Data Protection Policy
3. What information falls within the scope of this policy
4. Your obligations
5. Personal Data must be processed fairly, lawfully and transparently
6. You must only process Personal Data for limited purposes and in an appropriate way
7. Personal Data held must be adequate and relevant for the purpose
8. You must not hold excessive or unnecessary Personal Data
9. The Personal Data that you hold must be accurate
10. You must not keep Personal Data longer than necessary
11. You must keep Personal Data secure
12. You must not transfer Personal Data outside the EEA without adequate protection
13. Sharing Personal Data outside the School – dos and don’ts
14. Sharing Personal Data within the School
15. Individuals’ rights in their Personal Data
16. Requests for Personal Data (Subject Access Requests)
17. Data breaches
18. What is a data breach?
19. Immediate action following a data breach
20. Roles and responsibilities
21. Containment and recovery
22. Establishing and assessing the risks
24. Contacting affected individuals
25. Internal Breach Register
27. Breach of this policy
a) This policy is relevant to all staff and explains the School’s expectations of staff under data protection
legislation. It provides an explanation of key data protection principles as well as detailed guidance on what to
do in the event of a data breach.
b) Data protection is about regulating the way that the School uses and stores information about identifiable
people (Personal Data). It also gives people various rights regarding their data – such as the right to access the
Personal Data that the School holds on them.
c) As a school, we collect, store and process Personal Data about our staff, pupils, parents, suppliers and other
third parties. We recognise that the correct and lawful treatment of this data will maintain confidence in the
d) You are obliged to comply with this policy when processing Personal Data on our behalf. Any breach of this
policy may result in disciplinary action.
e) All queries concerning data protection matters should be raised with the school’s nominated Privacy Officer,
who is Jane O’Halloran.
a) This policy is for all staff working in the School (whether directly or indirectly), whether paid or unpaid,
whatever their position, role or responsibilities. It includes employees, contractors, people on work experience
b) This policy does not form part of your contract of employment and may be amended by the School at any time.
3. What information falls within the scope of this policy:
a) Data protection concerns information about individuals.
b) Personal Data is data which relates to a living person who can be identified either from that data, or from the
data and other information that is available. Information as simple as someone’s name and address is their
c) In order for you to do your job, you will need to use and create Personal Data. Virtually anything might include
d) Examples of places where Personal Data might be found are:
✓ on a computer database;
✓ in a file, such as a pupil report;
✓ a register or contract of employment;
✓ pupils’ exercise books and mark books;
✓ health records; and email correspondence.
Examples of documents where Personal Data might be found are:
✓ a report about a child protection incident;
✓ a record about disciplinary action taken against a member of staff;
✓ photographs of pupils;
✓ details of a job interview;
✓ contact details and other personal information held about pupils, parents and staff and their families;
✓ contact details of a member of the public who is enquiring about placing their child at the School;
✓ information on a pupil’s performance;
✓ a report from an outside agency.
These are just examples – there may be many other things that you use and create that would be considered
You must be particularly careful when dealing with Personal Data which falls into any of the categories
✓ information concerning child protection matters;
✓ information about serious or confidential medical conditions and information about special educational needs;
✓ information concerning serious allegations made against an individual (whether or not the allegation amounts
to a criminal offence and whether or not the allegation has been proved);
✓ financial information (for example about parents and staff);
✓ information about an individual’s racial or ethnic origin;
✓ political opinions;
✓ religious beliefs or other beliefs of a similar nature;
✓ trade union membership;
✓ physical or mental health or condition;
✓ sexual orientation;
✓ genetic information;
✓ information relating to actual or alleged criminal activity;
These categories are referred to as special categories of personal data in this policy. If you have any questions
about your processing of these categories of Personal Data please speak to the Privacy officer.
4. Your obligations
a) Have strong passwords that are kept safe and confidential
b) Encrypt emails that contain personal data
c) Ensure devices and screens are locked if personal data is accessible
d) Any data or devices taken out of school should be encrypted, password-protected and kept securely
e) Paper data should be COVERED, LOCKED AWAY or SHREDDED
f) Data, including photos, should be deleted from personal devices within 72 hours
5. Personal Data must be processed fairly, lawfully and transparently
a) “Processing” covers virtually everything which is done in relation to Personal Data, including using, disclosing,
copying and storing Personal Data.
b) People must be told what data is collected about them, what it is used for and who it might be shared with,
unless it is obvious. They must also be given other information, such as what rights they have in their
information, how long we keep it for and about their right to complain to the Information Commissioner’s
Office (the data protection regulator).
c) This information is provided in a document known as a data privacy notice. Copies of the School’s privacy
notices can be accessed on the School’s website. You must familiarise yourself with the School’s privacy notice.
d) If you are using Personal Data in a way which you think an individual might think is unfair please speak to the
School’s privacy officer.
e) You must only process Personal Data for the following purposes:
✓ ensuring that the School provides a safe and secure environment;
✓ providing pastoral care;
✓ providing education and learning for our pupils;
✓ providing additional activities for pupils and parents (for example activity clubs);
✓ protecting and promoting the School’s interests and objectives, e.g. fundraising, liaising with ‘Old Boys’ and
prospective parents, and parent communication.
✓ safeguarding and promoting the welfare of our pupils;
✓ to fulfill the School’s contractual and other legal obligations; or
✓ as outlined in the relevant privacy notice(s).
If you want to do something with Personal Data that is not on the above list, or is not set out in the relevant
privacy notice(s), you must speak to the Privacy Officer or, in their absence, the Deputy Privacy Officer,
before you do anything outside of the areas listed. This is to make sure that the School has a
lawful reason for using the Personal Data.
We may sometimes rely on the consent of the individual to use their Personal Data. This consent must meet
certain requirements and therefore you should speak to the Privacy Officer if you think that you may need to
6. You must only process Personal Data for limited purposes and in an appropriate way.
a) For example, if pupil photographs are taken for the School’s Newsletter then they cannot then be used on
social media without this granular consent from a parent or guardian.
7. Personal Data held must be adequate and relevant for the purpose
a) This means not making decisions based on incomplete data. For example, when writing reports you must make
sure that you are using all of the relevant and correct information about the pupil.
8. You must not hold excessive or unnecessary Personal Data
a) Personal Data must not be processed in a way that is excessive or unnecessary. For example, you should only
collect information about a pupil’s siblings if that Personal Data has some relevance, such as where the sibling
is also a pupil, allowing the School to determine if a sibling fee discount is applicable or the parent has
indicated the sibling may join the school in the future.
9. The Personal Data that you hold must be accurate
a) You must ensure that Personal Data is complete and kept up to date. For example, if a parent notifies you that
their contact details have changed, you must ensure that the data is passed directly to Vicky Curtis to update all
10. You must not keep Personal Data longer than necessary – see guidance in Appendix 1
a) The School has a Retention and Deletion Schedule which gives details of how long different types of data
should be kept and when data should be destroyed. This applies to both paper and electronic documents. You
must be particularly careful when you are deleting data.
b) Please speak to the Privacy Officer or, in their absence her deputy, for guidance on the retention periods and
11. You must keep Personal Data secure
a) You must comply with the following School policies and guidance relating to the handling of Personal Data:
✓ Data Security Policy (within E Safety Policy)
✓ ICT Acceptable Use Policy for Staff
✓ E-Safety policy
✓ Recruitment Policy;
✓ Social Media Policy (within E Safety Policy)
✓ Code of Conduct;
✓ Retention and Deletion Schedule.
12. Sharing Personal Data outside the School – dos and don’ts
a) DO share Personal Data on a need to know basis but consider why it is necessary to share this data outside of
the School. If in doubt always ask the School’s Privacy Officer or in matters relating to a pupil’s well-being, the
Designated Safeguarding Lead.
b) DO NOT send emails which contain special categories of personal data described above without taking steps to
ensure that the data cannot be accessed by anyone other than the intended recipient.
c) DO make sure that you have permission from the Privacy Officer to share Personal Data on the school website.
d) DO be aware of “blagging”. This is the use of deceit to obtain Personal Data from people or organisations. You
should seek advice from the Privacy Officer where you are suspicious as to why the information is being
requested or if you are unsure of the identity of the requester (e.g. if a request has come from a parent but
using a different email address).
e) DO be aware of “phishing”. Phishing is a way of making something (such as an email or a letter) appear as if it
has come from a trusted source. This is a method used by fraudsters to access valuable personal details, such
as usernames and passwords.
f) Don’t reply to email or pop-up messages that ask for personal or financial information or click on any links in
an email from someone that you don’t recognise.
g) Report all concerns about phishing to the Head Teacher.
h) DO NOT disclose Personal Data to the Police without permission from the Privacy Officer or, in their absence,
her Deputy Officer.
i) DO NOT disclose Personal Data to contractors without permission from the Privacy Officer.
13. Sharing Personal Data within the School
a) Personal Data must only be shared within the School on a “need to know” basis.
b) Examples of sharing which are likely to be compliant with data protection legislation include:
✓ a teacher discussing a pupil’s academic progress with other members of staff (for example, to ask for advice on
how best to support the pupil)
✓ disclosing details of a teaching assistant’s allergy to bee stings to colleagues so that you/they will know how to
respond (but more private health matters must be kept confidential).
Examples of sharing which are unlikely to be compliant with data protection legislation include:
✓ disclosing personal contact details for a member of staff (e.g. their home address and telephone number) to
other members of staff (unless the member of staff has given permission or it is an emergency).
You may share Personal Data to avoid harm, for example in child protection and safeguarding matters.
14. Individuals’ rights in their Personal Data
a) Individuals have various rights regarding the information we hold on them.
b) Staff must be able to recognise when someone is exercising their rights so that you can refer the matter to the
Privacy Officer. Please let the Privacy Officer know as soon as possible as there is a need to have a clear log if
personal data is requested, either for themselves or on behalf of another person, such as their child.
The types of request that may be made by an individual:
✓ wants to know what information the School holds about them or their child;
✓ asks to withdraw any consent that they have given to use their information or information about their child;
✓ wants the School to delete any information;
✓ asks the School to correct or change information (unless this is a routine updating of information such as
✓ asks for electronic information which they provided to the School to be transferred back to them or to another
✓ wants the School to stop using their information for direct marketing purposes. Direct marketing has a broad
meaning for data protection purposes and might include communications such as the School newsletter or
events inviting past pupils; or
✓ objects to how the School is using their information or wants the School to stop using their information in a
particular way: for example, if they are not happy that information has been shared with a third party.
15. Requests for Personal Data (Subject Access Requests)
a) Individuals are entitled to request a copy of the Personal Data which the School holds about them or in some
cases, their child. This is termed a “subject access request”.
b) Subject access requests do not have to be labelled as such and do not even have to mention data protection.
For example, an email which simply states “Please send me copies of all emails you hold about me” is a valid
subject access request. You must always immediately let the Privacy Officer know. The Privacy Officer will then
log this request.
c) Receiving a subject access request is a serious matter for the School and involves complex legal rights. Staff
must never respond to a subject access request themselves unless authorised to do so.
d) When a subject access request is made, the School must disclose all of that person’s Personal Data to them
which falls within the scope of his/her request. There are only very limited exceptions.
16. Data breaches
a) The School understands the importance of keeping Personal Data secure and of effectively dealing with data
breaches. This is essential for maintaining the trust of staff, pupils and their parents when the School uses their
b) This policy and procedure is to be used in the event of a data breach at the School (or a suspected data
c) All staff receive training on how to recognise a data breach.
d) The School is required to report certain breaches to the Information Commissioner’s Office and to data
subjects under the General Data Protection Regulation. There are strict timescales for reporting breaches. The
School also has responsibilities to report certain incidents to other regulators on occasions. This policy gives
more information about how the School will ensure that timely and compliant reports are made.
17. What is a data breach?
a) A data breach is a breach of security which leads to any of the following:
✓ the loss of Personal Data;
✓ the accidental or unlawful destruction of Personal Data;
✓ the disclosure of Personal Data to an unauthorised third party;
✓ the unlawful or accidental alteration of Personal Data; or
✓ unauthorised access to Personal Data.
If staff are in any doubt as to whether an incident constitutes a data breach they must speak to the Privacy
Officer or, in their absence, the Deputy Privacy Officer.
In the event of a data breach:
✓ Inform the School’s Privacy Officer/Deputy.
✓ Identify what Personal Data is at risk.
✓ Take measures to prevent the breach from worsening e.g. changing password/access codes.
✓ Recover any of the compromised Personal Data e.g. use back-ups to restore data.
✓ Consider whether outside agencies need to be informed as a matter of urgency e.g. the police in the event of a
burglary or Children’s Services where the breach may lead to serious harm being caused to a pupil.
✓ Consider whether any affected individuals should be told about the breach straight away e.g. so that they may
take action to protect themselves or because they would find out about the breach from another source.
18. Roles and responsibilities
a) The following staff form the School’s Data Privacy Committee and have certain responsibilities:
19. Role Responsibility
a) The Privacy Officer – Jane O’Halloran
The Privacy Officer will chair the Committee and is responsible for co-ordinating the School’s response to any
breach. In addition, the Privacy Officer will lead on any physical security measures which are required at the School
site to contain the breach.
b) The Deputy Privacy Officer – Emma Tipper
Deputises and assists the Privacy Officer
c) The Head Teacher who is also the Privacy Officer:
will be responsible for any communications with pupils and parents and for any pupil welfare or
d) The Privacy Officer and Deputy Privacy Officer:
will be responsible for ensuring the security of the School’s IT infrastructure. In addition, will take
responsibility for any possible technical measures to recover Personal Data or to contain a data breach.
20. Containment and recovery
a) As soon as a data breach has been identified or is suspected, the School will take steps to recover any Personal
Data and to contain the breach, which may include:
✓ change any passwords and access codes which may have been compromised;
✓ if appropriate in all the circumstances, tell employees to notify their bank if financial information has been lost
(or other information which could lead to financial fraud);
✓ limit staff and/or pupil access to certain areas of the School’s IT network;
✓ use back-up hard-drives and cloud-based storage to restore lost or damaged data;
✓ take any measures to recover physical assets e.g. notifying the police or contacting third parties who may have
found the property;
✓ notify insurers; and
✓ take action to mitigate any loss.
a) The Data Privacy Committee will decide what action is necessary and which member(s) of the Committee will
be responsible for the different aspects of the containment and recovery. Where appropriate the Data Privacy
Committee may delegate tasks to other members of staff with the relevant expertise.
b) The Data Privacy Committee may seek assistance from outside experts if appropriate to effectively contain the
breach and recover any Personal Data e.g. legal advice, reputation management advice or specialist technical
21. Establishing and assessing the risks
a) The next stage in the process of dealing with a data breach is to establish and assess the risks presented by the
breach. The Data Privacy Committee’s approach will be shaped by the questions set out in the Data Breach
a) The School is required to report a data breach to the ICO unless the breach is unlikely to result in a risk to the
rights and freedoms of individuals. The Data Privacy Committee’s risk assessment will be used to determine if a
notification to the ICO is required, and the reasons for a decision not to notify the ICO will be documented by
the Data Privacy Committee. A notification to the ICO will be made without undue delay and where feasible
within 72 hours of having become aware of the breach.
b) The School will observe ICO procedures for data breach notifications.
c) The School may also prepare a letter to the ICO in addition to following the ICO’s procedures in order to set the
context for the breach.
d) The School’s notification will contain as a minimum:
✓ a description of the nature of the data breach including where possible:
✓ the categories and approximate number of data subjects concerned; and
✓ the categories and approximate number of Personal Data records concerned;
✓ the name and contact details of the Privacy Officer or in their absence, the staff member who can provide more
information to the ICO if required;
✓ a description of the likely consequences of the data breach;
✓ a description of the measures taken or proposed to be taken by the School to address the data breach,
including where appropriate measures to mitigate its possible adverse effects.
✓ If it is not possible to submit the notification to the ICO within 72 hours of becoming aware of the breach, the
School will explain the reason for this delay.
✓ If it is not possible to provide all of the information at the same time, the School will provide the information to
the ICO in phases without further undue delay. For example, the School may make an initial notification within
the 72 hour period with a more detailed response the following week once the School has more information on
✓ The School may also consider reporting the data breach to the other relevant bodies and the Police, where it is
possible that a criminal offence has been committed.
23. Contacting affected individuals
a) The School is required by the GDPR to report a data breach to the individuals whose data has been
compromised (known as data subjects) where the breach is likely to result in a high risk to the rights and
freedoms of individuals. It may not always be clear which individuals should be notified, for example, parents
may need to be notified rather than their children.
b) A notification does not need to be made where:
✓ the School had taken measures so that the data compromised was unintelligible to any person not authorised
to access it (e.g. it was encrypted); or
✓ the School has managed to contain the breach or taken mitigating action so that any high risk to individuals is
no longer likely to materialise (e.g. an unencrypted memory stick has been recovered before anyone was able
to access the data held on it).
a) If the School decides not to notify individuals this decision will be documented.
c) If a notification is sent this will be done without undue delay. The Privacy Officer along with members of the
Data Privacy Committee will decide what is the most appropriate method of communication for the
notification, and factors to consider include the urgency of the notification. For example, it may be appropriate
to telephone individuals followed up with an email.
d) The School may work with external agencies, including the ICO (Information Commissioner’s Office) and the Police to determine when is the most appropriate time to notify the individuals. The ICO may advise or require the School to notify individuals. In
addition, the ICO has the authority to require a more detailed notification to be given to individuals.
e) Notifications to individuals will include the following as a minimum:
✓ the name and contact details of a person at the School who can provide more information. The Data Privacy
Committee should choose the appropriate staff member at the School, which will depend upon which
individuals are affected;
✓ a description of the likely consequences of the data breach; and
✓ a description of the measures taken or proposed to be taken by the School to address the data breach,
including, where appropriate, measures to mitigate its possible adverse effects.
✓ In addition, the School will consider if any additional information would be helpful to data subjects. For
example, instructions on measures which they can take to protect their data now or in the future.
24. Internal Breach Register
a) The School is required to keep a register of all data breaches including those which do not meet the threshold
to be reported. Staff must be regularly trained to report all data breaches to enable the School to meet this
requirement. This training will be part of the Induction process for new staff and then ongoing.
b) The Privacy Officer is responsible for keeping this register up to date.
a) The School regularly evaluates the effectiveness of both its organisational and technical measures to protect
Personal Data. See the Information Security Policy for more details.
Organisational measures include:
✓ policies for staff on their data protection obligations, including when working away from the School site;
✓ guidance for staff on how to use specific computer applications and software securely;
✓ data protection training for staff.
Technical measures include:
✓ limiting access to certain areas of the School’s IT network;
✓ firewalls and virus protection; and
✓ the use of backups.
The Data Privacy Committee will establish how existing measures could be strengthened and what additional
measures should be put in place to guard against future data breaches. The Data Privacy Committee will
consider if breaches of a similar type have previously occurred and the risk of security breaches more broadly.
The Data Privacy Committee may delegate this task to one or more appropriate members of staff and will
consider whether legal and/or technical advice is required.
Key points for the evaluation include:
✓ Was the breach reported to the Privacy Officer immediately? If not, why not, and what action can be taken to
speed up the process in future?
✓ Were all possible measures taken to recover the data promptly?
✓ Could more have been done to contain the breach as quickly as possible?
✓ If one of the School’s processors (e.g. a payroll supplier) was either responsible for the breach, or discovered
the breach, was this notified to the School without undue delay? If not, what measures can be put in place to
improve this communication in the future?
✓ Would improvements in the training given to staff have prevented the breach or lessened the severity of the
✓ Can measures be taken to speed up the process of staff reporting breaches?
✓ Does the School’s Information Security Policy need to be revised?
✓ Are changes required to the School’s IT system?
✓ Should the School’s document management system be made more robust? For example, should staff’s ability to
access certain documents be limited to a greater extent?
✓ Does the physical security of the School, particularly in areas where Personal Data is kept, need to be
✓ Do the School’s remote working practices need to change?
✓ Does the School need more robust procedures around staff using their own devices for School work?
✓ Do the School’s contracts with processors/ICT providers need to be revised?
✓ Does the School need to do more robust due diligence on its processors?
a) The Committee will report the outcome of the evaluation to all staff before implementing any necessary
changes where this is deemed necessary.
26. Breach of this policy
a) Any breach of this policy will be taken seriously and may result in disciplinary action.
b) A member of staff who deliberately or recklessly discloses Personal Data held by the School without proper
authority is guilty of a criminal offence and gross misconduct. This could result in summary dismissal.
Reviewed March 2021
Review due March 2022
Policy adopted by Jane O’Halloran Head Teacher
Guidelines for Independent Schools on the Storage and Retention of Records and Documents
The purpose of this note
Schools will generally seek to balance the benefits of keeping detailed and complete records – for the purposes of good practice, archives or general reference – with practical considerations of storage, space and accessibility. However, whilst independent schools are not as directly regulated as state/maintained schools, there are still legal considerations in respect of retention of records and documents which must be borne in mind. These include:
- statutory duties and government guidance relating to schools
- the law of confidentiality and privacy
- disclosure requirements in the course of litigation
- contractual obligations
- the GDPR
These will inform not only minimum and maximum retention periods, but also what to keep and how
to keep it.
- Meaning of “Record”
In these guidelines, “record” means any document or item of data which contains evidence or information relating to the school, its staff or pupils. Some of this material will contain personal data of individuals as defined in the GDPR: but not all. Many, if not most, new and recent records will be created, received and stored electronically. Others (such as Certificates, Registers, or older records) will be original paper documents. The format of the record is less important than its contents and the purpose for keeping it.
Digital records can be lost or misappropriated in huge quantities very quickly. Access to sensitive data – or any large quantity of data – should as a minimum be password-protected and held on a limited number of devices only, with passwords provided on a need-to-know basis and regularly changed. Where ‘cloud storage’ is used, consider what data needs to be made available in this way. If personal information kept in this way is sensitive, or held in large quantities, digital encryption is advisable.
Emails (whether they are retained electronically or printed out as part of a paper file) are also “records” and may be particularly important: whether as disclosable documents in any litigation, or as representing personal data of the sender (or subject) for data protection/data privacy purposes. Again, however, the format is secondary to the content and the purpose of keeping the document as a record.
It is also worth remembering that a digital document’s original metadata may indicate the date of its
creation, its author or the history of its changes: so it is important that this information is preserved.
Paper records are most often damaged by damp or poor storage conditions; but as well as applying common sense (i.e. dry, cool, reasonable ventilation, no direct sunlight; avoid storing with metals, rubber or plastic which might deteriorate or damage the paper), security is also vital – especially if the materials contain legally or financially sensitive data, as well as data personal to individuals.
- A note on “personal data”
Some records will contain information about individuals e.g. staff, pupils, consultants, parents, contractors – or indeed other individuals, whether they are a part of the school or some other third party (for example, another school). Particular legal requirements will therefore come into play. That type of information is “personal data” for the purposes of the GDPR and will therefore be subject to data protection laws which may, in places, conflict with aspects of these ‘document retention’ guidelines. Neither the statutory time limits by which legal claims must be made, nor the precise stipulations of private contracts or governmental organisations (e.g. the Disclosure and Barring Service, the ‘DBS’), were necessarily drawn up with data protection law in mind.
For example, the GDPR requires that personal data is only retained for as long as necessary – that is, necessary for the specific lawful purpose (or purposes) it was acquired. This will of course vary and may be either shorter or longer than the suggested document retention period, according to context. This is a nuanced area which may therefore require tailored, specific advice on a case-by-case basis. As a general rule, statutory legal duties – or the duty to report to safeguard vital interests – will ‘trump’ data protection concerns in the event of any contradiction. Certain personal data may legitimately need to be retained or disclosed subject to a private contractual duty (eg under a parent contract).
However, a higher standard would apply to the processing of “sensitive personal data”. By way of example a contractual duty, or other legitimate interest of the school or third party, would not of itself justify the retention or sharing of sensitive personal data – but ‘protection of vital interests’ might. Sensitive personal data includes data relating to an individual in respect of their health, race, religion, sexual life, trade union membership, politics or any criminal proceedings, offences or allegations.
- Archiving and the destruction or erasure of Records
All staff should receive basic training in data management – issues such as security, recognising and handling sensitive personal data, safeguarding etc. Staff given specific responsibility for the management of records must have specific training and ensure, as a minimum, the following:
- That records – whether electronic or hard copy – are stored securely as above, including if possible with encryption, so that access is available only to authorised persons and the records themselves are available when required and (where necessary) searchable;
- That important records, and large or sensitive personal databases, are not taken home or – in respect of digital data – carried or kept on portable devices (whether CDs or data sticks, or mobiles and handheld electronic tablets) unless absolutely necessary, in which case it should be subject to a risk assessment and in line with an up-to-date IT use policy;
- That questions of back-up or migration are likewise approached in line with general school policy (such as professional storage solutions or IT systems) and not individual ad hoc action;
- That arrangements with external storage providers – whether physical or electronic (in any form, but most particularly “cloud-based” storage) – are supported by robust contractual arrangements providing for security and access;
- That reviews are conducted on a regular basis, in line with the guidance below, to ensure that all information being kept is still relevant and – in the case of personal data – necessary for the purposes for which it is held (and if so, that it is accurate and up-to-date); and
- That all destruction or permanent erasure of records, if undertaken by a third party, is carried out securely – with no risk of the re-use or disclosure, or re-construction, of any records or information contained in them.
These requirements are particularly important in respect of the school’s specific legal obligations under the GDPR. However, they amount to common sense rules even where personal data is not directly involved.
- A note on litigation
One consideration in whether it is necessary or desirable to keep records is possible future litigation. Generally speaking, an institution will be better placed to deal with claims if it has a strong corporate memory – including adequate records to support its position, or a decision that was made. Ideally, therefore, records would not be disposed of until the limitation period for bringing a claim has passed. For most contracts that will mean 6 years from any breach (or 12 years in case of, say, a witnessed deed), but the date to start counting from is the last day of the period under contract. Where there has been early termination, this will be the relevant date to apply (once the appeal process has been concluded): but for pupils, limitation periods will only apply from the age of 18 years.
The period of 6 years also applies to many claims outside contract (such as fraud, mistake or negligence). In the case of personal injury it is only 3 years. However, if the harm is only discovered later – eg ‘latent’ damage, or some unseen injury – then the timer only starts from the point of discovery: subject, in the case of latent property damage, to a 15-year backstop. In some cases the prompt may be the end of a calendar year, so for the purpose of this guidance a contingency is generally built in (eg 7 years where the statutory limitation is 6 years).
Finally, limitation periods may be disapplied altogether by courts in the case of certain crimes or associated breaches of care (eg historic abuse), whether a charge is brought by the police or a school is sued under a private claim. It is not always possible to try a case where the evidence is inadequate, including due to a lack of corporate memory (eg records and witnesses): but recent cases show the courts and police will expect to see a record, and inferences may be drawn otherwise. Often these records will comprise personal or sensitive personal data (eg health or criminal allegations). In such instances, even justifiable reasons to keep records for many years will need to be weighed against personal rights. Recent high-profile cases in the field of child protection make a cautious approach to record retention advisable and, from a GDPR perspective, make it easier for a school to justify retention for long periods. A recent case held that 35 years was a legitimate period to retain safeguarding case files. But the longer data is retained, and the more sensitive material is kept on file, the greater – and potentially more serious – the risk of security breach.
The most important steps a school can take to support such a policy are (a) having adequate notices and consents in both staff and parent contracts; and (b) ensuring any long-term records worth keeping are kept very secure, accessible only by trained staff on a need-to-know basis. Finally, insurance documents need to be kept in respect of historic policies for as long as a claim might arise.
- A note on recording information
It is important that all staff bear in mind, when creating documents and records of any sort (and particularly email), that at some point in the future those documents and records could be disclosed – whether as a result of litigation or investigation, or because of a subject access request under the GDPR. The watchwords of record-keeping are therefore accuracy, clarity, professionalism and objectivity.
- A note on secure disposal of documents
For confidential, sensitive or personal information to be considered securely disposed of, it must be in a condition where it cannot either be read or reconstructed. Skips and ‘regular’ waste disposal will not be considered secure.
Paper records should be shredded using a cross-cutting shredder; CDs/ DVDs/ diskettes should be cut into pieces. Hard-copy images, AV recordings and hard disks should be dismantled and destroyed. Where third party disposal experts are used they should ideally be supervised but, in any event, under adequate contractual obligations to the school to process and dispose of the information securely.
How to use the table of suggested retention periods
The table at the end of this guidance document has three main functions:
- it should help schools and staff identify the key types of document concerned.
- it should focus attention on any particular issues associated with those types of document.
- finally – and this needs to be emphasised – it acts as an outline guide only.
Note that, except where there is a specific statutory obligation to destroy records, it is misleading to present (or apply) any guidance as if it constitutes prescriptive time ‘limits’. Figures given are not intended as a substitute for exercising thought and judgment, or taking specific advice, depending on the circumstances.
Indeed, the essence of this guidance can be boiled down to the necessity of exercising thought and judgment – albeit that practical considerations mean that case-by-case ‘pruning’ of records may be impossible. It is accepted that sometimes a more systemic or broad-brush approach is necessary, which is where the table comes in.
|Type of Record/Document||Suggested Retention Period|
|• Registration documents of School||Permanent (or until closure of the school)|
|• Attendance Register||6 years from last date of entry, then archive|
|• Minutes of Governors’ meetings||6 years from date of meeting|
|• Annual curriculum||From end of year: 3 years (or 1 year for other class records: eg marks/timetables/assignments)|
|INDIVIDUAL PUPIL RECORDS||NB – this will generally be personal data|
|• Admissions: application forms, assessments, records of decisions||25 years from date of birth (or, if pupil not admitted, up to 7 years from that decision).|
|• Examination results (external or internal)||7 years from pupil leaving school|
|• Pupil file including: pupil reports; pupil performance records; pupil medical records||ALL: 25 years from date of birth* (* unless there is good reason to consider this may be applicable evidence in a medical negligence or abuse claim: see ‘Safeguarding’ below.)|
|• Special educational needs records (to be risk assessed individually)||Date of birth plus up to 35 years (allowing for special extensions to statutory limitation period)|
|• Policies and procedures||Keep a permanent record of historic policies|
|• DBS disclosure certificates (potentially sensitive personal data & must be secure)||No longer than 6 months from decision on recruitment, unless DBS specifically consulted – but keep a record of the fact that checks were undertaken, if not the|
|• Incident reporting||Keep on record for 35 years, ideally reviewed regularly (eg every 6 years) if a suitably qualified person is available and resources allow. Courts may be sympathetic if not, but the ICO (Information Commissioner’s Office) will expect to see responsible assessment policy in place.|
|Limitation periods can be disapplied in criminal or civil abuse cases. However, rights under the GDPR and insurers’ requirements remain relevant.|
|CORPORATE RECORDS (where applicable)||Eg. where schools have trading arms|
|• Certificates of Incorporation||Permanent (or until dissolution of the company)|
|• Minutes, Notes and Resolutions of Boards or Management Meetings||Minimum – 10 years|
|• Shareholder resolutions||Minimum – 10 years|
|• Register of Members/Shareholders||Permanent (minimum 10 years for ex-members/|
|• Annual reports||Minimum – 6 years|
|• Accounting records (normally taken to mean records which enable a company’s accurate financial position to be ascertained & which give a true and fair view of the company’s financial state) (NB specific ambit to be advised by an accountancy expert)||Minimum – 3 years for private UK companies (except where still necessary for tax returns). Minimum – 6 years for UK charities (and public companies) from the end of the financial year in which the transaction took place. Internationally: can be up to 20 years depending on local legal/accountancy requirements|
|• Tax returns||Minimum – 6 years|
|• VAT returns||Minimum – 6 years|
|• Budget and internal financial reports||Minimum – 3 years|
|CONTRACTS AND AGREEMENTS|
|Signed or final/concluded agreements (plus any signed or final/concluded variations or amendments)||Minimum – 7 years from completion of contractual obligations or term of agreement, whichever is the later|
|Deeds (or contracts under seal)||Minimum – 13 years from completion of contractual obligation or term of agreement|
|INTELLECTUAL PROPERTY RECORDS|
|Formal documents of title (trade mark or registered design certificates; patent or utility model certificates)||Permanent (in the case of any right which can be permanently extended, eg. trade marks); otherwise expiry of right plus minimum of 7 years.|
|Assignments of intellectual property to or from||As above in relation to contracts (7 years) or, where applicable, deeds (13 years).|
|IP/ IT agreements (including software licences and ancillary agreements eg maintenance; storage; development; co-existence agreements;||Minimum – 7 years from completion of contractual obligation concerned or term of agreement|
|EMPLOYEE/ PERSONNEL RECORDS||NB this will almost certainly be personal data|
|• Contracts of employment||Minimum – 7 years from effective date of end of contract|
|• Employee appraisals or reviews and staff||Duration of employment plus minimum of 7 years|
|• Payroll, salary, maternity pay records||Minimum – 6 years|
|• Pension or other benefit schedule records||Possibly permanent, depending on nature of scheme|
|• Job application and interview/rejection records (unsuccessful applicants)||Minimum – 3 years (but see note of DBS disclosure|
|• Immigration records||Minimum – 4 years|
|• Health records relating to employees||Minimum of 7 years from end of contract of employment|
|• Insurance policies (will vary – private, public, professional indemnity)||Duration of policy (or as required by policy) plus a period for any run-off arrangement and coverage of insured risks: ideally, until it is possible to calculate that no living person could make a claim.|
|• Correspondence related to claims/ renewals/notification re: insurance||Minimum – 7 years|
|ENVIRONMENTAL & HEALTH RECORDS|
|• Maintenance logs||10 years from date of last entry|
|• Accidents to children||25 years from birth (unless safeguarding incident)|
|• Accident at work records (staff)||Minimum – 4 years from date of accident, but review case-by-case where possible|
|• Staff use of hazardous substances||Minimum – 7 years from end of date of use|
|• Risk assessments (carried out in respect of above)||7 years from completion of relevant project, incident, event or activity|
- General basis of suggestion:
Some of these periods will be mandatory legal requirements (eg under the Companies Act 2006 or the Charities Act 2011), but in the majority of cases these decisions are up to the institution concerned. The suggestions will therefore be based on practical considerations for retention such as limitation periods for legal claims, and guidance from Courts, weighed against whether there is a reasonable argument in respect of data protection.
- Retention period for tax purposes should always be made by reference to specific legal or
- Be aware that latent injuries can take years to manifest, and the limitation period for claims reflects this: so keep a note of all procedures as they were at the time, and keep a record that they were followed. Also keep the relevant insurance documents.