  • dpadviceservice

Records Management and Retention

6 February 2021

What is a Records Management and Retention Policy?

A policy that sets out how personal data records are managed/stored and how long the records should be kept for.

Why do we need a Records Management and Retention Policy?

The GDPR and DPA 2018 state that personal data should not be kept for longer than is necessary and should not be kept just in case it is required in the future.

You should only keep information for the purpose you originally obtained it for. If you later wish to do something else with the personal data, then you will need to review the lawful basis for processing and potentially obtain consent for further processing.

The Records Management and Retention Policy should help you to keep track of, and set out the retention periods for, the personal data you hold.

What information should be included in our Records Management and Retention Policy?

You should include the following information:

  • The person(s) responsible for your records management,

  • Your storage arrangements for personal data,

  • Your processes in place for handling pupil information,

  • Your process for the safe disposal of your records.

You should also refer to your data flow map (information audit). It is important to understand the connection between your data flow map and your retention policy.

The data flow map documents what personal data you hold in school, where it is stored, the lawful basis for processing and who it is shared with. You should identify the retention period for all personal information you hold and document this in your data flow map.

Your policy should include your retention schedule.

What are the retention periods set out by the GDPR and DPA 2018?

There are no set retention periods or limits on data storage periods set out in the legislation.

Organisations can set their own retention time periods but must justify why they have set such a timescale.

How do we know how long to store our records for?

There are several different factors that will determine the retention period for the different personal information that you hold.

There may be legal and/or regulatory time periods that dictate your retention periods, e.g. financial records kept for a certain period for tax/audit purposes.

Anonymised data can be kept for as long as you want.

The retention periods should be included in your data flow map to assist you with retrieving and deleting data when the retention period expires.

What should we do at the expiry of the retention period?

Once the retention period expires, you will need to either permanently delete the data and shred any paper records, or anonymise the data. It is important to ensure that the anonymised data cannot be paired with other data you still hold to reveal the identity of any individuals.

If you require a Records Management and Retention Policy or any assistance with your data flow map, you can contact
