Records Retention and Disposal Policy

Change history

Version numberDate of releasePolicy ownerAuthorised by
1.008/09/2023Naomi da Silva, Head of Business AssuranceBoard of Trustees

Policy statement

Central YMCA (‘the Charity’) defines records as any data or information in all physical forms or media, created or received by the organisation while carrying out its business activities. Accurate and relevant information is vital to the efficient running and management of the organisation. It is important to balance our statutory and contractual obligations (for example, annual reporting requirements), with our duties of confidentiality for personal and sensitive records.

The Charity will comply with all relevant legislation, including the UK GDPR and the Data Protection Act, as updated from time to time, and aims to achieve standards of best practice by adopting principles from bodies such as the International Organisation for Standardisation (ISO). 

This Policy outlines the Charity’s commitment to maintain records of its activities, the key principles for managing and disposing of records in all media, and the roles of all Central YMCA stakeholders in the Charity’s management of its records.

The Charity will ensure that staff have access to information management training and will encourage staff to manage records properly by providing supporting standards, procedures and guidelines. The Charity’s retention schedules outline the retention periods for a range of records relating to the personal data of individuals who come into contact with the Charity, whether as employees, service users, volunteers etc. This policy aims to ensure that these records are managed consistently and are only retained for as long as necessary to meet operational and business needs, and to demonstrate compliance with legal and regulatory requirements. It applies to all the listed categories in whatever format they are held (i.e. paper or electronic). 

The Charity is aware that information held for longer than is necessary carries an additional degree of risk and cost and that records and information should only be retained for legitimate business use and be kept accurate and secure. The Charity will ensure that information is not kept longer than is necessary and will only retain the minimum amount of information that it requires.


The Records Retention and Disposal Policy operates alongside and supplements the Charity’s Data Protection Policy. This policy applies to the management of all records, data and information in all physical forms or media, created or received by the Charity while carrying out its business activities.

Examples of types of record include (but are not limited to):

  • documents (including written, typed or annotated copies);

  • paper files;

  • photographs;

  • electronic files (including word-processed documents, emails, instant messages (Microsoft Teams), internet/intranet pages, databases, spreadsheets and presentations) including on disks, CDs, DVDs, SD (secure digital) devices;

  • reports & annual monitoring forms (including accounts and audits); and

  • faxes

This policy and any procedures associated with it apply to anyone who has access to Central YMCA records, in whatever form and can include:

  • permanent staff members, Trustees and Committee Members;

  • temporary staff members;

  • contractors;

  • consultants; and

  • volunteers.

Related Legislation 

This policy complies with the following acts, regulations and best practice standards:

Charities Act 2011

Financial regulations
The Companies Act 2006; Finance Act 2008; Finance Act 1998; Finance Act 2003; Finance Act 1994; Value Added Tax Act 1994; Taxes Management Act 1970; HMRC guidance; Occupational Personal Pension Schemes (Disclosure of Information) Regulations 2013; Income Tax (Pay as You Earn) Regulations 2003; National Minimum Wage Regulations 2015; Charitable Deductions (Approved Schemes) Regulations 1986

Employer regulations
Employment Relations Act 1999 Collective Redundancies and Transfer of Undertaking (Protection of,) 1999 Maternity and Parental Leave Regulations 1999
Employment Rights Act 1996; Information Commissioner’s Employment Practices Code; Immigration (Restrictions on Employment) Order 2007; Statutory Maternity Pay (General) Regulations 1986; Working Time Regulations 1998; 

Equalities and Human Resources
Equalities Act 2010

Health and Safety
Health and Safety at Work Act 1974 with regulations enforceable under the Act including the Management of Health and Safety at Work Regulations 1999 (the Management Regulations), Workplace (Health, Safety and Welfare) regulations, Environmental Protection Act

Corporate Manslaughter and Corporate Homicide Act 2007; Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013

Information Commissioner
Data Protection Act of 2018; UK General Data Protection Regulation

Other legislation
Civil Evidence Act 1995; The Limitation Act 1980; Bribery Act 2010; Copyright Designs and Patents Act 1988; Trade Marks Act 1994

Best practice
Retention and disposal schedules recommended by the National Archives (former Public Records Office)


Board of Trustees
Overall responsibility for the policies and procedures that govern the work at Central YMCA.

Chief Executive
Overall responsibility for ensuring Central YMCA’s resources are used effectively and appropriately.

Policy Owner and Senior Information Risk Owner (SIRO)
Responsible for understanding how the strategic business goals of the organisation may be impacted by any information risks, and for taking steps to mitigate them. The SIRO is accountable and responsible for information risk across the Charity. Responsible for ensuring guidelines are in place and that policies and procedures reflect our charitable ethos and commitment to equality and diversity.

Data Protection Officer (DPO)
Accountable to the Executive Team and responsible for giving advice about the management of personal data within Central YMCA and for ensuring that compliance with data protection legislation and good practice is achieved and can be demonstrated.

Information Asset Owners
Senior /responsible individuals usually running an operation or central service function. Their role is to understand what information is held, what is added and what is removed, how information is moved, and who has access and why.   

All Line Managers
Responsible for ensuring all employees are aware of and follow this policy.

All Employees and Volunteers
To follow policies and procedures, promoting best practice throughout the organisation.


1. Principles

Records and information are owned by the Charity, not by an individual or team.

Keeping records is an integral part of all business activities.

A complete record of all activities must be securely stored in a shared location, easily identified and accessible to those who need to see it.

The complete record may be in any format, but preferably electronic – significant emails are held alongside other information and must not be stored solely in personal mailboxes.

Information will be held only if required and disposed of in accordance with the record retention policy and retention schedules.

Practical guidance is made available to enable teams to manage their information.

2. Process

All records created by or on behalf of Central YMCA belong to the Charity. This includes any rights or copyrights in the context, except where specifically provided under copyright legislation.

All records received on behalf of the Charity as part of its business will be its property, which may be disposed of or released as the Charity sees fit or as required by law. Originators’ and owners’ rights will be fully respected in accordance with legislation.

Responsibility for depositing and disposing of archive records lies with the Information Asset Owners (usually the heads of each operation or central service function). It is their responsibility to ensure that complete and accurate records are retained in line with legislative requirements and agreed best practice.

Responsibility for managing and tracking records lies with the Information Asset Owners, supported by the Head of Business Assurance and the IT department.

Information Asset Owners will determine if a file is no longer required for current business usage which can then be added to the archive.

Information Asset Owners may choose to retain records for longer than the indicative periods given in the retention schedule, provided that they can demonstrate a legitimate business need for doing so, for example, if they consider records to be of significant historical value or if the issue they are concerned remains ‘live.

3. Data Protection

This policy helps ensure that the Charity is complying with the Data Protection Act 2018 which requires that we do not collect and/or retain information that has no business use and collect personal and sensitive information in accordance with UK General Data Protection Regulation (‘UK GDPR’) principles and the Data Protection Act 2018.

To comply with the UK GDPR principles the Charity must:

  • only keep information for as long as necessary for the purpose for which it was collected;
  • ensure records are accurate and up-to-date
  • keep records secure, whether electronic or paper
  • ensure records are retrievable and easily traced
  • allow a person access to information held about them, should they request it
  • prove accountability

It therefore follows that the Charity must:

  • destroy papers and electronic data for which there is no continuing business need and send papers that cannot be destroyed to archive for as short a time as possible
  • keep data secure while it remains in any office
  • keep track of where information is stored
  • continue to apply these good practices to avoid stockpiling papers in the future
  • regularly audit the data assets

4. Policy Implementation

Each year as a minimum, the records which are no longer required under the Charity’s data retention schedule should be securely and permanently destroyed, unless specific legislation requires formal review before destruction.

Documents must be destroyed securely; paper files containing details about persons and /or holding sensitive information should be shredded. Responsibility for ownership and destruction of files rests with the Information Asset Owners supported by the DPO, Head of Business Assurance and the IT department once the identified timescales (confirmed by the Information Asset Owners and DPO) for keeping archived items is reached.

Effective implementation of the Records Retention and Disposal Policy requires the retention schedules to be adhered to rigidly. To maintain a consistent archive, staff are required to follow strict protocols about naming of and storage of files so that they are safely stored and catalogued/labelled if in physical condition and can readily be retrieved. If staff have retained a document beyond the time required beyond the schedule for business purposes, the responsibility for destroying the document will lie with the individual when they no longer hold business purposes.

Retention schedules should be reviewed annually (and otherwise as required) to ensure these comply with the law and any other external requirements (such as funding guidelines).

Any concerns relating to the storage or destruction of data should be raised with the Charity’s Head of Business Assurance and DPO.