It is Waldorf Risk Solutions’ policy to maintain complete, accurate and high quality records. Records are to be retained for the period of their immediate use, unless longer retention is required for historical reference, contractual, legal or regulatory requirements or for other purposes as may be set forth below. Records that are no longer required, or have satisfied their required periods of retention, shall be destroyed. (ask client if they want copies to keep. This may mitigate a number of potential problems, but is NOT required)
No officer, director, employee, contractor or volunteer of Waldorf Risk Solutions shall knowingly destroy a document with the intent to avoid retaining a document that should be retained under the policies set forth herein. This policy covers all records and documents of Waldorf Risk Solutions. Failure to knowingly or carelessly strictly follow the policies set forth below may lead to disciplinary action.
The organization directs and expects all officers, directors, employees, contractors and volunteers to follow the rules and procedures set forth herein. Please be aware that “documents” includes not only documents in paper form, but e‐mail messages and all other forms of electronically stored information. Also be aware that the rules and procedures apply to all computers and other electronic devices provided to you by the organization for use in the business of the organization, regardless of whether those computers or devices are used on the organization’s premises or elsewhere.
The purpose of this Data Retention Policy (“Policy”) is to ensure that the data collected, maintained and used by Waldorf Risk Solutions, including sensitive personal data, is adequately protected and maintained, and to ensure that data that is no longer needed by Waldorf Risk Solutions is discarded at the proper time and in the proper manner. This Policy is designed to ensure compliance with U.S. federal and local laws and regulations to eliminate accidental or innocent destruction of documents, and to facilitate Waldorf Risk Solutions’ operations by promoting efficiency and freeing up valuable storage space. This Policy is also for the purpose of aiding employees of WALDORF RISK SOLUTIONS in understanding their obligations in retaining information. Waldorf Risk Solutions expects all employees to fully comply with this Policy.
Waldorf Risk Solutions reserves the right to amend, alter and terminate any of these policies, or all of them, at any time.
Responsibility for Administration
The Operations Officer of Waldorf Risk Solutions shall be responsible for administering these policies.
“Data” is defined as any written, recorded or graphic material of any kind existing in any tangible or electronic form that is in the custody, possession or control of Waldorf Risk Solutions or any of its directors, officers or employees, contractors and/or volunteers which in any way concerns Waldorf Risk Solutions’ operations, business activities or legal requirements, including, but not limited to customer personal data. Data may be as obvious as a memorandum, an email, a contract, or something not as obvious, such as a computerized desk calendar, an appointment book, or an expense record.
“Archiving” is the process of moving data that is no longer actively used to a separate storage device or location for retention.
“Destruction” is defined as physical or technical destruction sufficient to render the information contained in the document irretrievable by ordinary commercially available means.
“Document” as used in this Policy, is any medium which holds Data used to support an effective and efficient organizational operation or has been retained to assist a client of Waldorf Risk Solutions or to document actions of the client or Waldorf Risk Solutions. Examples of Documents include:
“Retention Period” is defined as the period of time during which Data must be retained. Unless otherwise specified, Retention Periods are measured from the date of Data creation or modification.
All Data will be stored in the physical locations or in the electronic systems that Waldorf Risk Solutions has provided and designated for such Data. Data shall be retained in a manner that reasonably protects the Data from damage, destruction, or intrusion and facilitates the location and retrieval of the Data efficiently and with minimal expense and effort, and complies with other Waldorf Risk Solutions policies and procedures, to the extent applicable.
Before Data is disposed of or destroyed, Waldorf Risk Solutions Operations Officer must verify that the Data (i) has met its Retention Period and (ii) is not the subject of any pending/imminent/threatened litigation or audit. Data will be disposed of in a manner that is reasonable considering the content of the Data, but which assures that the information has been destroyed.
Email and other electronic Documents Archival Practices
This section is designed to ensure compliance with federal and state laws and regulations, to eliminate accidental or innocent destruction of emails and other electronic Documents and to facilitate Waldorf Risk Solutions’ operations by promoting efficiency and freeing up valuable storage space. This section sets general guidelines, recognizing the impracticality of under some circumstances adhering to rigid rules, and the massive volume of records created by the ever-growing use of digital devices and services used within Waldorf Risk Solutions.
Waldorf Risk Solutions strives to keep emails and electronic Documents as follows:
Litigation Exception Process and How to Respond to Discovery Requests
In the event that Waldorf Risk Solutions is served with any subpoena or request for Data or any employee becomes aware of a governmental investigation or audit concerning Waldorf Risk Solutions or one of its clients or the commencement of any litigation against or concerning Waldorf Risk Solutions, or one of its clients, such employee shall inform Operations Officer and any further disposal of Data shall be suspended until such time as Operations Officer, with the advice of legal counsel, determines otherwise. The Human Resource Director shall take such steps as are necessary to promptly inform all employees of any suspension in the further disposal of relevant Data. This exception supersedes any previously or subsequently established destruction schedule for those Data. If you believe this exception may apply, or have any questions regarding the possible applicability of this exception, or if you believe, for any reason, that Data or category of Data should not be destroyed, please contact the Operations Officer.
Definitions in Context of Data Processing
The creation, collection, transformation, accessing, updating, transferring, destruction and any other manipulation of data is termed “Data Processing”.
“Retention” is the continued processing of data, after the initial “Active Use” has either achieved the purpose for which the data was originally created, or the purpose for which the procured data has been terminated.
Data Retention for Data Processing may be required to meet applicable legal or contractual obligations or meet business objectives. Retention Periods are determined accordingly. For Personal Data they must be no longer than necessary to protect the rights and freedoms of individuals.
In some cases, retention may be in the form of “Archival”, to preserve storage space or bandwidth on the system or container originally employed for Active Use processing.
Throughout the Data Processing, for Information Security and Disaster Recovery/Business Continuity purposes, regular back-ups or copies may be created of the data. Retention periods of such back-ups should be only as long as required to fulfil this purpose. Back-ups should not serve as a replacement for data retention.
It is impossible to designate a Retention Period for each and every type of Data that may exist or come to exist. However, this Policy sets forth Retention Periods for certain common types of Data in the chart below. If certain Data does not fall within a class for which there is a designated Retention Period in this Policy, WALDORF RISK SOLUTIONS will consult with legal counsel to determine the proper classification of the Data or to establish a Retention Period for the Data in question. To the extent Data is subject to more than one Retention Period, the Data will be retained for the longer of the specified time frames in order to comply with this Policy.
Breaches of this Policy may have serious legal and reputation repercussions and could cause material damage to International SOS. Consequently, breaches can potentially lead to disciplinary action that could include summary dismissal and to legal sanctions, including criminal penalties.
All employees are expected to promptly and fully report any breaches of the Policy. A report may be made to the Human Resource Director. Reports made in good faith by someone who has not breached this Policy will not reflect adversely on that person or their career at Waldorf Risk Solutions. Reports may be made using the following e-mail address: firstname.lastname@example.org