UK GDPR: retention and disposal of records

Find out how long you need to retain school records for, and why and how you should establish a retention schedule. Plus, learn how to dispose of data securely.

Last reviewed on 23 June 2023See updates
School types: AllSchool phases: AllRef: 35249
  1. You must not retain personal data for 'longer than necessary'
  2. Be clear on statutory retention periods
  3. Establish your own retention schedule
  4. How to dispose of data securely

You must not retain personal data for 'longer than necessary'

This is one of the 7 principles of the UK General Data Protection Regulation (UK GDPR). 

You’ll need to work out what ‘necessary’ means for the personal data you hold. Consider why you need to keep any pieces of personal data, and make sure you’re able to justify the decision you take. And remember that some types of data must be kept for a specific amount of time.

Make sure staff know what they can and cannot keep

Data protection is the responsibility of all staff. Download our UK GDPR cheat sheet to help staff understand what they need to know, and display our UK GDPR posters in staff rooms and offices to make sure everyone is informed.

Look at the Information and Records Management Society's (IRMS) records management toolkit for schools to find out statutory and best practice retention periods