A. Purpose
This Data Retention Policy (the “Policy”) sets out how Fourth operates in relation to data storage, retention and destruction, including the default and other retention periods applicable to Customer data that Fourth has possession of through the provision of the Fourth Solutions (as defined in the Subscription Agreement). This Policy is compliant with Applicable Privacy Law, and Fourth is registered with the Information Commissioner’s Office under number ICO: Z2278121.
Terms used in this Policy and not otherwise defined shall have the meanings given to them in the Subscription Agreement or Data Processing Agreement and Privacy Policy (EU).
B. Types of Data Covered
This Policy covers all electronic data processed by Fourth through the Customer’s (and its Group Companies’) use of the Fourth Solutions and Services which are uploaded to the Fourth Solution and which are hosted by its Authorised Processor(s). Fourth processes personal information about its Customers’ data subjects (i.e. their employees, suppliers and other individuals) in order to provide the Fourth Solution and as otherwise described in our Data Processing Agreement and Privacy Policy (EU).
This Policy does not cover any personal data controlled by Fourth which relates to Fourth’s own employees and suppliers.
Fourth processes personal data for the following purposes: (i) on behalf of its Customers to allow them to use the Fourth Solution; and (ii) for Fourth’s legitimate interests of developing and managing its corporate relationships and running its business. Fourth may also process sensitive categories of personal data on behalf of its Customers that may include health information; racial or ethnic origin; religious or other beliefs.
C. Retention Period
The Applicable Privacy Law requires that our Customers must ensure that personal data processed by or on their behalf shall be kept for “no longer than is necessary for the purposes for which the personal data are processed”. To allow Customers to comply with this requirement, Fourth has introduced default periods for which certain data is retained within its Workforce Management Solution. These will initially be set to the default periods listed below, however, each of these periods for each category of information may be customised by a Customer to allow it to apply longer or shorter retention periods as the Customer deems appropriate to its business.
Fourth is specifically instructed by its Customers to keep the applicable Customer data for the default periods set out below, or such other period as is configured by the Customer in its Workforce Management Solution.
The retention periods apply only in relation to data subjects who have been terminated as employees in Fourth’s Workforce Management Solution (except as set out in Category 2 below). From time to time Fourth may change the retention periods and/or introduce additional retention periods to apply to different categories of, or subsets of, Customer data. Any such changes would be implemented through Fourth’s standard update procedure (including release notes) and Fourth’s Customers instruct it to apply such additional retention periods to its data by their continued use of the Fourth Solution after receipt of the relevant release notes.
Category | Type of information | Default Retention Period |
1 | Basic personnel information e.g. name, employee number, national insurance number
Financial information e.g. payroll data, pension data, tax data, expense data, P11D information HR related information e.g. employment contract, absence records, holiday records, educational qualifications, maternity/paternity information |
7 years from the end of the applicable tax year in which termination date occurs. |
2 | Physical documents including:
(i) external documents which are automatically uploaded to an employee’s record; (ii) files which are automatically extracted from the Fourth Solution; (iii) FTS documents, which are sent to HMRC after each payroll run and contain the personal data of all employees during that period in one document. |
7 years from the end of the applicable tax year in which termination date occurs.
In relation to FTS documents, the document will be deleted 7 years after the end of the applicable tax year to which the document relates. Due to the nature of this document, this will affect both existing and terminated employees whose data is contained within this document. |
3 | Other non-financial information which includes personal data | 2 years from the date of termination (rounded up to the nearest calendar month). |
The retention periods may be changed from time to time and data will be kept in accordance with the terms of the prevailing privacy policy and documentation which apply upon the date of deletion or archiving.
Data that is made anonymous by Fourth may be kept permanently. Fourth will take all appropriate steps to ensure that the data that has been anonymised cannot be re-identified.
In accordance with our Subscription Agreement and Data Processing Agreement and Privacy Policy, Fourth will also delete data upon the termination of the Customer’s Subscription Agreement.
D. Destruction and Disposal
The technical means by which Fourth Customers instruct Fourth to “delete” data are:
(a) physical documents will be confidentially destroyed;
(b) physical disks and media will be subject to a secure wipe prior to reissue and securely disposed of and a certificate obtained when end-of-life;
(c) CDs, DVDs and Blu-ray discs will be destroyed;
(d) virtual documents will be deleted;
(e) Customer personal data within databases (ie. the Fourth Solutions) will be overwritten according to a configured retention cycle (see paragraph C above for Retention Periods); and
(f) Customer personal data within backups will be phased out through rotation.
E. Limitations
At the expiry of the applicable retention period referred to at paragraph C above, or upon the termination of a Customer’s Subscription Agreement (for further information on this please refer to our Data Processing Agreement and Privacy Policy), Fourth will delete the data. Fourth will delete the personal data, in accordance with its normal backup cycle and whilst this may be deleted immediately, archive copies may remain for up to 13 months after the data of deletion, either on its live platform or as part of its standard backup and archiving procedures.
This Policy only applies to structured data which are stored within appropriate data fields. Fourth will use reasonable technical efforts to delete non-structured data in accordance with this Policy.
Save time, reduce costs, and increase profitability with Fourth’s intelligent solutions.