Document Management and Retention and Disposal Policy

1. Scope

HMRC is committed to effectively managing our records for the efficient delivery of our services, documenting our key activities and maintaining corporate memory.

The benefits of effective document management are:

  • protect our critical records and improve the resilience of our business
  • ensure that our information can be found and retrieved quickly and efficiently
  • comply with legal and regulatory requirements
  • reduce the risk of litigation, audit and government investigations
  • minimize storage needs and reduce costs

The principles set out in this policy have been developed to provide a consistent approach to managing records throughout their life cycle and regardless of their format.

This policy also applies to records that third parties manage on behalf of HMRC.

The policy has been approved by management at board level and is aligned with the Lord Chancellor’s Code of Practice on the Management of Records issued under Section 46 of the Freedom of Speech Act 2000 information. The department is required to comply with legal retention and disposal requirements. documents in accordance with relevant legislation, in particular the Public Records Act 1958 (ARP 1958), the Freedom of Information Act 2000 (FOIA 2000), the Data Protection Act 2018 (ODA 2018) and the UK General Data Protection Regulation (UK GDPR).

You can read about legislation that concerns or affects archives, records management or public sector information at National Archives website.

2. Roles and responsibilities

The Departmental Records Officer (scrutineer) is a mandatory appointed position within the Group Chief Digital and Information Officer (CDIOs), who reports to the Chief Information Risk Officer (SIRO). The scrutineer is responsible for maintaining effective and efficient record keeping procedures at HMRC.

HMRC is responsible for transferring selected documents for permanent preservation to the National Archives and other repositories. Business areas are responsible for managing and disposing of all other records they create. Our Estates Directorate supports the business lines by managing HMRC’s outsourced paper document centres. Corporate Communications is responsible for HMRC’s internet and intranet governance.

Within business lines, day-to-day information and records management responsibilities will be delegated by appointed general managers as information asset owners to information specialists within each branch.

Public requests for information about HMRC should be handled by business lines in accordance with applicable law.

In accordance with this policy, all staff members are responsible for the management, proper storage and disposal of information they create and receive in the course of their normal day-to-day work activities.

3. Records and Information Management Policy

A record can be defined as information created, received, and retained as evidence and information by an organization, pursuant to legal obligations, or as part of a business transaction.

You can find more information on what comprises a record in the National Archives Introductory Guide What is Records Management?

Information created by staff on behalf of HMRC belongs to the department and should be reviewed and disposed of regularly and in accordance with business retention and disposal schedules.

All systems and records must have named owners throughout their lifecycle, whether named individuals or named business areas. Records and information must be stored and handled in accordance with the requirements of the government security classification system.

Digital continuity should be considered for the systems and formats used to store digital records. All records should be supported by metadata that documents their authority, status, structure, and integrity to demonstrate their administrative context and relationship to other records.

All records must be traceable and retrievable. File movements and data movements must be tracked, including for files migrated to or from the department via the machinery of government is changing.

Recordings should be stored under environmental conditions that protect them from deterioration. For more information, see National Archives guidelines:

4. Retention and Disposal Policy

4.1 HMRC Retention Policy

Information held longer than necessary carries additional risks and costs. Records and information should only be retained when there is a business need to do so. Under United Kingdom GDPR and the ODA 2018, personal data processed by HMRC should not be kept longer than necessary for its legitimate purpose.

The default standard retention period for HMRC records is 6 years plus current, otherwise known as 6 years + 1. This is defined as 6 years after the last entry in a record followed by the first review or destruction to be carried out in the current additional (+ 1) accounting year.

Records should only be kept beyond HMRC’s default retention period if their retention can be justified for statutory, regulatory, legal or security reasons or for their historical value. Disposal periods for records retained for an extended period should be included in business line retention schedules.

The maximum retention period for HMRC records identified as having historical value is set at 20 years after the last entry in the record, with an additional calendar year for final review and transfer or destruction.

4.2 Business Line Responsibilities for Retention and Disposal

Business lines will identify, appraise and offer records identified as having historical value through CDIOs, and if necessary transfer to the National Archives at 20 years + 1 or before. Historical documents can be transferred earlier with the agreement of all parties affected by the decision. Records of historical value, kept beyond 20 years +1 will be with the permission of the Lord Chancellor.

Business areas are responsible for maintaining and publishing their own records retention and disposal schedules.

Data processing, storage and destruction of records may be undertaken by contracted third parties for these purposes, provided they comply with UK regulations. GDPR, ODA 2018 and HMG relocation policy. All parties must agree on who owns the data, what data is shared, what levels of information security, who can access it, and how it is disposed of, such as destroying or returning the data.

Processes should be in place to ensure that records awaiting audit, litigation or investigation are not destroyed.

Records must be securely destroyed in accordance with departmental security policy. Processes must be in place to ensure that all backups and copies are included in the destruction of records, or data is rendered unusable.

4.3 Personal Data Retention Requirements

UK GDPR Article 5(1)(e) on storage limitation specifies that personal data should not be stored longer than necessary for the purposes for which the personal data is processed. Personal data may be retained for longer periods insofar as it will be processed only for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89 , paragraph 1, of the United Kingdom. GDPR.

HMRC’s legal basis for processing personal data is set out in our Privacy Notice.

Personal data should be periodically reviewed in accordance with HMRC retention schedules and if no longer required, deleted or anonymised as appropriate. Anonymised data is not submitted in the UK GDPR or the Data Protection Act 2018.

Any challenge to the retention of personal data should be considered in accordance with UK GDPR Article 17 (Right to erasure)or the equivalent sections of the ODA 2018 if the processing is for law enforcement purposes. The right to erasure does not apply where we are legally obliged to process personal data or where the processing is necessary for the performance of our functions.

Where HMRC would be required to erase personal data but the personal data needs to be retained as evidence for legal purposes or for reasons of important public interest, HMRC shall (instead of erasing the personal data) restrict its processing.

4.4 Business Line Assessment Reports

Lines of business should develop and maintain their own assessment reports to identify groups or series of key departmental records that are required for day-to-day administrative, legal or tax purposes. The report will serve as the basis for evaluating records that have short, medium and long-term value and for developing detailed schedules for retention and disposal activities. It will allow the sectors of activity to identify the documents to be transferred to the National Archives for permanent preservation. The National Archives has developed an appraisal template and guidance for completing the appraisal report template for these purposes.

Staff should refer to HMRC’s Key Events List to help identify appropriate records for permanent retention. The National Archives Document Collection Policy provides an overview of the types of documents that are and are not collected from public bodies. The National Archives Operational selection policies are guides on what to select based on government function and type of activity or case.

5. Audit and Compliance

The scrutineer is responsible for providing an annual progress report on the management of information and records to the HMRC Executive Committee.

HMRC business areas are responsible for developing their own assurance programs to ensure that the fundamental principles of this policy and related activities are met.

HMRC business areas should verify and monitor the secure disposal of their own records as well as those of third parties who share or produce records on their behalf. Business areas are responsible for maintaining an audit trail of their review, destruction and disposal decisions.