’s GDPR Policy.
Data subjects are kept fully informed of their rights, of what personal data the Company holds about them, how that personal data is used and how long the Company will hold that personal data (or, if no fixed retention period can be determined, the criteria by which the retention of the data will be determined).
Data subjects are given control over their personal data held by the Company including the right to have incorrect data rectified, the right to request that their personal data be deleted or otherwise disposed of (notwithstanding the retention periods otherwise set by this Data Retention Policy), the right to restrict the Company’s use of their personal data and further rights as set out in the Company’s GDPR Policy.
9. Technical and organisational data security measures
The technical measures in place within the Company to protect the security of personal data are included within the Company’s Information Security Policy.
The organisational measures in place within the Company to protect the security of personal data are included within the Company’s Information Security Policy.
10. Data disposal
Upon the expiry of the data retention periods set out below in Part 4 of this Policy, or when a data subject exercises their right to have their personal data erased, personal data shall be deleted, destroyed, or otherwise disposed of as follows:
- Personal data stored electronically (including any and all backups thereof) shall be deleted;
- The Company does not store Personal data in paper or hardcopy form. Where hard copies, such as letters or correspondence, are received they are scanned and shredded or scanned and sent to the Date Subject concerned;
11. Data retention
As stated above, and as required by law, the Company shall not retain any personal data for any longer than is necessary in light of the purpose(s) for which that data is collected, held, and processed.
Different types of personal data, used for different purposes, will necessarily be retained for different periods (and its retention periodically reviewed), as set out below.
When establishing and/or reviewing retention periods, the following shall be taken into account:
- The guidance provided by the Institute of Chartered Accountants in England & Wales
- The requirements to maintain records as specified by HMRC;
- The usual needs of the data Subject;
- The objectives and requirements of the Company;
- The type of personal data in question;
- The purpose(s) for which the data in question is collected, held, and processed;
- The Company’s legal basis for collecting, holding, and processing that data; and
- The category or categories of data subject to whom the data relates.
If a precise retention period cannot be fixed for a particular type of data, criteria shall be established by which the retention of the data will be determined, thereby ensuring that the data in question, and the retention of that data, can be regularly reviewed against those criteria.
Notwithstanding the following defined retention periods, certain personal data may be deleted or otherwise disposed of prior to the expiry of its defined retention period where a decision is made within the Company to do so (whether in response to a request by a data subject or otherwise).
12. Changes to this policy
This policy was last updated 16/4/23. AccountsCo may change this policy from time to time.