Kosh
DATA AND RECORD RETENTION POLICY
Revision History
Version: 1.0
Date of Version: 12-01-2024
Created By: Vaibhavi Singh
Reviewed By: Abhishek Pathak
Approved By: Aayush Goel
Document Classification: Internal
Version No. | Revision Date | Description of Change | Author | Reviewer | Approver
1.0 | 12-01-2024 | Initial Release | Vaibhavi Singh | Abhishek Pathak | Aayush Goel
1) SCOPE
The scope of this policy is applicable to all information, data and records, whether in electronic or
non-electronic form, which are created, stored, retained, exchanged and disposed by Kosh.
2) PURPOSE
To ensure storage and retention of information, data and records as per contractual and legal
requirements and protection from loss, falsification, destruction, unauthorized access and
unauthorized release.
3) TERMS AND DEFINITIONS
Following is an explanation of various terms used within this document –
Kosh: Adhikosh Financial Advisory Private Limited
ISMS: Information Security Management System
Information Security: Confidentiality, Integrity, Availability of information.
CEO: Chief Executive Officer
LT: Leadership Team
ISG: Information Security Group
Information: Meaningful Data
Electronic Data: Emails, Database, Files, Scanned Images, Data in storage devices such as
Hard Disks, USB Drives, Tapes etc.
Non-Electronic Data: Hard Copy Documents, Printed Documents.
Record: Can be paper files, electronic documents, correspondence (including letters, faxes
and emails) and data used in business applications and databases.
Retention: Records retention is the term applied to the safeguarding of important records that
document decisions, policies, financial activities and internal controls. A retention period is an
aspect of records that identifies the duration of time for which the information should be
maintained or "retained," irrespective of format (paper, electronic, or other).
Archival: Archival means the process of taking records that are no longer actively utilized and
separating them from active records. For hard-copy records this usually means moving them
to an offsite storage facility. For digital records, archiving may involve updating the status or
moving the record to separate data storage.
4) RESPONSIBILITIES
The primary ownership of implementing this policy is with All Departments and Teams
handling Data and Records.
The ISG shall implement this Procedure under guidance of Leadership Team and in
coordination with Department Heads.
5) POLICY
5.1) Identification and Classification of Data and Records
All Departments shall identify the data and records which are created or handled by them.
All data and records, which belong to Customers, External Person, Entity or Organization
shall also be identified under External Origin Data or Records.
Organizational Classification shall be applied to all types of Data and Records as below. For
more details, refer to the concerned Policy / Procedure as per the Reference section.
Confidential
Internal Use
Public
External Origin
All types of data and records, existing within Kosh, shall be identified and documented within
prescribed format along with Custodian information and classification applied to the same.
(Ref: Data and Records Register)
5.2) RETENTION PERIOD OF DATA AND RECORDS
The retention period for each type of data and record shall be defined and applied by the
concerned Department who creates or handles the data or record.
While deciding the retention period, the following sequence shall be followed –
Check Statutory or Regulatory or Legislative requirement of retention for each type of
Data or Record,
Check if any Contractual requirement exists for retention of each type of data or record,
Check Organizational policy about retention of data or records,
Select the highest applicable retention period and apply to concerned data or record.
In case of externally provided data or records, which are provided by an external person or
entity, the retention period as specified by the external person or entity shall be referred to in
addition to the above listed sequence.
The retention period defined and applied for each type of data and record shall also be
applied to the backups / archival of concerned data or record.
Electronic and Non-electronic data and records shall be appropriately archived during the
retention period.
The retention period, once applied to any data or record, shall not be changed without prior
approval from InfoSec Team.
The retention period, for all types of data and records within Kosh, shall be defined and
documented in prescribed format. (Ref: Data and Records Register)
5.3) PROTECTION OF DATA AND RECORDS
Access to each type of Data or Record shall be provided on the basis of the classification applied
to such data or record.
The access provision and revocation to all types of data and records shall be governed by
corresponding policies as listed in the Reference section.
Risks for electronic and non-electronic data and records shall be assessed and mitigation
controls shall be put in place to protect the data and records.
Physical (non-electronic) data and records shall be protected from loss or damage.
Environmental and natural factors such as fire, water, corrosion, pests etc. shall be
considered while applying controls for protection. Similarly, man-made disasters such as theft,
misplacement, destruction etc. shall also be considered while applying protection.
Electronic data and records shall be protected from unauthorized access, theft, disclosure,
corruption, changes, destruction etc. Adequate provisions about backup and redundancy of
data and records shall be made in case of disasters.
5.4) DISPOSAL OF DATA AND RECORDS
Data and records, when no longer required or at the end of retention period, shall be
destroyed or disposed securely to avoid any unauthorized access.
All non-electronic (physical) data and records shall be destroyed using paper shredders and
the trash shall be carefully disposed.
All electronic data and records shall be disposed / destroyed using secure controls such as –
Degaussing or Physical Destruction of Hard Disks
Physical destruction of Tapes
Physical destruction of Optical Storage Disks, Flash Drives etc.
Delete + Purge of Electronic Data and Records
In case of rented or leased systems, secure wiping / formatting of Hard Disks and
Media before returning them
Wherever the data and records are provided by or originate from an external person or entity,
the same shall either be returned to the originator at the end of the retention period or
destroyed using secure methods as mentioned above.
The destruction or disposal of data or records shall also be applied to backup or archived
copies at the end of retention period.
Records of destruction / disposal of Personal Data / PII / Confidential Information shall be
retained by concerned Department for future audits and reference.
6) REFERENCE
Template – Data and Records Register
Data & Document Classification Policy
Access Control Policy
Compliance Register
Records of data and information disposal / deletion.