Records Management & Retention Policy

Status: v1.0
Tier: Tier 1 – Core Corporate & Platform Policy
Owner: Governance and Compliance Function
Approval Authority: Board of Directors
Effective Date: 5 January 2026
Next Review: 12 months from approval

1. Purpose

This policy defines how Global Talent Pathway creates, stores, retains, accesses, and disposes of records to ensure lawful, secure, and consistent information management.

Its purpose is to:

  • support compliance with privacy, security, and regulatory obligations,

  • ensure records are available when required,

  • reduce unnecessary data retention and risk,

  • enable defensible deletion and destruction practices, and

  • support audits, investigations, and dispute resolution.

2. Scope

This policy applies to:

  • all records created or received by Global Talent Pathway,

  • all formats (digital, physical, audio, video, system logs),

  • all systems, platforms, and repositories,

  • all staff, contractors, consultants, and representatives,

  • all jurisdictions in which Global Talent Pathway operates.

3. Policy Statement

Global Talent Pathway manages records in a structured, secure, and risk-based manner.

Records are:

  • created only where necessary,

  • retained only for defined and lawful purposes, and

  • securely disposed of when no longer required.

4. What Is a Record

A record is any information created, received, or maintained by Global Talent Pathway that:

  • documents a decision, transaction, activity, or obligation, or

  • is required to be retained by law, policy, or contract.

Records include, but are not limited to:

  • candidate and worker records,

  • identity and verification documents,

  • employer and supplier records,

  • contracts and agreements,

  • complaints, disclosures, and investigation files,

  • financial and transactional records,

  • system and security logs,

  • Board and governance records.

5. Record Creation and Quality

Records must be:

  • accurate and complete,

  • created in a timely manner,

  • attributable to a responsible person or system,

  • stored in approved systems or repositories.

Unofficial or duplicate records should be avoided.

6. Access and Security

Access to records is:

  • role-based,

  • restricted to authorised persons,

  • logged and monitored where appropriate.

Records containing personal, sensitive, or confidential information must be handled in accordance with:

  • the Privacy Policy,

  • the Information Security Policy.

7. Retention Principles

Records are retained:

  • for as long as required to meet legal, regulatory, contractual, operational, or audit needs,

  • no longer than reasonably necessary once those needs have been met.

Retention periods are:

  • defined by record type,

  • documented in a retention schedule maintained by the Governance and Compliance Function,

  • reviewed periodically.

8. Indicative Retention Categories

Retention periods vary by record type and jurisdiction. As a general guide:

  • Candidate and worker records: retained for a defined period after last activity to support compliance, integrity, and dispute resolution.

  • Identity and verification materials: retained only as long as necessary to complete verification and meet compliance obligations.

  • Employer and supplier records: retained for the duration of the relationship and a defined period thereafter.

  • Complaints, disclosures, and investigations: retained to support accountability, legal defence, and trend analysis.

  • Financial and transactional records: retained in accordance with accounting and tax requirements.

  • System, access, and security logs: retained for security monitoring, audit, and incident response purposes.

  • Board and governance records: retained permanently or as otherwise required by law.

Specific retention periods are set out in the Records Retention Schedule.

9. Legal Holds and Suspension of Disposal

Where records are subject to:

  • litigation,

  • investigation,

  • audit,

  • regulatory inquiry,

normal disposal processes are suspended.

Records subject to a legal hold must not be altered or destroyed until the hold is lifted.

10. Disposal and Destruction

Records are disposed of when:

  • retention requirements are met, and

  • no legal hold applies.

Disposal must be:

  • authorised,

  • documented,

  • secure and irreversible.

Methods may include:

  • secure deletion,

  • de-identification,

  • physical destruction.

11. Backup and Archival Systems

Records may exist temporarily in backup or disaster recovery systems.

Backups:

  • are used for system restoration only,

  • are not primary records,

  • are overwritten in accordance with defined cycles.

Deletion from active systems does not imply immediate deletion from backups.

12. Responsibilities

Governance and Compliance Function

  • Maintain the retention schedule.

  • Provide guidance on record handling and disposal.

  • Approve destruction where required.

Staff and Representatives

  • Create and manage records appropriately.

  • Store records in approved systems.

  • Not destroy records outside authorised processes.

13. Monitoring and Audit

Compliance with this policy may be:

  • monitored through audits,

  • reviewed during investigations,

  • assessed during regulatory or procurement reviews.

14. Breaches

Failure to comply with this policy may result in:

  • disciplinary action,

  • contractual consequences,

  • other remedial action.

15. Relationship to Other Policies

This policy operates alongside:

  • Privacy Policy,

  • Information Security Policy,

  • Data Breach Response Procedure,

  • Complaints Policy,

  • Whistleblower Policy.

In the event of inconsistency, Tier 1 policies prevail.

16. Review

This policy will be reviewed annually and updated as required.