What happens to confidential paperwork when businesses close or relocate
Moving office or closing a business generates an enormous to-do list, and confidential paperwork rarely sits near the top of it. That is where things tend to go wrong.
UK GDPR and the Data Protection Act 2018 contain no “business closure” exemption. The rules that govern how you hold, secure and dispose of personal information apply right through to the last box leaving the building, and beyond it if records remain in storage afterwards. Handing back the keys does not end your obligations.
The law does not pause for a relocation
The ICO’s storage limitation principle requires personal data to be kept only for as long as necessary for the purpose it was originally collected. The ICO expects organisations to have defined retention periods, not vague intentions to sort things out at some point. Data that has served its purpose should be erased or anonymised, and keeping it indefinitely just in case is not a compliant approach.
But that principle does not mean everything can be shredded the day you vacate. Tax law, company law and sector regulation all impose their own retention requirements that run independently of when you move or close. GOV.UK guidance states that a limited company must keep accounting records for six years from the end of the financial year they relate to. Employment records, client files and regulated documents will each carry their own timescales on top of that.
In an insolvency the position becomes more specific. The Insolvency Service says a liquidator may destroy a company’s books and records one year after dissolution, but any records subject to other statutory retention requirements must still be held for their full period. Closing the business does not alter the obligations attached to individual categories of document.
The ICO’s security principle is relevant here too, and it covers physical security just as much as cyber security. Records waiting to be destroyed must be stored securely. Disposal must be documented. If a third party handles the destruction, you need a written contract and evidence that disposal actually took place.
Being the controller does not stop at the point of closure. If you still have legal reasons to hold personal data, you are still the controller of that data. Where a company goes into liquidation or administration, the liquidator or administrator steps into those responsibilities. If records are transferring to a buyer or a successor business, that transfer needs a lawful basis, proper documentation and consideration of how individuals are to be informed.
The retain, transfer or destroy decision
Most businesses approaching a closure or relocation do not need a complicated system. They need someone to sit down with the filing and answer three questions: what do we still have to keep, what has to go somewhere else, and what can we legitimately get rid of now?
Retain, transfer, destroy
Records with continuing legal or operational obligations should be boxed, labelled and moved into secure storage in a way that keeps them accessible for however long the retention period runs.
Records that need to move to a buyer, incoming provider or other controller should be transferred under documented authority. The lawful basis, scope and any transparency obligations need to be resolved before the files leave.
Records that genuinely have no further purpose should be isolated for secure confidential waste disposal as soon as that is confirmed. Leaving them to accumulate in an unlocked storeroom while the rest of the move happens around them is precisely the situation that causes problems.
The physical removal of waste has its own requirements. GOV.UK guidance on business waste requires waste to be stored in suitable containers and secured properly. For each load of non-hazardous waste leaving your premises, a waste transfer note is required and both parties must retain a copy for two years. For confidential paper the sequence is: secure containment first, authorised transfer second, destruction third, and recycling only once the information is no longer recoverable.
On-site or off-site shredding for an office clearout
For businesses clearing an office before a move or at closure, the choice usually comes down to on-site or off-site shredding. Neither is inherently better than the other. The ICO does not prescribe one model. What matters is whether the method prevents disclosure, whether the paperwork stays under control throughout, and whether you can demonstrate that with documentation.
| Aspect | On-site shredding | Off-site shredding |
|---|---|---|
| Security | Documents are destroyed at your premises and never leave your sight before shredding. | Documents travel in locked, GPS-tracked vehicles and are processed within a documented chain of custody. |
| Cost | Higher, because a mobile shredding truck attends the site. | Typically 30 to 40% lower, as there is no need for a mobile vehicle visit. |
| Speed | Immediate. A typical clearout of 20 to 30 boxes takes around 45 minutes. | Material is shredded within 24 hours of collection. |
| Suitability | Best where witnessed destruction is required, or where the nature of the documents makes any delay before destruction unacceptable. | Best where cost efficiency matters more and witnessed destruction is not a contractual or regulatory requirement. |
Shredsec’s on-site shredding service brings a mobile truck to your premises and destroys documents before the vehicle leaves your site. The off-site shredding service collects material in locked, GPS-tracked vehicles and shreds everything at a secure facility within 24 hours. Both services operate to DIN Level 3 cross-cut standard. Our guide to shredding security levels explains what that classification means in practice and when a higher level might be appropriate.
Regardless of which service you use, a certificate of destruction should record the collection date, shredding date, weight processed, security level and a destruction reference number. The ICO says organisations should obtain exactly this kind of evidence from third-party providers, and someone in the organisation should check it against what was actually sent.
What landlords, receivers and agents need to know
Property handovers regularly produce paperwork that nobody planned for. A locked filing cabinet that was supposed to be empty. Archive boxes in a cupboard the previous tenant left behind. A drawer full of personnel files at the reception desk. These discoveries are common, and responsibility for them is less clear than most people assume.
The ICO’s position is that responsibility depends on who is deciding what happens to the data, not simply who is physically holding it. A landlord, receiver, administrator or clearance contractor who handles confidential paperwork during a handover does not automatically become the data controller, but they are not outside the picture either.
For insolvency situations the answer is clearer. The closing business remains the controller while statutory retention obligations continue. Once a company is in liquidation or administration, the liquidator or administrator takes over those practical decisions. Any transfer of personal data as part of a restructure or sale needs to be treated as a data-sharing exercise, with lawful basis, security and transparency obligations all addressed.
For everyone else who encounters abandoned paperwork during a handover, the sensible approach is to secure the material, document where it was found, avoid reading more of it than necessary, establish who has authority over it and then make a decision about retention, transfer or destruction. If it leaves the building as commercial waste, duty of care rules apply and an authorised carrier must be used.
Why these mistakes keep happening
The 2023 ICO reprimand of the Ministry of Justice is worth looking at if you want to understand how these failures actually occur. The ICO published the reprimand after 14 bags of confidential waste were found in an unsecured prison holding area accessible to both staff and prisoners. The bags had been sitting there for 18 days. Some had not been properly sealed or shredded. Up to 44 people may have viewed documents containing medical data and security vetting records. The findings pointed to weak storage arrangements, no pre-agreed secure areas, poor disposal processes and inadequate staff awareness.
The Ministry of Justice is not a small organisation operating without resources. The problem was not ignorance of data protection law. It was the gap between having a policy and actually managing the physical logistics of confidential waste during a busy operational period.
The same gap appears in most closure and relocation failures. Confidential files go into a general skip because someone assumed it was acceptable. Archive boxes sit exposed while contractors work around them. A disposal provider is engaged without a written contract because there was no time to arrange one. The certificate of destruction is filed without anyone checking what it actually covers.
None of these are dramatic failures. They are what happens when document security is treated as someone else’s problem during a very busy week.
A practical checklist before you hand back the keys
Someone needs to own the records workstream before a move or closure, running it as a parallel project alongside the logistics rather than as a last-minute task.
Before the handover date, review all retention obligations across tax, accounting, employment and any sector requirements. Physically separate retain, transfer and destroy material rather than leaving everything commingled in unlabelled boxes. Use locked consoles or sealed sacks for destruction material and keep a log of what has been sent and when. Confirm that the written contract with your shredding provider is in place and that you will receive a certificate of destruction to check against your own records.
If your business is continuing in some form after the move, or if you are still holding personal data during a winding-up period, your obligations as controller continue. Vacating the premises does not end your responsibilities.
For a one-off clearout ahead of a move, Shredsec provides document destruction at short notice with no minimum volume. If you have a steady flow of confidential waste in the weeks before a move, a regular shredding contract can be arranged on a rolling basis. Our frequently asked questions page covers what a certificate of destruction includes and how the chain of custody works from collection through to recycling.
Arrange your clearout
If you are planning a relocation, winding down a business or managing a property handover that has produced confidential paperwork, contact Shredsec to talk through your requirements. We provide confidential waste disposal across London, East Anglia and the East Midlands, with certificates of destruction for every job and no minimum volume.
This article is general information and is not legal advice.
Contact Shredsec to discuss your shredding requirements.