UK GDPR: retention and disposal of records

Learn what to consider when you’re deciding how long to keep records for to comply with UK GDPR. See examples of retention schedules from schools and trusts. Plus, find out how to dispose of data securely.

Last reviewed on 6 January 2025See updates
School types: AllSchool phases: AllRef: 35249
Contents
  1. You must not retain personal data for 'longer than necessary'
  2. Statutory retention periods
  3. Establish your own retention schedule for anything else
  4. Get more guidance on specific types of records
  5. Depersonalise personal data where possible
  6. How to dispose of data securely
  7. See examples of retention schedules

You must not retain personal data for 'longer than necessary'

This is one of the 7 principles of the UK General Data Protection Regulation (UK GDPR). 

You’ll need to work out what ‘necessary’ means for the personal data you hold. Consider why you need to keep any pieces of personal data, and make sure you’re able to justify the decision you take.

To help you decide, read more about how to identify the 'lawful basis' for processing personal data.

Statutory retention periods

Pupil records Document type Retention period Action at end of retention period Guidance/legislation Primary school pupil records Until the pupil leaves the school. Transfer to secondary school or other primary school when the pupil leaves. See The Education (Pupil Information) (England) Regulations 2005 for details of what to keep in the pupil record and guidance on how to transfer information to another school. Secondary school pupil