The update advises carrying out an annual audit to check what personal data your organisation holds. Using a retention schedule, like the one provided by Data Protection Education, will help you to document how long you will keep different types of data for.
The Data Protection Act 2018 and UK GDPR say you should only keep data for as long as you need it - you should regularly check what data you hold against your schedule. You should also regularly review (or check in with us) to see if there have been any legislation changes which mean you should update your schedule.
Safe disposal of data that is no longer required is paramount - confidential data remains confidential, even if you no longer need it. See: Managing Confidential Waste.
The guidance is set out as follows:
Develop a data retention policy - this policy should explain how long you need to keep information. It should set out:
- why you are holding this data
- your justification for keeping the data
- the lawful basis for processing and keeping the data
- whether you will pass this data on and, if so, whether you need to keep it once you have passed it on
- the steps you will take when you destroy any personal data
Carry out a personal data audit - you should regularly review what personal data you hold and check whether it is accurate and still needed. Categorising data can help you apply retention policies and schedules. All systems, both paper and digital, need to be considered.
Depersonalise personal data - you may wish to keep some data for analytical purposes, in which case, you should either remove the personal data completely or replace the personal data with non-personal identifiers.
Dispose of personal data - you should ensure you dispose of any data appropriately and your retention policy must include procedures for safely destroying personal data. For example, by shredding paper documents.
Create a data retention schedule - this documents how long you will keep the data for. You may be keeping it for operational needs or legal requirements. You should check against any statutory requirements.
The full update: 👉 DfE Record Keeping and Management
Review our Records Management Best Practice Area for template policies and guidance. Consider completing our Data Retention and Destruction Best Practice Checklist to see where you are now.