Record Retention Policy

Policy Statement

 

The Fitted Horse maintains records necessary for effective business operation, legal compliance, and client service. This policy outlines what records we keep, how long we retain them, and how we dispose of them securely.

 

We are committed to:

  • Retaining records for appropriate periods
  • Complying with legal and regulatory requirements
  • Protecting confidential and personal information
  • Disposing of records securely when no longer needed
  • Maintaining accessible, organised records

 

This policy complies with:

  • UK GDPR and Data Protection Act 2018
  • HMRC tax legislation requirements
  • Health and Safety regulations
  • Equality Act 2010
  • Industry best practices

 

 

General Principles

 

Why We Retain Records

Records are retained to meet legal obligations, maintain business continuity, provide quality client service, defend against potential claims, and demonstrate professional accountability.

 

Data Minimisation

We only retain records that are necessary for legitimate purposes, required by law, or relevant to ongoing business needs. Records are not kept indefinitely "just in case" or beyond their useful and legal retention period.

 

 

Storage and Security

All records are stored securely with appropriate protection against unauthorised access, loss, or damage. Digital records are password-protected and backed up regularly. Physical records are kept in locked, secure storage with restricted access.

 

 

Retention Periods

 

Client Records

Client consultation records including contact details, horse information, assessments, fitting recommendations, equipment details, and follow-up notes are retained for seven years from the last appointment or interaction. This period covers the limitation period for potential liability claims (six years plus one year margin) and allows continuity of care for returning clients.

 

Payment and purchase records including invoices, receipts, product purchases, gift voucher transactions, and refunds are retained for seven years from the end of the financial year to meet HMRC requirements and consumer rights protection obligations.

 

Client correspondence including emails, messages, letters, and booking confirmations is retained for seven years for important communications and two years for routine scheduling correspondence.

 

Consent forms for photography, social media content, and data processing are retained for seven years after consent is withdrawn or indefinitely whilst consent remains active and content is in use.

 

Financial and Tax Records

All accounting records including sales and purchase invoices, bank statements, expense receipts, profit and loss accounts, and VAT records (if applicable) are retained for seven years from the end of the relevant financial year to comply with HMRC statutory requirements (minimum six years) and allow for potential tax investigations.

 

Payroll records including PAYE, National Insurance, and pension records (if applicable) are retained for seven years from the end of the tax year.

 

Business and Operational Records

Insurance policies and certificates are retained permanently for current policies and seven years for expired policies and claims because future claims may arise from past work and evidence of continuous coverage may be required.

 

Health and safety records including accident reports are retained for seven years from the incident or until the person reaches twenty-one years old if a child was involved. Risk assessments are kept permanently for current versions and three years for superseded versions.

 

Contracts and agreements with suppliers, partners, or clients are retained for seven years after the contract ends to cover the limitation period for breach of contract claims.

 

Professional development records including CPD logs and certificates are retained for seven years, whilst professional qualifications are kept permanently.

 

Business policies are retained permanently for current versions and seven years for superseded versions to provide evidence of compliance at specific points in time.

 

Marketing and Content Records

Social media and website content is retained whilst active or published plus two years. Consent records for content use are kept for seven years from consent withdrawal. Analytics and marketing materials are retained for three years.

 

Photography and video of clients and horses (with consent) is retained whilst consent is active and content is in use, then seven years after consent is withdrawn or content is removed from publication.

 

 

 

Complaints and Incidents

Complaint records including investigation notes, findings, and resolutions are retained for seven years from resolution for learning, service improvement, and defence against claims.

 

Incident reports are retained for seven years from the incident.

 

Safeguarding records involving children are retained until the child reaches twenty-five years minimum. Safeguarding records involving adults are retained for seven years minimum, possibly longer depending on circumstances, due to the serious nature of such matters.

 

 

Secure Disposal of Records

 

When Records are Disposed

Records are disposed of when the retention period has expired, they are no longer needed for business purposes, they are not subject to legal hold, and the annual review identifies them for destruction.

 

Disposal Methods

Digital records are permanently deleted using secure deletion methods, not just moved to the recycle bin. Cloud storage items are permanently removed and backup copies are also deleted. When disposing of devices, hard drives are wiped or physically destroyed, with professional data destruction services used for highly sensitive data.

 

Physical records containing confidential information are cross-cut shredded. Highly sensitive records use professional shredding services with certificates of destruction. Non-confidential materials without personal data may be recycled. Records are never simply thrown away in regular bins or left in recycling without shredding.

 

Disposal Documentation

We maintain a permanent disposal log recording what records were destroyed, when destruction occurred, the method used, who authorised and carried out the destruction, and the reason for disposal.

 

Subject Access Requests

Under UK GDPR, individuals have the right to request copies of personal data we hold about them. When we receive a subject access request, we verify the requester's identity, search all records for relevant personal data, and provide the information within one month free of charge (unless the request is manifestly unfounded or excessive).

 

See our Privacy Policy for full details on data subject rights.

 

Legal Holds and Litigation

If records may be relevant to current or anticipated litigation, regulatory investigation, insurance claims, or serious disputes, we suspend normal disposal of relevant records and preserve all potentially relevant information until the legal hold is lifted.

 

Responsibilities

Emma (business owner) is responsible for implementing and maintaining this policy, ensuring retention periods are followed, authorising secure disposal, responding to subject access requests, and conducting regular policy reviews.

 

All staff and contractors (if applicable) must follow this retention policy, store records securely, not dispose of records without authorisation, report data breaches, and maintain organised filing systems.

 

Annual Records Review

Every January, we conduct a records review to identify records due for disposal, check for legal holds or ongoing relevance, authorise destruction of eligible records, securely dispose of approved records, and document the disposal in our disposal log.

 

Backup and Business Continuity

Critical business records are backed up regularly through automated cloud storage, external hard drive backups stored securely off-site, and tested restoration procedures. Critical physical documents are scanned and stored digitally with copies kept in separate locations.

 

In the event of data loss or disaster, we restore from the most recent backup, notify affected parties if personal data is compromised, report to the ICO if required under GDPR, and review backup procedures for improvement.

 

 

Data Protection Compliance

Our retention practices comply with UK GDPR principles including storage limitation (personal data kept no longer than necessary), data minimisation (only essential data retained), accuracy (out-of-date data updated or deleted), and integrity and confidentiality (records stored securely and protected).

We incorporate data protection into record-keeping through regular reviews of what data is necessary, automatic deletion procedures where feasible, restricted access to personal data, encryption of sensitive records, and clear communication of retention periods.

 

Policy Review

This policy is reviewed annually (minimum) each January, when legislation changes, after data breaches or incidents, following audit or compliance reviews, and when business operations change significantly.

Updates reflect changes in legal requirements, new record types or business activities, best practice developments, lessons learned from experience, and feedback. Version control is maintained and changes are documented.

 

Contact Information

For questions about record retention, or to submit a subject access request:

📧 Email: emma@thefittedhorse.co.uk
📱 Phone: 07359 205538

For subject access requests, please provide:

  • Your full name
  • Contact details
  • Description of information requested
  • Proof of identity

We will respond within one month.

 

 

Related Policies

This Record Retention Policy should be read alongside our Privacy Policy, Data Protection Policy, Anti-Discrimination and Equal Opportunities Policy, Safeguarding Policy, and Health and Safety Policy.

 

"Keeping the right records for the right time, then disposing of them securely and responsibly."
