A M Water Services Ltd — Integrated Management System

SOP 4.7 Control of Records

Issue 3 | 1 May 2026
Document ReferenceSOP_4.7
Issue Number3
Issue Date01/05/2026
Next Review01/05/2027
Approved ByAaron Mason, Director
Controlled ByAaron / Leanne Mason · Sean Ashton

Control of Records

ISO 9001:2015 Clause 7.5.3 · ISO 14001:2015 Clause 7.5.3 · ISO 45001:2018 Clause 7.5.3 — Control of documented information; protection, retention and disposal of records

Procedure overview
A M Water Services keeps every record legible, indexed, protected against loss or unauthorised access, and retained for at least its minimum statutory or contractual retention period. Records cover three populations with slightly different controls: file records (paper or scanned office records, indexed by content and project); electronic records (data backed up regularly to cloud storage with retrieval testing to confirm the back-up works); and personal data (employee details, customer details — protected under the Data Protection Act 2018 / UK GDPR with access limited to the Director (Finance & Admin) and the Managing Director). The Director (Finance & Admin) is the records custodian. Records that have exceeded their retention period are sanctioned for disposal by the Directors and disposed of by an appropriate method (shredding for paper, secure deletion for electronic, specialist disposal for confidential or contractually-controlled records).

Control of Records — Process Flow

File Records
Director (Finance & Admin)
Leanne Mason
Index, Retain & Dispose
Set up new files to store records; ensure all entries are legible and maintained
Identify files by content and use indexing to separate different record types in the same file
Retain records for at least the minimum statutory or contractual retention period
Archive records when files become full or unmanageable; clearly label by content / project / contract number
Sanction disposal of records that have exceeded the retention period; choose method (shred / secure deletion / specialist disposal)
Electronic Records
Director (Finance & Admin)
Leanne Mason
Back Up & Verify
Save data from local hardware to cloud storage on a regular basis
Identify back-up media; store in protective environment, separate from the source PC / device
Back up company records to main cloud storage system(s)
Undertake regular retrieval test on back-up data to confirm restorability
Personal & Customer Data
Aaron Mason (MD)
Leanne Mason (Director)
Protect (DPA / UK GDPR)
Employee personal details protected under the Data Protection Act 2018 / UK GDPR; not transferred or disclosed to outside parties without lawful basis
Sensitive personal data managed by the Director (Finance & Admin) per the Data Protection Policy
Customer information held in secure location, accessed only by the Managing Director or by named delegate
Records protected against damage, deterioration, loss and unauthorised access
Process / Activity
Document / Cross-reference
Verification / Compliance
Minimum retention periods (BMS, regulatory and contractual)
Records are retained for at least the longest applicable period from the table below. Where a record falls under multiple categories, the longest period applies.
Record categoryMinimum retentionSource
Accident / RIDDOR records, accident book entries3 years from date of last entryRIDDOR 2013 reg. 12
Health surveillance records40 years from date of last entryCOSHH 2002, Control of Asbestos Regs 2012
Asbestos exposure records40 yearsControl of Asbestos Regulations 2012
Risk assessments & method statements (in force)Indefinite while in force + 3 yearsMHSWR 1999
BMS management records, IA reports, customer complaints, corrective actions7 yearsISO 9001 / 14001 / 45001 expectation
Training certificatesLifetime of employment + 3 yearsHSE expectation
Employment records6 years after employment endsLimitation Act 1980
Financial records (HMRC)6 yearsCompanies Act 2006
Customer / client contract recordsPer contract terms or 6 years minimumLimitation Act 1980

Related Documents

R
MDRI
Master Document & Record Index
R
APP_10
Legal & Compliance Register
P
SOP 4.6
Document Control
P
SOP 8.1
Accident, Incident & Near Miss Reporting
P
SOP 8.7
Health Surveillance
P
SOP 8.14
Asbestos
P
POL_HSQE_09
Data Protection Policy