Data retention

Explains how to carry out an audit to check what personal data your school holds. You can use a data retention schedule to document how long you'll keep different types of data for.

The Data Protection Act 2018 and UK GDPR says you should only keep data for as long as you need it. You should check each year what data you hold and if you still need to keep it.

If you identify any information you no longer need, you should dispose of it safely.

It’s important to put in place policies and measures so you can prove and evidence that you’re not keeping data for longer than necessary.

Develop a data retention policy

Your data retention policy should explain how long you need to keep information. It should set out:

  • why you’re holding this data
  • your justification for keeping the data
  • the lawful basis for processing and keeping the data
  • if you’ll pass this data on and, if so, once you’ve passed it on, if you need to keep it
  • the steps you’ll take when you destroy any personal data

A good data retention policy includes how long you’ll keep data items within the different areas of administration of school life. For example, you may need to keep pupil names in your safeguarding system longer than in your catering system.

When setting a data retention policy, consider:

  • why you’re holding this data
  • if there’s a legal duty to keep the information for a set period of time
  • whether you’ll need to share the data and, if so, whether you need to keep it after sharing it
  • if it’s more appropriate for another organisation such as the local authority to keep the information in the long term
  • if you’ll need the data to meet Ofsted’s requirements
  • whether you can delete or depersonalise some of the information
  • if you have a justification to keep the data

Carry out a personal data audit

You should carry out an audit of all the personal data you hold each year to check it is up to date and still needed. You must not keep any data longer than is necessary.

As part of your audit, include pupil and staff data in:

  • paper records
  • databases
  • online systems
  • videos and photos

Reviewing the personal data you hold will help you to identify what data you need to:

  • keep
  • destroy
  • change from a paper format to an electronic format
  • keep for research or litigation purposes

Consider grouping your data items about pupils into these areas:

  • admissions
  • attainment
  • attendance
  • behaviour
  • exclusions
  • personal identifiers, contacts and pupil characteristics
  • identity management and authentication
  • catering and free school meal management
  • trips and activities
  • medical information and administration
  • safeguarding and special educational needs

Document the decision you make against each data item. Find out how to create a record of processing activity.

Share the results of your audit with your school leaders, governors and trustees. They are responsible for making sure the school is compliant with the Data Protection Act 2018 and only keeps data it needs.

Create a data retention schedule

Once you have your list of data item groups, consider creating a data retention schedule. This should state how long you’ll hold certain types of personal data before destroying it.

How long you keep different types of data will depend on whether you’re keeping it for operational needs or to comply with legal requirements.

IRMS has published a toolkit for academies and a toolkit for schools. It includes more guidance about information management. The toolkits also give recommended retention periods for personal data.

Depersonalise personal data

As data becomes older, there are steps you can take to keep data about pupils for analytical purposes. Before deleting the data completely, remove names and personal identifiers. For example, once the pupil has left your school, you could remove their name and date of birth. This will remove some of the risks around personal data. It will also allow you to use it for long-term analysis of trends.

Another option is to replace the personal information with non-personal identifiers. For example, you could replace the:

  • name with a random ID
  • date of birth with year of birth
  • postcode with locality or town name

For some records, you may only need to keep summary statistics.

Dispose of personal data

When records have reached the end of their retention period, data must be disposed of securely and confidentially.

All records containing personal information or sensitive policy information must be made either unreadable or so you cannot reconstruct it.

Your data retention policy must include your procedures for safely destroying personal data. All staff should be aware of these procedures to help prevent any data breaches.

Do not dispose of records with the regular waste or in a skip.

You should:

  • shred paper records using a cross-cutting shredder, or get an external company to shred them
  • destroy storage media and hard disks to particles no larger than 6mm
  • dismantle and shred audio and video tapes

If you use an external company to destroy records, it must:

  • shred all records on-site in the presence of an employee
  • be able to prove that the records have been destroyed and provide a certificate of destruction
  • have trained its staff in the handling of confidential documents

The Freedom of Information Act 2000 requires you to maintain a list of records that have been destroyed and who authorised their destruction.

  1. A senior leader has approved the record to be destroyed.

  2. You must document the destruction. Record a brief description of the data, the number of files and who authorised the destruction.

  3. Shred the records as soon as you’ve documented them as having been destroyed.

Further guidance is available on record keeping and retention for academies and academy trusts.