CPS Retention and Disposal Policy
- 1. Background
- 2. Introduction
- 3. Aim of the Retention and Disposal Policy
- 4. Scope of the Retention and Disposal Policy
- 5. Records and Information Management
- 6. Retention requirements for personal data
- 7. Sensitive personal data
- 8. Roles and Responsibilities.
- 9. Definitions of Disposal Action Terms Used
- 10. Lines of Business and Appraisal reports
- 11. Audit and compliance
- 12. Revision of the Retention and Disposal Policy
1. Background
1.1 Scope
The Retention and Disposal Policy (R&DP) covers all information and records, irrespective of medium, and should be applied to all digital and paper copy information as well as databases and social media. The R&DP provides a management tool for identifying and determining the retention and disposal of information and records created by the Crown Prosecution Service (CPS) and contains the major categories of information and records it creates. It provides guidance to enable adherence with legal obligations.
1.2 Sensitive Data
For sensitive information, including that covered by the General Data Protection Regulation (UK GDPR) (EU) 2016/679 UK GDPR overview, the Data Protection Act 2018 (DPA 2018) and Law Enforcement Directive (LED) 2016 LED 2016, we must be able to allow access to those who need to see this information while preventing others from gaining access. We also need to be able to identify personal and/or sensitive personal information, know who it is shared with, and dispose of information we are no longer entitled to hold.
1.3 Purpose
This R&DSP has been created to form part of the CPS Information Management and Governance, as required under section 46 code of practice of the Freedom of Information (FOI) Code 2000 s46 FOI Code Records Management.
2. Introduction
2.1 Disposal scheduling is an important aspect of establishing and maintaining control of corporate information.
It increases efficiency and cost-effectiveness by ensuring that information is disposed of when no longer needed. This enables more effective use of resources, for example physical and digital storage space, and saves staff time searching for information that may not be there.
Efficiently disposing of information once it has reached a set retention date also ensures compliance with legislation such as the Public Records Act (PRA) 1958 & 1967, the UK GDPR, the DPA and the LED.
3. Aim of the Retention and Disposal Policy
3.1 The aim of this R&DS is to provide a consistent approach to the way the CPS handles its information, and to provide a clear set of guidelines to all staff and support the Information Management and Governance Policy.
The R&DS will help the organisation to:
- Identify information which has historical significance, and which will be transferred to The National Archives (TNA)
- Retain personal data no longer than is necessary for the purpose you obtained it for
- Ensure personal data is disposed of when no longer needed, reducing the risk that it will become inaccurate, out of date or irrelevant
- Prevent premature destruction of information which needs to be retained for a specific period to satisfy legal, financial and other requirements
- Authorise the destruction of information once no longer required by the business.
4. Scope of the Retention and Disposal Policy
4.1 Information
The R&DP covers all the functional information and records of the CPS. This is a corporate document. As well as providing a guide for staff, it will be used externally as a reference tool by members of the public when they wish to request information under legislation such as the FOIA and DPA.
4.2 Retention and Destruction
The R&DP details the types of information and the length of time it should be retained before taking disposal or archive action. Many retention periods are determined by statute – such as information needed for income tax and audit purposes, or information on aspects of employment/health and safety. If we keep personal data to comply with a requirement like this, it will not be considered to have been kept “for longer than necessary”. Where available or appropriate the relevant legislation or statutory reason for keeping the information for a specific period has been included.
4.3 Further information
You can read about legislation that relates to, or affects archives, records management or public sector information on The National Archives website.
5. Records and Information Management
5.1 Definition
A record can be defined as information created, received, and maintained as evidence and information by an organisation, in pursuance of legal obligations or in the transaction of business. Ref. ISO 15489-1:2016.
5.2 Proprietary Information
Information created by staff on behalf of the CPS belongs to the department and must be reviewed and disposed of routinely and in accordance with line of business retention and disposal schedules.
5.3 Statutory obligations
Through effective information management, the Department will comply with the following regulations:
- DPA (DPA 2018)
- UK GDPR
- PRA
- The Government’s Information Principles (management of information from creation to destruction)
- The Civil Service code.
5.4 Ownership and Handling
All systems and records must have designated owners throughout their lifecycle, whether that is named individuals or nominated business areas. Records and information must be stored and handled in accordance with the requirements of the Government Security Classification System.
5.5 Continuity
Digital continuity must be considered for the systems and formats that are used to store digital records. All records must be supported by metadata that documents their authority, status, structure, and integrity to demonstrate their administrative context and relationship with other records.
5.6 Integrity and Availability
All records must be traceable and retrievable. File movements and movements of data must be tracked, including for files migrated into or out of the department through machinery of government changes.
5.7 Appropriate Storage of Hard Copy Records
Records must be stored in environmental conditions that protect them from deterioration. For more information refer to The National Archives guidance:
6. Retention requirements for personal data
6.1 Personal Information under UK GDPR
The UK GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people. This also applies to work email addresses when they include a person’s full name.
6.2 Scope of UK GDPR
The UK GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data. Personal data that has been pseudonymised – e.g., key-coded – can fall within the scope of the UK GDPR depending on how difficult it is to attribute the pseudonym to an individual.
6.3 Storage Limitation
UK GDPR Article 5(1)(e) about storage limitation specifies that personal data shall be kept for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of UK GDPR.
6.4 Lawful Processing
CPS’ lawful basis for processing personal data is set out in our Privacy Notice.
6.5 Retention of Personal Data
Personal data must be periodically reviewed in accordance with the CPS retention schedules and if it is no longer needed it should be deleted or anonymised as appropriate. Anonymised data is not subject to UK GDPR or the DPA 2018.
6.6 Challenges to the Retention of Personal Data
Any challenges to the retention of personal data must be considered in accordance with UK GDPR Article 17 (Right to erasure), or the equivalent sections in the DPA 2018 if the processing is for law enforcement purposes. The right to erasure does not apply where we are legally obliged to process personal data or where the processing is necessary for performing our functions.
6.7 Restriction of Processing
Where the CPS would be required to erase personal data, but the personal data must be maintained as evidence for legal purposes or for reasons of important public interest, CPS must (instead of erasing the personal data) restrict its processing.
7. Sensitive personal data
7.1 The UK GDPR refers to sensitive personal data as “special categories of personal data”. The special categories specifically include genetic data, and biometric data where it is processed to uniquely identify an individual.
For example, ‘sensitive personal data’ includes information about an individual’s:
- race;
- ethnic origin;
- politics;
- religion;
- trade union membership;
- genetic;
- biometrics (where used for ID purposes);
- health;
- sex life; or
- sexual orientation.
8. Roles and Responsibilities
8.1 Departmental Records Officer (DRO)
The Departmental Records Officer (DRO) is a mandatory role who reports to the Deputy Director, Security and Information/Data Protection Officer and the Senior Information Responsible Owner (SIRO). The DRO is accountable for maintaining effective and efficient record keeping procedures in the CPS.
All information created in government is managed through the provisions of the Public Records Act and related legislation.
The DRO leads on departmental compliance with the Public Records Act.
The DRO maintains the department’s statutory relationship with The National Archives and the Advisory Council on National Records and Archives.
The DRO needs to follow guidance from The National Archives on appraising records as part of good practice for information management under the Code of Practice (FOI s46).
Identify information worthy of historical preservation under supervision of the Keeper and in line with The National Archives’ Records Collection Policy.
8.2 CPS Areas and Directorates
- CPS Areas and Directorates are accountable for the management and disposal of all records that they create. They are responsible for ensuring that records that fall under the department's Long-Term Interest criteria are considered and transferred to the RMT.
- Commercial/HQ Chief Finance Officer Directorate are responsible for contracts with third party suppliers.
- HQ Communications are responsible for CPS’ internet and intranet governance.
- The Security and Information Assurance Division (SIAD) provide holistic advice and guidance on all aspects of security and information assurance to the organisation. They are part of the Digital and Information Directorate (DID) which brings together professional experts in digital technology, security, information management and operational process transformation to deliver high quality services to the CPS. Chief Crown Prosecutors/Heads of Directorates are appointed as Information Asset Owners (IAO) and will delegate day-to-day responsibilities for information and records management to information specialists within each Area/Directorate.
8.3 Responding to Information Requests
Public requests for CPS information must be actioned by Areas/Directorates in accordance with Information Management Policies. For example, requests under the FOI Act, such as Right of Access Requests (RoARS), should be referred to the Information Access Team (IAT).
8.4 All CPS Employees
In accordance with this policy, all staff are responsible for managing, storing appropriately, and disposing of the information they create and receive as part of their normal daily business activities. All CPS staff as well as contractors, must take responsibility for ensuring that information and records are created with appropriate retention periods in line with the R&DSP, and that these are adhered to. Long-Term Interest (LTI)
Records that fall under the Long-Term Interest (LTI) criteria must be sent to the Records Management Team soon after the case has concluded.
9. Definitions of Disposal Action Terms Used
A - Archive or Permanent Retention
This information has historical value. Public records and information may be offered to TNA for permanent preservation and be made available to the public. Non-public records and information may need to be permanently retained by the CPS for administrative purposes.
D - Destroy
This information is of a routine business nature and can be destroyed when the business need for retaining the information has expired and no longer required.
R - Review
This information may have long term business value or could potentially be of historical interest. A more thorough review therefore will be undertaken to determine its ongoing value before a destruction decision is made.
10. Lines of Business and Appraisal reports
10.1 Selection of Historic Records
CPS Areas/Directorates will identify, appraise, and offer records identified as having historic value to the RMT, who will carry out the selection of records for transfer to TNA at 20 years or earlier. Historic records can be transferred earlier by agreement of all parties affected by the decision. Records with historic value, retained beyond the 20 year will require an application to be made to the Secretary of State for Digital, Culture, Media and Sport (previously Lord Chancellor) via the Advisory Council for authorisation.
10.2 Appraisal Reporting
CPS Areas/Directorates must maintain Appraisal Reports to identify groups or series of key departmental records which are of Long-Term Interest value. The report will take the form of an Excel spreadsheet and act as the basis for appraising records that have long-term value. It will enable CPS Areas/Directorates to identify records they hold that may be considered by the RMT for transfer to TNA for permanent preservation and national interest.
10.3 Long-Term Interest Criteria
The CPS has in place a LTI criteria that gives guidance on the types of cases and policy development areas that should be sent to the RMT. This can be located in the Records Management Team section of the Security SharePoint hub. Records identified as LTI are held on an independent IT application solely for the use of the Records Management Team and form part of the corporate record. The metadata for these records is held indefinitely for archiving and research purposes in line with Article 5(1)(e) of UK GDPR. Reviews are undertaken to minimise metadata when appropriate.
10.4 The National Archives’ Records Collection Policy
TNA Records Collection Policy (revised 2019) sets out an overview of the types of records which are and are not collected from public bodies.
11. Audit and Compliance
11.1 CPS Area/Directorate Assurance and Compliance Processes
CPS Areas/Directorates are accountable for developing their own assurance and compliance processes to ensure that the core principles in this policy and related activities are being complied with.
11.2 CPS Area/Directorate Records Disposal
CPS Areas/Directorates must audit and monitor the secure disposal of their own records as well as those of any third parties that share or produce records on their behalf and are responsible for maintaining an audit trail of their review, destruction, and disposal decisions.
11.3 Moratorium on Destruction
The CPS has had a moratorium on the destruction of all its information due to the Independent Inquiry into Child Sexual Abuse (IICSA) (aka Goddard). This was put in place in April 2015 and lifted on non-casework in July 2020. IICSA concluded in October 2022 and Government had to respond to its recommendations by the end of April 2023. A decision was made by CPS Executive Group that the moratorium on destructions of casework could be lifted, this was effective from 6 August 2023, which included some caveats. Communications from the CMS Archive/Case Destruction Oversight Group were issued in June and July 2023. A Gateway Notice was issued to staff 12 October 2023.
11.4 Inquiries
There are two other national inquiries in which the Department is involved.
11.4.1 The Undercover Policing Inquiry (UCPI) (aka Pitchford/Ellison QC Review) (May 2014)
UCPI was set up in 2015 to get to the truth about undercover policing in England and Wales since 1968 and provide recommendations for the future. This was in response to independent reviews by Mark Ellison QC which found appalling practices in undercover policing. Due to the reviews the CPS had a moratorium on destructions for LTI cases since 2014. This was lifted in accordance with item 12.3.
11.4.2 UK COVID-19 Inquiry (June 2023)
Covid-related prosecutions and pre-charge discussions, and related internal communications, may be required by the inquiry and therefore will need to be retained in line with the projected time period of the inquiry of seven years from June 2023.
12. Revision of the Retention and Disposal Policy
12.1 This Retention and Disposal Schedule Policy supersedes and replaces all previous versions.
The previous version was published in June 2020 with the prior version to this published in 2008.
12.2 Review Period
The Security Information and Assurance Division (SIAD) will undertake a full review of the R&DSP no less than every five years. The revised R&DSP will be submitted to the Policy Review Board (PRB) for approval prior to its implementation. Minor changes/updates will be incorporated into the R&DSP as and when required.
12.3 Policy Queries
For information which is not covered by this R&DP, the Records Management Team (RMT) must be contacted to discuss amendment of the R&DP. Do not destroy this type of information. Unauthorised destruction of information goes against s46 FOIA 2000 & 2009.