| Document Number | POL-GL-COM-DATARD-V1.0 |
| Target audience | InfoSec, DevSecOps, DevOps, GRC, IT Ops, Legal & Privacy |
| Effective Date |
Cover page layout
This policy defines the principles, responsibilities, retention schedules, and disposal requirements governing the lifecycle of LEAP information assets. It mitigates risks of non-compliance with regulatory, legal, contractual, and audit obligations, and aligns with business, privacy, and security objectives across all LEAP entities.
This policy applies to all LEAP data assets regardless of format or location, including:
Covered data includes, without limitation: Intellectual Property (IP), customer and employee Personally Identifiable Information (PII), Personal Health Information (PHI), Cardholder Data (CHD), Business-Sensitive Information (BSI), financial records, logs, audit trails, and product/system configurations.
It covers all LEAP employees, contractors, vendors, and partners who create, store, process, or dispose of LEAP information assets, across all LEAP legal entities and operating regions.
| Term | Definition |
|---|---|
| Data Owner | The accountable business leader for a dataset who defines, documents, and enforces retention and disposal requirements for their information asset |
| Data User | Any person or system accessing, processing, or storing LEAP data under authorisation of the Data Owner. |
| Record | Information created or received and maintained as evidence of activities and obligations (e.g. contracts, invoices, audit logs, security events). |
| Retention | The mandated period a record or dataset must be preserved in accessible form to meet legal, regulatory, contractual, or business requirements. |
| Disposal | The irreversible, secure destruction or deletion of data once the retention period ends, including removal from backups where feasible and required. Must be verifiable and auditable |
| Legal Hold | A suspension of normal disposal processes due to litigation, regulatory investigation, or internal audit. Overrides all retention schedules. |
| RTO / RPO | Recovery Time Objective / Recovery Point Objective |
| Data Classification | LEAP's framework for categorising information by sensitivity (e.g. Public, Internal, Confidential, Restricted/Sensitive), which governs applicable controls. |
| Certificate of Destruction | Written evidence from an authorised party confirming irreversible disposal of a media asset or dataset. Required for Confidential and above classifications. |
| Role | Responsibilities |
|---|---|
| CISO | Policy Owner. Accountable for policy maintenance, review, and enforcement. Reviews data lifecycle risk posture at management review |
| Data Owners | Classify data and document legal, regulatory, and contractual retention and disposal requirements. Approve system-level retention configurations. Coordinate with Legal on legal holds and with GRC on audits and policy reviews. |
| GRC / Information Security | Maintain this policy and map controls to ISO 27001 Annex A and SOC 2 Trust Services Criteria. Monitor adherence, conduct periodic reviews, and coordinate evidence for certification audits. |
| IT Operations / DevOps / Infrastructure | Implement and maintain technical retention and disposal controls across infrastructure, SaaS, endpoints, and backups. Operate secure media sanitisation and destruction processes. Retain certificates of destruction. |
| Legal | Advise on statutory and contractual retention obligations. Trigger, manage, escalate, and release legal holds. Ensure disposal processes honour applicable privacy rights |
| All Staff / Data Users | Handle data consistent with its classification and applicable retention and disposal rules. Report suspected policy breaches to GRC. |
Operational requirements:
| Data/Record Type | Owner/System of Record | Retention Period | Trigger/Event |
|---|---|---|---|
| General Ledger, Annual Audit Reports, Financial Statements, Board Minutes, Chart of Accounts | Finance | Permanent | Creation/Approval |
| Accounts Payable/Receivable Ledgers & Schedules, Bank Statements, Insurance Records, Risk Assessments, Internal Audit Reports, Employee Payroll, Contractor Payments, Employee Expense Reports | Finance, Risk | Seven years | Fiscal year end, Report issuance |
| Contracts and Leases | Legal, Procurement | Seven years after expiration | Contract end/termination |
| Legal Correspondence, Legal Files/Papers | Legal | Permanent (correspondence), Seven years after matter close (files) | Matter closure |
| Emails (internal/external business records) | All Functions, M365 | Two years (baseline) | Message date |
| Electronic Documents (business records) | SharePoint/OneDrive/Confluence | Aligned to record type | As per classification |
| Business-Sensitive Information (BSI) not above | Respective Owners | As defined by Owner, typically 3--7 years | Business event |
| PII and PHI (employees, customers, third parties) | HR, Product, Support | For as long as a business purpose or legal requirement exists | Employment end, contract end, purpose fulfilled |
| Cardholder Data (CHD) | Payments/Finance | Minimum necessary, delete when no longer required | Transaction/Settlement complete |
| System Logs and Audit Trails | IT/DevOps/SecOps/Infra | Per control needs | Log creation |
| Backups (AWS resources, databases, snapshots) | DevOps | Per backup policy | Backup creation |
Exceptions in this policy will be risk-assessed by LEAP's Leadership Committee with valid business justification and Policy Owner's approval. Exceptions will be time bound
Any LEAP employee, contractor, third-party found to have violated any part of this policy may be subject to HR disciplinary action, up to and including termination of employment
Compliance with this policy will be monitored through periodic reviews, audits, and management oversight.
This policy is an organisational record. A copy of LEAP security policies is made available to all staff/business units currently employed, or when they join LEAP. Employees requiring further information on any aspects of this Policy should discuss their needs with Trust at LEAP Legal Software trust@leaplegalsoftware.com. Any changes or updates to the policy are immediately communicated to Team Governance, Risk and Compliance (GRC).
| Version Number | Date | Section Changes | Author | Approver |
|---|---|---|---|---|
| 1.0 | <<enter date>> | Initial Release | Manager of GRC | CISO |