How many of your email conversations, site photos, site attendance logs and delivery tickets would you still have access to in 2, 5 or 15 years’ time if a claim came in? Could you prove who was on site at a given time? Could you prove how long it took you to respond to a request to remedy a problem from the initial fault being logged? Could you show a photograph of what “it” looked like when you left site? Would you have the email showing the client insisted on “that” item? If the answer is “I don’t know”, you are not alone.
HR Records and Compliance Risks
How about your HR records?
How long are you keeping the data on workers removed from site for health and safety breaches?
What about modern slavery reviews and processes to ensure right to work permits are in place?
Many contracts now require contractors and subcontractors to produce documents up to six years after project completion to prove compliance with statutes under audit clauses. Would your HR data destruction and GDPR policy leave you in the lurch for a term which might be tied to an indemnity?
Balancing GDPR with Business Needs
We’ve been living with GDPR and the Data Protection Act requirements for years, and most companies have robust procedures to manage the data they receive and process. However, if compliance teams take an overly cautious approach to the risk of a data breach, organisations can inadvertently erase documents and data which could be valuable evidence. Data protection laws require that personal information is not retained for longer than is necessary and is only processed for lawful reasons, such as legitimate business purposes or as part of ongoing litigation. Figuring out what that means in YOUR business is vital.
Why Operational Records Matter
A good example of this is the ticket raised for a maintenance issue. It will have the date, time, contact details for the person raising the ticket and details of the problem. The next record will be the response to that ticket, with corresponding information about the person who is going to inspect the issue. These items contain personal information about an individual (in their job role) but also the time and date when something was logged and what information was provided. You do not need to know it was “X” that logged the issue, but it is good to know the details they gave and the time, and to compare how fast “Y” got back to them. That could be important if you end up facing the accusation that your service is always substandard: consider a response that took 15 minutes compared to one that took 15 hours. If you have those contemporaneous records and your opponent does not, who has the more credible position?
Impact of Building Safety Act on Retention Policies
Since the changes to the limitation periods in the construction industry following the Building Safety Act, anyone involved with building “dwellings” has needed to review their document destruction policies. If you have not done one, do it now! Even documents that raise no data protection concerns can be lost in the cleanup of old job files, and they may contain an item that makes the difference between a large insurance payout and an increase in annual premiums, following an out-of-the-blue claim where your statutory liability has not run out.
The Risk of Over-Simplified Data Deletion
Erasing all but the essential documents at the end of a project, or periodically, can be easier than filtering individual items of data, but what you are left with may not be the information needed to successfully defend (or even bring) a claim, or to comply with the requirements of the contracts you have signed up to. Developing a process which allows a document to be retained while removing the data deemed sensitive or not necessary for the longer term is a difficult task, but time spent now on analysing what your business might need to rely on will make the difference if it is required in the future.
Collaborate Before You Commit
If you are agreeing contracts with clauses relating to auditing, record retention and access for the other party, speak to your compliance managers, data protection team, IT and HR so you can discuss whether this is something that will cause a gigantic headache… if the moment arises where you are asked to do it.
