This policy sets the required retention periods for specified categories of personal data and sets out the minimum standards to be applied when destroying certain information within Lifeline Alarm Systems Ltd.
This Policy applies to all business units, processes, and systems in all countries in which Lifeline Alarm Systems Ltd conducts business. It applies to all officers, directors, employees, agents, affiliates, contractors, consultants, advisors, or service providers that may collect, process, or have access to data.
This policy applies to all information used at Lifeline Alarm Systems Ltd, including:
Emails
Hard copy and soft copy documents
Video and audio recordings
Data generated by physical access control systems
EU GDPR 2016/679
UK Data Protection Act
Personal Data Protection Policy
Retention General Principle For any category of documents not specifically defined in the Data Retention Schedule, the required retention period is 3 years from the date of creation, unless otherwise mandated by applicable law.
Retention General Schedule The Data Protection Officer defines specific retention periods through the Data Retention Schedule. Exemptions to prolong retention may occur during:
Ongoing investigations from legal authorities to prove compliance.
The exercise of legal rights in lawsuits or court proceedings.
Lifeline Alarm Systems Ltd considers the potential for data media to wear out. Procedures are in place to ensure information remains accessible despite technological changes. The responsibility for secure electronic storage and readability falls to the outsourced IT provider.
Employees must regularly review data to decide whether to destroy or delete it once the purpose for its creation is no longer relevant. Overall responsibility for destruction falls to Lifeline Alarm Systems Ltd.
Once the decision is made to dispose of data, it must be deleted, shredded, or destroyed based on its level of confidentiality:
Sensitive personal data must be treated as confidential waste with secure electronic deletion.
Expired contracts may warrant in-house shredding.
The outsourced IT provider must document the destruction process, providing evidence of the security of the destruction.
The Data Protection Officer (DPO) is responsible for ensuring compliance and assisting with enquiries from governmental authorities. Any suspected breach must be reported immediately to the DPO.
Failure to comply may result in:
Loss of customer confidence and litigation.
Financial loss and damage to reputation.
Disciplinary proceedings or termination of employment/contracts.
Routine Disposal Schedule The following may be routinely destroyed unless subject to an ongoing legal inquiry:
Announcements and notices of day-to-day meetings.
Requests for ordinary information (e.g., travel directions).
Transmission documents (fax cover sheets, email routing slips, compliment slips).
Superseded address lists and duplicate documents (CC/FYI copies).
Obsolete trade magazines and vendor catalogues.
Destruction Methods
Level I (Highest Security): Contains personal data. Must be cross-cut shredded, recycled/incinerated, and subject to secure electronic deletion with proof of destruction.
Level II (Proprietary): Contains confidential info (names/addresses) but no personal data. Must be cross-cut shredded and placed in locked bins for approved disposal firms.
Level III (General): Non-confidential published documents (flyers/newsletters). Strip-shredded or disposed of normally without an audit trail.
Record Name: Data Retention Schedule
Storage Location: Lifeline Server
Person Responsible: Data Protection Officer
Access Control: Authorised persons only
Retention Time: Permanently
Appendix – Data Retention Schedule (See FSQ 121 / SSQS101)
January 2025 Lifeline Alarm Systems Ltd
