Retention Schedule and Policy


Policy Statement

The School is committed to managing records responsibly through the systematic retention and secure disposal of documents. This policy ensures adherence to legal requirements and best practices, maintaining the integrity and confidentiality of information. It applies to all staff, supporting effective information governance and safeguarding the School’s reputation and operational effectiveness.

Principles

  • Compliance: Adhering to legal and regulatory requirements governing record retention.
  • Transparency: Providing clear guidance on record retention periods and disposal procedures.
  • Confidentiality: Ensuring the confidentiality of sensitive records throughout their lifecycle.
  • Accessibility: Facilitating appropriate access to records during retention periods.
  • Efficiency: Retaining records only for as long as operationally necessary or legally required.
  • Security: Safeguarding records against unauthorised access, loss, or damage.
  • Review: Periodically reviewing retention schedules to reflect changes in legislation and operational practices.
  • Accountability: Assigning clear ownership and responsibility for record management.
  • Environmental Considerations: Disposing of records in an environmentally responsible manner.
  • Data Minimisation: Limiting the volume of data retained to the minimum necessary.
  • Auditability: Enabling effective audits of record-keeping practices and compliance.
  • Continuous Improvement: Actively seeking to refine record retention and disposal practices.

Regulatory Context

This Policy has been developed in line with the applicable laws, regulations, regulatory advice, and sector best practices, including the following:

  • UK Government, Data Protection Act 2018: Legislation aimed at controlling the processing of personal data, laying down principles with respect to the processing of personal data, and the rights of data subjects.
  • Office for Students (OfS), Regulatory Notices and Advice: Regulatory notices are additional information about OfS' regulatory requirements and are part of the regulatory framework. Regulatory advice helps providers understand and meet OfS requirements.
  • Quality Assurance Agency (QAA), The Quality Code: This code represents a shared understanding of quality practice across the UK higher education sector, protecting public and student interests and championing the UK's reputation for quality.
  • Quality Assurance Agency (QAA), Advice - Learning and Teaching
  • Information Commissioner's Office (ICO), Guide for higher education institutions: Provides guidance for higher education providers on their obligations under data protection law.
  • JISC (Joint Information Systems Committee), Digital Infrastructure Guidelines: Guidelines for universities and colleges in the UK on how to manage their digital infrastructure.

Retention Period

Rule: Timeframe

We may retain your personal data for a period of up to 6 years following the conclusion of your association with the School, unless otherwise specified. A core record of your data will be retained indefinitely to facilitate the verification of your academic history and to provide references after graduation.

This policy ensures compliance with applicable data retention regulations under English law, including the General Data Protection Regulation (GDPR) and the Freedom of Information Act 2000. It supports the verification of academic credentials and the provision of references long after your association with the School has ended, in accordance with best practices for record-keeping in higher education institutions.

Rule: Roles and Responsibilities

Compliance and the implementation, management, and review of the retention policy shall be the responsibility of the Director of Technology. The Director of Technology will oversee all aspects of data retention and security, ensuring that the policy is adhered to across the institution and that all staff are informed of their responsibilities regarding record management.

This centralised approach clarifies accountability and promotes effective management of the retention policy. By assigning the Director of Technology as the primary responsible party, we ensure that all technological aspects of data retention and compliance with legal requirements, including data protection regulations, are comprehensively addressed. This responsibility fosters a culture of diligence and awareness within the institution, ensuring that staff understand their obligations regarding the retention and management of personal data.

Review and Disposal Process

Rule: Regular Review and Secure Disposal

Procedures shall be established for the regular review of records to ensure that retention schedules remain current and comply with the law. Once the retention period has passed, records will be disposed of securely using methods such as shredding paper documents and secure digital deletion.

This process ensures compliance with data retention regulations and promotes effective data management. By regularly reviewing records and implementing secure disposal methods, we minimise the risk of unauthorised access to outdated information and protect sensitive data from potential breaches.

Data Security and Access

Rule: Secure Storage and Controlled Access

Records will be securely stored in designated systems, with access restricted to authorised personnel only. Measures will be implemented to protect sensitive data throughout the retention period.

This policy ensures that personal data is safeguarded against unauthorised access and breaches. By clearly defining storage protocols and access controls, we create a secure environment that protects sensitive information and upholds the institution's commitment to data protection.

Version Control and Review Cycle

Rule: Policy Review and Version Control

The retention policy will be reviewed annually, or more frequently if necessary, to ensure compliance with evolving regulations and institutional requirements. A version control system will be implemented to track updates and revisions.

Regular reviews of the policy ensure that it remains relevant and compliant with current legal standards. By maintaining version control, we promote transparency and accountability in record management practices, ensuring all staff are informed of the most up-to-date procedures.

Disaster Recovery

Rule: Data Recovery Provisions

Comprehensive provisions for disaster recovery will be established to ensure that records can be restored in the event of system failures or disasters.

This policy ensures that vital records are protected against loss due to unforeseen circumstances. By implementing robust disaster recovery measures, we safeguard the integrity of our data and maintain continuity in operations, thereby ensuring that essential information remains accessible when needed.

Other Relevant Policies

Rule: Retention Policy Integration

This Retention Policy must be read in conjunction with other School policies, including the Information Technology (IT) Regulations, Automated Governance System (AGS) Policy, Information Technology (IT) Infrastructure Management Policy, Website Privacy Policy, and Data Protection Policy.

Integrating this policy with the IT and Data policies ensures comprehensive management and understanding of data retention practices, aligning with the School’s broader governance and compliance framework.

Changes to this Privacy Notice

Advice: Policy Review

This policy is subject to regular review.

Regular reviews ensure the policy remains current, effective, and aligned with best practices and legal requirements, thereby maintaining its relevance and accuracy over time.

Other Notices

Advice: Privacy Notices

We strive to protect your privacy diligently. Please note that additional privacy notices are available on our website, covering various aspects such as enquiries, applications, current students, alumni, and website usage.

These notices ensure transparency and inform you about how your data is managed across different activities, helping you understand our comprehensive approach to privacy protection.

Metrics and KPIs

The following metrics will be measured and regularly reviewed as key performance indicators for the School to ensure the effectiveness of this policy and associated operations.

  • Accuracy of Document Disposal: Percentage of documents disposed of securely and in compliance with the policy annually. Ensures that confidential information is properly destroyed, protecting data integrity and confidentiality.
  • Incident Reporting Frequency: Number of incidents related to improper retention or disposal of documents reported each year. Monitors issues related to policy adherence and helps address weaknesses in the system.
  • Percentage of Records with Defined Retention Periods: Percentage of records for which retention periods are clearly defined and documented. Ensures that all records have appropriate retention periods assigned, supporting systematic record management.