Security firms: destroying screening and incident reports
A private security firm or investigation agency processes data that is all about trust: screening documents of staff, incident reports, access logs, CCTV footage and sometimes investigation files. An organisation that guards the safety of others should above all have its own data housekeeping in order. This guide shows, by type of data, what you keep, when it may go and how to destroy it confidentially.
The quick answer: the administration you keep for seven years for the tax retention obligation. Screening data and CCTV footage you keep as briefly as possible, CCTV footage in principle a maximum of four weeks. Incident reports you keep until they are handled and limitation has expired. What may go disappears confidentially and with a certificate.
Why a security firm should set the example
A security firm works under the rules for private security organisations and investigation agencies. Staff are screened and the firm gets access to sensitive places and situations. That creates a heightened expectation: an organisation that sells safety should manage and destroy its own files exemplarily. An old screening file or incident report that ends up on the street is extra damaging for this industry in particular.
In addition, security files often contain information about third parties: visitors, suspects in an incident, people on CCTV footage. Those people did not hand over the data themselves, which makes care even more important. So do not keep longer than necessary and destroy at the right level.
Retention periods by type of data
The period differs per type of data. The overview below gives the main line. Count the tax period from the end of the financial year and the other periods from completion or the end of employment.
| Type of data | Starting point | Period |
|---|---|---|
| Administration and invoicing | Tax retention obligation | 7 years |
| Screening documents (conduct, ID) | As briefly as possible, purpose-bound | clear out after screening |
| Personnel files | Own periods per part | see HR rules |
| Incident reports | Until handling and limitation | purpose-bound |
| CCTV footage | Limited retention | in principle 4 weeks |
| Access logs | As briefly as possible | purpose-bound |
Use this as a guideline, not a final legal ruling. When in doubt about a specific file, consult your data protection officer or legal adviser. The tax side is in the 7-year tax retention obligation.
Screening data and the certificate of conduct
To screen staff you process documents such as a certificate of good conduct and a copy of the identity document. This data is sensitive and should be kept as briefly as possible. As soon as the screening is completed and the purpose has been served, you clear it out, unless a legal ground requires keeping it longer. Keeping just in case is not a valid ground.
Keep screening data recognisably separate from the rest of the personnel file. That way you can clear it out specifically without the whole file suffering. The copy of the identity document also has its own tax rules, as described in our broader explanation of retention periods.
CCTV footage and incident reports
CCTV footage is a separate category with a short retention period. In principle you keep footage for a maximum of four weeks, and longer only if it shows a concrete incident still being handled. After that the footage is erased or, if physical recording carriers are involved, destroyed. You read more about that in how long to keep CCTV footage.
Incident reports you keep until the incident has been fully handled and any limitation period has expired. Such a report often contains data of third parties and sometimes a description of behaviour, which makes it sensitive. As soon as the purpose lapses, you clear it out confidentially, not into the paper bin.
How to handle it in 6 steps
- Split the file into administration, screening, personnel and incidents.
- Clear out screening data as soon as the screening is completed.
- Erase CCTV footage after the retention period or destroy the carriers.
- Assess incident reports for handling and limitation.
- Collect what may go in sealed containers, not in the paper bin.
- Have it destroyed confidentially with a certificate and record it in your register.
Destroy confidentially with a certificate
Security files are destroyed confidentially, because they contain screening data, data of third parties and sometimes sensitive reports. The paper and the data carriers, including old recording carriers and hard drives of CCTV systems, travel sealed and stay that way until destruction, so the chain is closed.
Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof towards the GDPR and fits the exemplary conduct that may be expected of a security firm. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; it works by appointment through collection.
Security files to be destroyed?
Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.
Request a quoteCommon mistakes
- Keeping screening data too long. A conduct certificate and ID copy should be kept as briefly as possible.
- Keeping CCTV footage indefinitely. The retention period is in principle four weeks.
- Keeping incident reports just in case. After handling and limitation the purpose lapses.
- Forgetting recording carriers. Old hard drives of CCTV systems still contain footage.
- Keeping no proof. Without a certificate you cannot demonstrate the destruction.
Frequently asked questions
How long does a security firm keep screening data?
Screening data such as a certificate of good conduct you keep as briefly as possible and tied to the purpose. After the screening is completed or employment ends you clear it out, unless a legal ground requires keeping it longer.
How long may I keep CCTV footage?
In principle you keep CCTV footage for a maximum of four weeks, longer only for a concrete incident still being handled. After that it is erased or the carriers destroyed.
How long do I keep incident reports?
Until the incident has been fully handled and any limitation period has expired. After that the purpose lapses and you clear the report out confidentially.
How do I destroy security files in line with the GDPR?
Confidentially and with a certificate of destruction. Paper and data carriers travel sealed and the destruction is recorded in the record of processing.
Conclusion
A security firm should have its own data housekeeping in order, precisely because it sells trust. Keep the administration seven years, clear out screening data as soon as the screening is completed, erase CCTV footage after the short retention period and handle incident reports. What may go you have destroyed confidentially with a certificate as proof. That way you set the example that suits the industry and stand with proof in hand in an audit.
Read also: energy and utilities: destroying customer data, funeral directors: destroying records confidentially, how long to keep CCTV footage and the GDPR retention periods cheatsheet.
Have security files collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.