Records & Retention Policy

1. Purpose

The purpose of this policy is to establish consistent rules for the creation, storage, retention, and secure disposal of employee-related records. This ensures compliance with legal, regulatory, and contractual requirements while protecting sensitive information and upholding employee privacy.

Outcome:

Guarantees that HR and Admin teams manage records systematically, minimizing risk of data breaches, legal non-compliance, or loss of critical information.


2. Scope

This policy applies to:

  • All employee records (digital and physical) maintained by HR and Administration.
  • All employees across locations where the company operates.
  • All stages of the employee lifecycle: recruitment, onboarding, employment, exit, and post-exit compliance.
  • Vendors/third parties handling employee data on behalf of the company.

Exclusions: Non-employee data (e.g., vendor contracts, client agreements) are governed under separate company policies.


3. Definitions

  • Employee Records – All information created, received, or maintained during employment (personal details, contracts, payroll, performance, compliance, medical, disciplinary, etc.).
  • Retention Period – The legally or organizationally defined time frame for preserving specific categories of records.
  • Secure Disposal – Permanent deletion or destruction of records to prevent unauthorized access (e.g., shredding, digital wipe).

4. Policy Statements

  1. Employee records must be accurate, complete, and updated regularly.
  2. Records shall be stored securely (HRIS, locked cabinets for physical files).
  3. Access to records will be role-based, following the Identity & Access Management Policy.
  4. Retention periods will comply with:
    • Local labor laws.
    • Tax and audit requirements.
    • Client contractual obligations (where stricter).
  5. Upon expiry of the retention period, records must be securely disposed of.
  6. Data privacy principles (consent, minimal use, confidentiality) must always be followed.

5. Roles & Responsibilities

  • HR – Maintain employee lifecycle records, ensure timely updates, track retention periods, initiate disposal.
  • Admin/IT – Ensure secure digital/physical storage, backup, and access controls.
  • Managers – Submit performance, disciplinary, and compliance-related documents in line with policy.
  • Employees – Provide accurate personal and compliance information.
  • Compliance/Legal Team – Review and update retention schedules as per regulatory changes.

6. Record Categories & Retention Periods

| Record Type | Retention Period | Owner | Storage Format |
|---|---|---|---|
| Recruitment Applications | 1 year (unless hired) | HR | Digital (ATS/HRIS) |
| Offer Letters & Contracts | Duration of employment + 7 yrs | HR | Digital & Physical |
| Payroll & Tax Records | Duration of employment + 7 yrs | HR/Finance | Digital |
| Performance Reviews | Duration of employment + 3 yrs | HR/Manager | Digital |
| Disciplinary Records | Duration of employment + 5 yrs | HR | Digital |
| Training Records | Duration of employment + 2 yrs | HR/L&D | Digital |
| Medical/Fitness Certificates | Duration of employment + 3 yrs | HR | Physical/Digital |
| Exit Interviews & Clearance | 3 yrs post exit | HR | Digital |
| Background Verification (BGV) | Duration of employment | HR | Digital |

(Retention periods may vary based on jurisdiction; HR must adapt this table for each region of operation.)


7. Storage & Access

  • Digital records must be maintained in HRIS/secure cloud storage with access control and audit logs.
  • Physical records must be stored in locked cabinets in restricted HR/Admin offices.
  • Access to sensitive records (medical, disciplinary, compensation) will be strictly limited to authorized HR staff.

8. Secure Disposal

  • Physical Records: Shredding, pulping, or incineration by authorized vendors.
  • Digital Records: Permanent deletion, secure wipe from servers, ensuring backups are also removed.
  • HR must document disposal with a “Record Disposal Log” noting type, date, and approver.

9. Compliance & Audit

  • Annual internal audit to check completeness and adherence to retention schedules.
  • Non-compliance may result in disciplinary action against responsible staff.
  • Legal and compliance teams will update retention periods as laws evolve.

10. Review & Ownership

  • Policy Owner: HR Department.
  • Review Cycle: Annually, or sooner if laws or client obligations change.
  • Approval Authority: Head of HR in consultation with Legal & Compliance.
  • All versions must be dated, versioned, and published in the HR Policy Repository.