This policy defines the scope, obligations and responsibilities of Citadel Accounting UK Limited (hereinafter referred to as Citadel) towards its business and its Clients’ data handling, security and retention.
Citadel recognises that effective management of data and records is essential to the success of its operations. Proper control of information enables the business to function efficiently, comply with legal and regulatory requirements, protect personal data, and maintain strong organisational governance.
This policy, supported by related documents, has been developed to align with legal, statutory, and contractual obligations while also reflecting recognised best practice in records management. Its purpose is to provide a clear, structured framework for document control and information systems across the organisation.
Efficient records and data management help Citadel to:
Operate in a structured, transparent, and accountable manner
Improve the quality and accessibility of information while reducing duplication
Demonstrate compliance and provide evidence to clients, regulators, and stakeholders
Ensure continuity of services in the event of disruption or disaster
Protect the rights and interests of staff, clients, and stakeholders
Safeguard personal data and minimise risks associated with misuse or retention of unnecessary information
Information retained longer than required creates risks, increases costs, and may breach data protection principles. Citadel therefore retains records only where there is a clear business, legal, or regulatory requirement, in full compliance with UK data protection legislation.
The purpose of this policy is to set out Citadel’s approach to the management of data and records, ensuring a structured, compliant, and consistent system across the organisation.
For the purposes of this policy, records include all documents, in any format (paper or electronic), which support the organisation’s activities and provide evidence of transactions, decisions, or obligations.
Records management is the discipline concerned with the systematic control of records throughout their lifecycle: creation, receipt, storage, use, distribution, retention, and disposal. It ensures that the organisation maintains accurate and reliable evidence of its activities while meeting all applicable legal and regulatory standards. Unless otherwise stated, this policy applies to both hard copy and digital records.
This policy applies to all individuals engaged with Citadel, including permanent and fixed-term employees, temporary staff, contractors, agency workers, interns, volunteers, and third-party representatives, whether based in the UK or overseas.
It sets out the responsibilities of staff in managing information in accordance with the organisation’s legal, regulatory, contractual, and operational obligations. All staff are expected to comply fully with the requirements of this policy and associated procedures.
Citadel must collect and process certain personal information about employees, clients, partners, and other individuals in order to carry out its business activities. This information may include names, addresses, contact details, dates of birth, identification numbers, IP addresses, bank details, and other confidential or sensitive data.
In some cases, Citadel is also legally required to collect and use personal information to meet statutory or regulatory obligations. We are committed to ensuring that all personal information is collected, stored, processed, shared, and deleted in full compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any other relevant laws or codes of practice that apply to our business.
Citadel’s Data Retention Policy and practices comply fully with the UK GDPR’s Article 5 principle of data processing (storage limitation):
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (storage limitation).
A record is any piece of information, in any format, that provides evidence of Citadel’s activities, decisions, or compliance with legal, regulatory, financial, or business requirements. Records may be created, received, or maintained in either physical or digital form and represent a vital resource for the organisation.
Citadel’s objective is to have clear and consistent records management processes that ensure:
1. Proper creation and capture of records
2. Compliance with legal, regulatory, and contractual requirements
3. Secure and reliable storage of records
4. Protection of the integrity and authenticity of records
5. Controlled and appropriate use of records
6. Confidentiality and security of information at all times
7. Timely access to records, and secure disposal once no longer required
Records are an essential organisational asset. They preserve evidence of business functions and decisions, protect the rights of individuals, and support accountability. A systematic approach to managing records helps Citadel to safeguard this information and ensure it remains reliable and accessible.
Citadel’s guiding principles for Data Retention and Records Management are to:
1. Operate in an orderly, efficient, and transparent manner
2. Improve the quality and flow of information across the organisation
3. Provide evidence of compliance and effective service delivery to clients, regulators, and other stakeholders
4. Meet all legislative, statutory, and regulatory requirements
5. Deliver services consistently and fairly to staff, clients, and stakeholders
6. Maintain continuity of business operations during disruptions or disasters
7. Protect the rights and interests of staff, clients, and stakeholders, both current and future
8. Ensure secure and appropriate disposal of confidential records and data
9. Retain records only for the period required by law, regulation, or contractual obligation
10. Prevent records from being kept longer than necessary, in line with data protection principles
11. Reduce risks of data breaches or misuse of confidential information
Citadel manages records in a structured and consistent way, in line with UK GDPR requirements.
Records are created, maintained, and retained to provide reliable evidence of the organisation’s activities, including transactions, client work, and employment matters. Retention schedules set out how long records should be kept and are detailed in the Retention Register at the end of this policy.
Citadel ensures that all records and the information they contain are:
Accurate: records must fully and correctly reflect the activity, transaction, or process they document
Accessible: records must be retrievable when required, with security controls in place where access needs to be restricted
Complete: records must include the necessary content, context, and structure to allow activities to be properly understood and reconstructed if needed
Compliant: records must meet all applicable legal and regulatory record-keeping requirements
Monitored: compliance with this policy and related retention schedules is regularly checked to ensure adherence to legal, contractual, and regulatory obligations
Retention Period Protocols
All records are stored in a way that ensures they can be traced, retrieved, and accounted for. Any access, movement, or transfer of records is logged, including transfers between departments. Both company and employee records are managed and disposed of in line with relevant legal and regulatory rules.
For all records created, received, or stored, Citadel will:
Carry out periodic reviews to confirm whether data is still needed, valid, and accurate
Establish and apply defined retention periods, based on business need, type of data, purpose of processing, and applicable legal or regulatory requirements
Provide data subjects with information about retention periods or criteria upon request, in accordance with transparency requirements under UK GDPR
Ensure records required for audits, investigations, or legal proceedings are not altered or destroyed until the matter is resolved
Where long-term storage is required, consider transferring paper records to digital format, ensuring the chosen media remains usable and secure over time
Suspension of Record Disposal
If Citadel receives notice of an audit, legal request, regulatory investigation, or litigation, any planned destruction of relevant records will be suspended. Records will be preserved until it is confirmed that they are no longer required for the matter in question.
Storage & Access of Records
Records are stored in an organised manner by category and in date order where appropriate. All documents are retained in secure facilities or systems, with access limited to authorised staff only. When the retention period expires, records will be reviewed, archived, or securely destroyed, depending on their classification and purpose.
When a record reaches the end of its retention period, the responsible record owner must check the retention register to determine the correct action. Not all data or records are expected to be deleted upon expiration; sometimes it is sufficient to anonymise the data in accordance with the UK GDPR requirements or to archive records for a further period.
Destruction and Disposal of Records & Data
All confidential or sensitive information, whether on paper, card, microfiche, or digital media, must be securely destroyed once it is no longer required.
Citadel is committed to the safe and secure disposal of confidential records and information assets, in compliance with UK GDPR and contractual obligations. All staff receive guidance on secure disposal practices and must follow the approved procedures.
Electronic & IT Records and Systems
Citadel uses a range of IT systems and devices to run its operations. When IT equipment or electronic media is no longer needed, it must be securely wiped and disposed of.
Only directors are authorised to approve the disposal of IT equipment
Before disposal, data must be erased using secure methods to prevent recovery
Where necessary, physical destruction of hardware will also be carried out
Directors are responsible for updating the Information Asset Register once an asset is removed
Asset owners and directors must ensure all required data is backed up and securely removed before disposal
Internal Correspondence and Memoranda
Unless specified otherwise, internal correspondence and memoranda (such as emails, meeting notes, or general communications) should be retained for the same period as the main document or process they relate to.
Where correspondence is unrelated to specific documents, it should be deleted or destroyed once it is no longer needed, or within a maximum of two years.
Examples include:
Routine emails
General inquiries and responses
Internal meeting agendas or notes
Minor communications of no lasting significance
Citadel is committed to ensuring this policy and all related legal and regulatory requirements are followed consistently across the organisation.
Regular audits and monitoring are carried out to check that records are being created, maintained, stored, archived, and disposed of correctly.
Information Asset Owners are responsible for reviewing and overseeing the records within their area, ensuring compliance with this policy and confirming that all data is managed in line with legal, contractual, and regulatory obligations.
Citadel applies clear retention periods for all records. These periods are based on legal, statutory, regulatory, and business requirements. Once the retention period has ended, appropriate action will be taken, which may include destruction, archiving, or review.
Where no legal or regulatory timeframe is specified, Citadel applies a default retention period of six years plus the current year (6 + 1).
The Retention Register at the end of this document sets out the required periods for different types of records and the corresponding actions once those periods expire. This includes:
Employment records (e.g., personnel files, payroll, recruitment documents)
Financial and tax records (e.g., accounting documents, tax returns, payroll records)
Operational records (e.g., contracts, supplier agreements, business policies)
Health and safety records (e.g., accident logs, equipment testing records)
Customer and regulatory records (e.g., client communications, compliance reports)
Marketing and business development materials (e.g., campaigns, press releases)
The retention schedules ensure that information is not kept longer than necessary while still allowing Citadel to meet its legal, contractual, and operational obligations.
Copyright © 2025 Citadel Accounting. All Rights Reserved.