How to develop a data retention schedule

A data-retention schedule can help your school document how long you keep different types of data for which can save endless confusion and keep you GDPR-compliant – here is how best to develop one 

CREDIT: This is an edited version of an article that originally appeared on gov.uk

The Data Protection Act 2018 and UK GDPR says you should only keep data for as long as you need it. You should check each year what data you hold and whether you still need to keep it; if you identify any information you no longer need, you should dispose of it safely.

It’s important to put in place policies and measures so you can show evidence that you’re not keeping data for longer than necessary – and a data retention policy is a great way to do this. Your data retention policy should explain how long you need to keep information and should set out:

  • why you’re holding the data – and is there a legal duty to keep the information for a set period of time?;
  • your justification for keeping the data;
  • the lawful basis for processing and keeping the data;
  • whether it’s more appropriate for another organisation, such as the local authority, to keep the information in the long term;
  • if you need to keep it – can delete or depersonalise some of the information?
  • whether you intend to pass this data on and, if so, whether you need to continue to keep it once you’ve passed it on;
  • whether youl need the data to meet Ofsted’s requirements;
  • the steps you’ll take when you destroy any personal data to carry this out safely.

A good data retention policy includes how long you’ll keep data items within the different areas of administration of school life – for example, you may need to keep pupil names in your safeguarding system longer than in your catering system. When setting a data retention policy, consider:

Carrying out a personal data audit

You should carry out an audit of all the personal data you hold each year to check it is up-to-date and still needed – remember, you must not keep any data longer than is necessary. As part of your audit, include pupil and staff data in:

  • paper records;
  • databases;
  • online systems;
  • videos and photos.

Reviewing the personal data you hold will help you to identify what data you need to:

  • keep;
  • destroy;
  • change from a paper to an electronic format;
  • keep for research or litigation purposes.

Consider grouping your data items about pupils into these areas:

  • admissions;
  • attainment;
  • attendance;
  • behaviour;
  • exclusions;
  • personal identifiers, contacts and pupil characteristics;
  • identity management and authentication;
  • catering and free school meal management;
  • trips and activities;
  • medical information and administration;
  • safeguarding and special educational needs.

Document the decision you make against each data item and share the results of your audit with your school leaders, governors and trustees because they are responsible for making sure the school is compliant with the Data Protection Act 2018.

Creating a data retention-schedule

Once you have your list of data item groups, consider creating a data retention-schedule. This should state how long you’ll hold certain types of personal data before destroying them. How long you keep different types of data will depend on whether you’re keeping it for operational needs or to comply with legal requirements. The IRMS has published a toolkit for academies and a toolkit for schools. These include more guidance about information management. The toolkits also give recommended retention periods for personal data.

Depersonalising personal data

As data becomes older there are steps you can take to keep data about pupils for analytical purposes. Rather than deleting data completely, remove names and personal identifiers. For example, once the pupil has left your school, you could remove their name and date of birth; this will remove some of the risks around personal data but will allow you to use it for long-term analysis of trends. Another option is to replace personal information with non-personal identifiers. For example, you could replace the:

  • name with a random ID
  • date of birth with a year of birth
  • postcode with locality or town name

For some records, you may only need to keep summary statistics.

Disposing of personal data

When records have reached the end of their retention period, data must be disposed of securely and confidentially. All records containing personal information or sensitive policy information must be made either unreadable or in a condition such that it cannot be reconstructed. Your data-retention policy must include your procedures for safely destroying personal data; all staff should be aware of these procedures to help prevent any data breaches. It goes without saying that you should NEVER dispose of records in regular waste or in a skip. You should:

  • shred paper records using a cross-cutting shredder, or get an external company to shred them;
  • destroy storage media and hard disks to particles no larger than 6mm;
  • dismantle and shred audio and video tapes.

If you use an external company to destroy records, it must:

  • shred all records on-site in the presence of an employee;
  • be able to prove that the records have been destroyed and provide a certificate of destruction;
  • demonstrate that it has trained its staff in the handling of confidential documents.

The Freedom of Information Act 2000 requires you to maintain a list of records that have been destroyed and who authorised their destruction.

  • A senior leader should have approved the material to be destroyed.
  • You must document the destruction. Record a brief description of the data, the number of files and who authorised the destruction.
  • Shred the records as soon as you’ve documented them as having been destroyed.

Further guidance is available can be found here: Record-keeping and retention for academies and academy trusts.

Don’t forget to follow us on Twitter like us on Facebook or connect with us on LinkedIn!

Be the first to comment

Leave a Reply