HORNE ENGALL & FREEMAN LLP – Data Retention Policy


In the course of carrying out its various functions, Horne Engall and Freeman LLP creates and holds a wide range of recorded information. Data needs to be properly retained to enable us to meet our business needs, legal requirements, to evidence events or agreements in the event of allegations or disputes and to ensure that any data of historic value are preserved.

We are committed to complying with the law and regulations in all our business activities, including applicable Data Protection Laws.

We are committed to using all appropriate technical and organisational measures to ensure the protection of both customer and employee personal data.

The untimely destruction of Data could affect:

  • the conduct of our business and our reputation;
  • the ability of us to defend legal actions against us;
  • Our ability to comply with statutory obligations;

It is not our aim to permanently retain data. This is unnecessary, not appropriate and unlawful under the GDPR. Deletion of unnecessary data is done to free up storage space both physically electronically, minimise administrative time and cost of storage and to ensure we are legally compliant with the personal data that we store.

Our data retention policy is designed to ensure Horne Engall and Freeman are accountable for ensuring the data we hold is properly retained and that when data is removed from our records it is done for the right reasons and completed under proper processes.  The policy also sets out the way that we expect our employees, contractors and any third parties who handle data to store and destroy it when necessary.

Date is protected through regular online backups, firewalls, anti-virus, passwords and where applicable encryption. These measures enable us to keep your data from being accessed, used or lost. We must advise however, that there is always risks with online and physical data and we cannot guarantee security of data transferred via the internet. Electronic data is stored on the cloud server. Physical data is protected with alarmed and locked offices and secure off-site storage.  All staff are trained on cyber security and data protection training and third party contractors are advised of their obligations.

The policy covers all personal data that is defined by GDPR as:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Personal Data Any information (including opinions and intentions) which relates to an identified or identifiable natural person.
Identifiable natural person Anyone who can be identified, directly or indirectly, in particular by reference to an identifier such as name, and identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data Controller A natural or legal person, Public Authority, Agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
Data Subject The identified or identifiable natural person to which the data refers.
Process, processed, processing Any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means.  Operations performed may include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Protection The process of safeguarding Personal Data from unauthorised or unlawful disclosure, access, alteration, Processing, transfer or destruction.
Data Protection Authority An independent Public Authority responsible for monitoring the application of the relevant Data Protection regulations – in the UK this is the ICO.
Data Processors A natural or legal Person, Public Authority, Agency or other body which Processes Personal Data on behalf of a Data Controller.
Consent Any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.
Special Categories of Data Personal Data pertaining to or revealing racial or ethnic origin, political opinions, religious beliefs, data concerning health or sex life and sexual orientation, genetic data or biometric data.
Third Country Any country not recognised as having an adequate level of legal protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data.
Personal Data Breach A breach of security leading to the accidental or unlawful; destruction, loss, alteration, unauthorised disclosure of, of access to, Personal Data transmitted, stored or otherwise Processed.
Encryption The process of converting information or data into code, to prevent unauthorised access.
GDPR The General Data Protection Regulation

Specifically for Horne Engall and Freeman LLP, this data is likely to include data that is within all client matters, their related files and records, staff matters and third party supplies and any other parties we deal with in the process of normal business.

Our data retention policy applies to all members of staff, employees, contractors, consultants, agency staff and locums.

Only data that is marked for permanent storage, is retained for 20 years and then reviewed. All other data is stored for a limited period of time only. There is no minimum time period for personal data to be stored given the variety of data held by Horne Engall and Freeman LLP and trying to define this for each type of matter that we deal with would cause confusion within the firm.

We have a legal duty to retain staff and job applicant personal data for a period of time once they have left the firm, primarily for statutory purposes but also for other reasons such as providing references, dates of employment, pensions, taxation etc. The maximum period that this data will be stored is 15 years.

Client data relating to any client matter that we held, will beheld for at least 6 years once the file has been closed and archived. We will comply with our regulatory requirements in all areas of law in which we operate. The maximum period we will hold data is 15 years.

Our data retention policy is reviewed on an annual basis to ensure compliance with the most up to date laws and our business needs.

Physical data that we destroy is done in a way so as to ensure the data confidentiality is not risked. All confidential data is shredded through a third party provider approved to complete the required destruction.

Electronic data will either by physically destroyed or deleted in accordance with the government standard.

We keep a record or all physical and electronic data files that are destroyed.

This policy should be read alongside Horne Engall and Freemans LLPs Privacy Policy.