ATTICS International Document Retention and Secure Storage Policy

Document Number

ATTICS-POL-008

Version Number

1.0

Document Control

DC08

Effective Date

06-01-2026

Document Status

Approved

Approval Date

06-01-2026

ATTICS International Document Retention and Secure Storage Policy

These policies are developed exclusively for ATTICS International. Any copying, sharing, or reuse without written consent is not permitted.

Purpose

ATTICS International is committed to maintaining accurate, reliable, and secure records to support service integrity, regulatory compliance, accreditation requirements, and stakeholder confidence.

The purpose of this policy is to define the principles and procedures for document creation, retention, storage, protection, retrieval, and disposal, ensuring confidentiality, integrity, availability, and traceability of all records.

Scope

This policy applies to:

  • All ATTICS International employees, management, and representatives
  • Auditors, trainers, assessors, inspectors, and laboratory personnel
  • Approved centres and external partners handling ATTICS International records

It covers all document types including:

  • Quality management system documents
  • Audit, inspection, testing, and calibration reports
  • Training, assessment, and examination records
  • Certification and qualification records
  • Client contracts and correspondence
  • Complaints, appeals, and investigation records
  • Financial and administrative records
  • Personnel records
  • Digital and physical records

International Legal Considerations

Retention periods are established to comply with the most stringent requirements across all jurisdictions where ATTICS International operates, ensuring global compliance without reference to specific national legislation, with particular attention to GDPR requirements for personal data and ISO standards for technical records.

Policy Statement

ATTICS International shall:

  • Retain documents for defined periods to meet legal, regulatory, accreditation, and operational needs
  • Store records securely to prevent loss, damage, unauthorized access, or alteration
  • Ensure controlled access to sensitive and confidential documents
  • Maintain backup and disaster recovery measures
  • Dispose of records securely at the end of retention periods

Document Classification

Documents are classified as:

Confidential / Restricted

(e.g., examination papers, assessment results, client data, personnel records)

Controlled Internal Documents

(e.g., procedures, manuals, audit reports, internal communications)

Public Documents

(e.g., published policies, marketing materials, website content)

Retention Periods

Retention periods are defined based on legal and accreditation requirements. Typical minimum retention periods include:

  • Certification and examination records: 5–10 years
  • Laboratory and calibration test records: 5–10 years
  • Audit and inspection reports: 5 years
  • Complaints and appeals records: 5 years
  • RPL and assessment evidence: 5 years
  • Personnel and contract records: Duration of engagement + 5 years
  • Financial records: 7 years

(Exact retention durations are detailed in the ATTICS International Record Retention Schedule.)

Retention Schedule Maintenance

The ATTICS International Record Retention Schedule is reviewed annually and updated to reflect changes in international standards, accreditation requirements, and legal developments, with version control and change history maintained to demonstrate ongoing compliance.

Secure Storage Controls

Physical Records

  • Stored in locked cabinets or secured archive rooms
  • Access limited to authorized personnel
  • Fire and environmental protection measures applied

Electronic Records

  • Stored on secure servers or encrypted cloud systems
  • Password-protected and access-controlled
  • Regular data backups
  • Antivirus and cybersecurity protection

Cloud Storage Security Requirements

All cloud-based document storage solutions must provide end-to-end encryption, data residency controls allowing selection of geographical storage locations, audit trails of access and modifications, and certification against ISO 27001 or equivalent information security standards.

Access and Retrieval

  • Only authorized personnel may access controlled documents
  • Document retrieval shall be logged where required
  • Confidential documents shall not be shared without proper authorization

Data Protection and Confidentiality

All document handling complies with:

  • ATTICS International Data Protection Policy (GDPR aligned)
  • Confidentiality agreements
  • Applicable national and international data protection laws

Secure Disposal

At the end of retention periods:

  • Paper records shall be shredded or incinerated securely
  • Electronic records shall be permanently deleted
  • Disposal actions shall be logged

Certificate of Destruction Process

For confidential documents, a Certificate of Destruction is issued following secure disposal, documenting the date, method, personnel involved, and specific records destroyed, with certificates retained for three years as evidence of compliance with data protection principles.

Backup and Disaster Recovery

ATTICS International maintains:

  • Regular data backup schedules
  • Secure off-site or cloud backup systems
  • Disaster recovery procedures to restore records if lost

Recovery Time and Point Objectives

Document recovery objectives are defined as Recovery Time Objective (RTO) of 24 hours for critical records and Recovery Point Objective (RPO) of 24 hours, verified through annual disaster recovery testing with results documented in management review records.

Responsibilities

Top Management

  • Approve document retention policy
  • Provide resources for secure storage systems

Quality / Document Control Manager

  • Maintain document registers
  • Monitor compliance with retention schedules

All Personnel

  • Follow document handling procedures
  • Protect confidential information
  • Report any record loss or breach immediately

Monitoring and Review

Document management processes are reviewed through:

  • Internal audits
  • Accreditation assessments
  • Management review meetings

Compliance with International Standards

This policy aligns with:

  • ISO 9001:2015 – Documented information control
  • ISO/IEC 17024:2012 – Certification record retention
  • ISO/IEC 17025 – Laboratory record traceability
  • ISO 21001:2025 – Educational record management
  • GDPR – Personal data protection

Related Documents


This policy should be read in conjunction with:

  • ATTICS International Quality Management System Manual
  • Applicable ISO standards referenced herein

Distribution


This policy is distributed to all employees via the company intranet and is available to stakeholders upon request. All personnel are responsible for reviewing and complying with the latest version available in the document management system.

Approved By: Mr. Zaib Ali

Authorized Position: Head of Operations

Signature:

zaib signaure

Date: 06-01-2026