UK GDPR: retention and disposal of records

Learn what to consider when you’re deciding how long to keep records for to comply with UK GDPR. See examples of retention schedules from schools and trusts. Plus, find out how to dispose of data securely.

Last reviewed on 10 March 2026See updates

School types: All•School phases: All•Ref: 35249

Contents

You must not retain personal data for 'longer than is necessary'
Statutory retention periods
Establish your own retention schedule for anything else
Get more guidance on specific types of records
Depersonalise personal data where possible
How to dispose of data securely
See examples of retention schedules

You must not retain personal data for 'longer than is necessary'

This is one of the 7 principles of the UK General Data Protection Regulation (UK GDPR).

You’ll need to work out what ‘necessary’ means for the personal data you hold – this will depend on your purposes for holding the data. Consider why you need to keep any pieces of personal data, and make sure you’re able to justify the decision you take.

To help you decide, read more about how to identify the 'lawful basis' for processing personal data.

Statutory retention periods

Pupil records Document type Retention period Action at end of retention period Guidance/legislation Primary school pupil records Until the pupil leaves the school. You should keep the pupil’s data on your MIS for 2 terms after the pupil leaves

You must not retain personal data for 'longer than is necessary'

Statutory retention periods

Want to continue reading?