You must not retain personal data for 'longer than necessary'
This is one of the 7 principles of the UK General Data Protection Regulation (UK GDPR).
You’ll need to work out what ‘necessary’ means for the personal data you hold. Consider why you need to keep any pieces of personal data, and make sure you’re able to justify the decision you take. And remember that some types of data must be kept for a specific amount of time.
Make sure staff know what they can and cannot keep
Data protection is the responsibility of all staff. Download our UK GDPR cheat sheet to help staff understand what they need to know, and display our UK GDPR posters in staff rooms and offices to make sure everyone is informed.
Look at the Information and Records Management Society's (IRMS) records management toolkit for schools to find out statutory and best practice retention periods