UK GDPR: retention and disposal of records

Find out how long you need to retain school records for, and why and how you should establish a retention schedule. Plus, learn how to dispose of data securely.

Last reviewed on 16 June 2022

See updates

School types: All · School phases: All

Ref: 35249

Contents

You must not retain personal data for 'longer than necessary'
Be clear on statutory retention periods
Establish your own retention schedule
How to dispose of data securely

You must not retain personal data for 'longer than necessary'

This is one of the 7 principles of the UK GDPR.

You’ll need to work out what ‘necessary’ means for the personal data you hold. Consider why you need to keep any pieces of personal data, and make sure you’re able to justify the decision you take. And remember that some types of data must be kept for a specific amount of time.

Make sure staff know what they can and cannot keep

Data protection is the responsibility of all staff. Download our UK GDPR cheat sheet to help staff understand what they need to know, and display our UK GDPR posters in staff rooms and offices to make sure everyone is informed.

Be clear on statutory retention periods

See pages 66 to

UK GDPR: retention and disposal of records

Find out how long you need to retain school records for, and why and how you should establish a retention schedule. Plus, learn how to dispose of data securely.

You must not retain personal data for 'longer than necessary'

Make sure staff know what they can and cannot keep

Be clear on statutory retention periods

Read next

Also in "Retaining records"

You are here:

You must not retain personal data for 'longer than necessary'

Make sure staff know what they can and cannot keep

Be clear on statutory retention periods

Read next

Also in "Retaining records"