© Crown copyright 2019
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: firstname.lastname@example.org.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/hmrc-records-management-and-retention-and-disposal-policy/records-management-and-retention-and-disposal-policy
HMRC is committed to the efficient management of our records for the effective delivery of our services, to document our principal activities and to maintain the corporate memory.
The benefits of effective records management are:
- protecting our business critical records and improving business resilience
- ensuring our information can be found and retrieved quickly and efficiently
- complying with legal and regulatory requirements
- reducing risk for litigation, audit and government investigations
- minimising storage requirements and reducing costs
The principles outlined in this policy have been developed to provide a consistent approach to managing records throughout their lifecycle and regardless of their format.
This policy also applies to records that third parties manage on behalf of HMRC.
The policy has been endorsed by Board level Management and is aligned with the Lord Chancellor’s Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000. The department is obliged to meet the legal requirements for the retention and disposal of records in accordance with relevant legislation, particularly the Public Records Act 1958 (PRA 1958), the Freedom of Information Act 2000 (FOIA 2000), the Data Protection Act 2018 (DPA 2018) and the General Data Protection Regulation (GDPR).
You can read about legislation that relates to, or affects archives, records management or public sector information on The National Archives website.
2. Roles and responsibilities
The Departmental Records Officer (DRO) is a mandatory role appointed within Chief Digital and Information Officer Group (CDIO), who reports to the Senior Information Risk Owner (SIRO). The DRO is accountable for maintaining effective and efficient record keeping procedures in HMRC.
HMRC is responsible for transferring records selected for permanent preservation to The National Archives and other places of deposit. Lines of business are accountable for the management and disposal of all other records that they create. Our Estates directorate supports lines of business by managing HMRC’s outsourced paper records centres. Corporate Communications are responsible for HMRC’s internet and intranet governance.
Within lines of business, day-to-day responsibilities for Information and Records Management will be delegated by director generals appointed as information asset owners to information specialists within each directorate.
Public requests for HMRC information must be actioned by lines of business in accordance with relevant legislation.
In accordance with this policy, all staff are responsible for managing, storing appropriately and disposing of the information they create and receive as part of their normal daily business activities.
3. Records and information management policy
A record can be defined as information created, received and maintained as evidence and information by an organisation, in pursuance of legal obligations or in the transaction of business.
You can find more information about what comprises a record in The National Archives introductory guide "What is records management?".
Information created by staff on behalf of HMRC belongs to the department and must be reviewed and disposed of routinely and in accordance with line of business retention and disposal schedules.
All systems and records must have designated owners throughout their lifecycle, whether that is named individuals or nominated business areas. Records and information must be stored and handled in accordance with the requirements of the Government Security Classification System.
Digital continuity must be considered for the systems and formats that are used to store digital records. All records must be supported by metadata that documents their authority, status, structure and integrity to demonstrate their administrative context and relationship with other records.
All records must be traceable and retrievable. File movements and movements of data must be tracked, including for files migrated into or out of the department through machinery of government changes.
Records must be stored in environmental conditions that protect them from deterioration. For more information refer to The National Archives guidance:
4. Retention and disposal policy
4.1 HMRC retention policy
Information held for longer than is necessary carries additional risk and cost. Records and information should only be retained when there is a business need to do so. Under GDPR and the DPA 2018, personal data processed by HMRC must not be retained for longer than is necessary for its lawful purpose.
The default standard retention period for HMRC records is 6 years plus current, otherwise known as 6 years + 1. This is defined as 6 years after the last entry in a record followed by first review or destruction to be carried out in the additional current (+ 1) accounting year.
Records must only be retained beyond the default HMRC retention period if their retention can be justified for statutory, regulatory, legal or security reasons or for their historic value. The disposal periods for records retained for extended duration must be included within line of business retention schedules.
The maximum retention period for HMRC records identified as having historic value is defined as 20 years after the last entry in the record, with an additional one calendar year for final review and transfer or destruction.
4.2 Line of Business retention and disposal responsibilities
Lines of Business will identify, appraise and offer records identified as having historic value through CDIO, and if applicable transfer to The National Archives at 20 years + 1 or earlier. Historic records can be transferred earlier by agreement of all parties affected by the decision. Records with historic value that are retained beyond 20 years + 1 will be retained with Lord Chancellor authorisation.
Lines of business are responsible for maintaining and publishing their own record retention and disposal schedules.
Data processing, storage and destruction of records can be undertaken by third parties contracted for those purposes, provided that it is compliant with GDPR, DPA 2018 and HMG Offshoring Policy. All parties must agree on who owns the data, what data is shared, levels of information security, who should have access and what the disposal arrangements are, for example, destruction or return of data.
Processes must be in place to ensure that records pending audit, litigation or investigation are not destroyed.
Records must be securely destroyed in accordance with departmental security policy. Processes must be in place to ensure that all backups and copies are included in the destruction of records, or that data is put beyond use.
4.3 Retention requirements for personal data
GDPR Article 5(1)(e) about storage limitation specifies that personal data shall be kept for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of GDPR.
HMRC’s lawful basis for processing personal data is set out in our Privacy Notice.
Personal data must be periodically reviewed in accordance with HMRC’s retention schedules and if it is no longer needed it should be deleted or anonymised as appropriate. Anonymised data is not subject to GDPR or the Data Protection Act 2018.
Any challenges to the retention of personal data must be considered in accordance with GDPR Article 17 (Right to erasure), or the equivalent sections in the DPA 2018 if the processing is for law enforcement purposes. The right to erasure does not apply where we are legally obliged to process personal data or where the processing is necessary for performing our functions.
Where HMRC would be required to erase personal data but the personal data must be maintained as evidence for legal purposes or for reasons of important public interest, HMRC must (instead of erasing the personal data) restrict its processing.
4.4 Line of Business Appraisal Reports
Lines of Business must develop and maintain their own Appraisal Reports to identify groups or series of key departmental records which are required for ongoing administrative, legal or fiscal purposes. The report will act as the basis for appraising records that have short, medium and long term value and for developing detailed line of business retention and disposal schedules. It will enable Lines of Business to identify records to be transferred to The National Archives for permanent preservation. The National Archives has developed an appraisal template and guidance on completing the appraisal report template for these purposes.
Staff should refer to the HMRC key events list to help identify appropriate records for permanent preservation. The National Archives Records Collection Policy sets out an overview of the types of records which are and are not collected from public bodies. The National Archives Operational Selection Policies are guides about what to select according to government function and type of activity or record.
5. Audit and compliance
The DRO is responsible for providing an annual Information and Records Management progress report to HMRC’s Executive Committee.
HMRC Lines of Business are accountable for developing their own assurance programmes to ensure that the core principles in this policy and related activities are being complied with.
HMRC Lines of Business must audit and monitor the secure disposal of their own records as well as those of any third parties that share or produce records on their behalf. Lines of Business are responsible for maintaining an audit trail of their review, destruction and disposal decisions.