Data Retention Schedule and Policy

The School maintains a Data Retention Schedule that defines retention periods by record category and purpose, in line with the School’s legal, regulatory, academic, and operational obligations and the storage limitation principle under the UK GDPR and Data Protection Act 2018. Retention periods are not applied as a single blanket timeframe. The Schedule specifies, as a minimum, retention rules for: student records; assessment evidence; complaints and appeals; safeguarding and Prevent evidence; finance and audit records; human resources records; supplier and contract records; IT and security logs where applicable; and governance records including committee minutes, approvals, registers, issue logs, assurance packs, and policy version history. Where the School must retain long-term academic record evidence to verify awards and academic history, the Schedule defines precisely what is retained long-term, the minimum data required for that purpose, the safeguards applied, the system-of-record in which the record is held, and the retention rationale. All retention decisions must be documented and defensible.

Accountability for retention rules sits with the School’s Data Owners for their respective domains, in line with the Information Governance Policy. Data Owners are responsible for ensuring that retention periods, disposal expectations, and evidence requirements are defined for the records and personal data within their domains, that staff follow those requirements, and that exceptions or legal holds are identified and managed appropriately. The Director of Technology, as Information Governance Lead and Senior Information Risk Owner (SIRO), is responsible for operating the governance machinery that enables retention and disposal to work in practice, including ensuring systems-of-record support retention controls, access controls, secure deletion capability, audit logging where required, and that evidence of disposal is captured and retained. The Internal Data Protection Lead coordinates privacy compliance activity, including alignment between retention rules, RoPA documentation where applicable, DSAR handling, and personal data breach response requirements. Oversight and assurance are provided through the Executive Committee and the Quality, Compliance and Audit Committee, with Board oversight where required.

The School operates a regular review cycle for the Data Retention Schedule to ensure it remains aligned to legal requirements, regulatory expectations, and operational practice. Disposal occurs only when the applicable retention period has ended and there is no lawful reason to retain the information longer, such as an ongoing complaint, appeal, investigation, audit, safeguarding matter, legal claim, or other legal hold requirement. Secure disposal must use approved methods appropriate to the format and classification of the information, including confidential waste processes for paper records and secure deletion for digital records within systems-of-record and approved repositories. Where required, the School retains evidence that disposal occurred, including what was disposed of, when, by what method, and under whose authority, so that disposal is auditable and defensible.

Records must be stored only in the School’s designated systems-of-record and governed repositories, with role-based access control applied so that users access only what they need for their role. Classification and handling rules apply throughout the record lifecycle, including during retention and disposal. Records must not be duplicated into unmanaged local trackers, personal cloud services, or informal shared drives that bypass auditability and retention controls. The School maintains technical and organisational safeguards to protect confidentiality, integrity, and availability, including access lifecycle controls, logging where required, secure backup and restoration capability for systems-of-record, and security monitoring proportionate to risk.

This policy and the Data Retention Schedule are reviewed at least annually, and sooner following material changes to systems, regulatory requirements, processing activities, or the School’s risk profile. Changes are version-controlled, approved in line with the School’s delegation arrangements, and archived so the School can evidence what applied at any point in time. The authoritative record of policy versions, schedule versions, approvals, and supporting evidence is maintained in the governance and assurance system-of-record.

The School maintains backup, restoration, and resilience controls for systems-of-record so that records can be recovered following accidental deletion, system failure, cyber incident, or other disruption. Backup and restoration arrangements are monitored, restoration is tested for critical systems, and recovery objectives are reviewed. Disaster recovery arrangements must support the integrity and availability of authoritative records without creating uncontrolled parallel datasets that undermine retention controls, auditability, or systems-of-record governance.

This policy must be read in conjunction with the School’s Information Governance Policy and Data Protection Policy, which define systems-of-record, Data Owner accountability, assurance expectations, and operational privacy controls. It also operates alongside the School’s Information Technology and Digital Safeguarding Policy, Information Technology Infrastructure Management Policy, and any relevant records management, safeguarding, assessment, academic regulations, and risk management policies that create record-keeping obligations. Where a conflict arises, the School’s Information Governance Policy and Data Protection Policy take precedence for governance, lawful processing, retention, and disposal requirements.

This policy is reviewed at least annually, and sooner following material changes to systems, regulatory requirements, processing activities, or the School’s risk profile. Reviews, approvals, version history, and archived copies are maintained in the governance and assurance system-of-record so the School can evidence what applied at any point in time.

Privacy notices provide transparency information to individuals about specific processing activities and are maintained separately from this internal retention policy. Retention expectations stated within privacy notices must align to the School’s Data Retention Schedule and must not create inconsistent or conflicting retention commitments. The authoritative retention rules for operational use are those set out in the Data Retention Schedule governed under the School’s Information Governance framework.

The table below forms part of this policy and is the authoritative statement of minimum retention periods and disposal requirements for operational use.

Retention periods reflect legal, regulatory, academic, safeguarding, contractual, and operational requirements. Records must not be retained longer than necessary and must be securely disposed of in accordance with this policy.

Where litigation, complaints, appeals, safeguarding matters, audits, investigations, or regulatory requests are ongoing, disposal must be suspended under a documented legal hold until the matter is concluded.