UK GDPR: retention and disposal of records

Find out how long you need to retain school records for, and why and how you should establish a retention schedule. Plus, learn how to dispose of data securely.

Last reviewed on 3 May 2024See updates
School types: AllSchool phases: AllRef: 35249
  1. You must not retain personal data for 'longer than necessary'
  2. Be clear on statutory retention periods
  3. Establish your own retention schedule
  4. How to dispose of data securely

You must not retain personal data for 'longer than necessary'

This is one of the 7 principles of the UK General Data Protection Regulation (UK GDPR). 

You’ll need to work out what ‘necessary’ means for the personal data you hold. Consider why you need to keep any pieces of personal data, and make sure you’re able to justify the decision you take. And remember that some types of data must be kept for a specific amount of time.

Make sure staff know what they can and cannot keep

Data protection is the responsibility of all staff. Download our UK GDPR cheat sheet to help staff understand what they need to know, and display our UK GDPR posters in staff rooms and offices to make sure everyone is informed.

Look at the Information and Records Management Society's (IRMS) records management toolkit for schools to find out statutory and best practice retention periods

The Key has taken great care in publishing this article. However, some of the article's content and information may come from or link to third party sources whose quality, relevance, accuracy, completeness, currency and reliability we do not guarantee. Accordingly, we will not be held liable for any use of or reliance placed on this article's content or the links or downloads it provides. This article may contain information sourced from public sector bodies and licensed under the Open Government Licence v3.0.