Retention and Managing Information - How to make sense of requirements

Posted 7th May 2025

This blog is based on Judicium’s Safeguarding and Data Protection ‘Sofa Session’ from the 7th of May, with Lane Baker. This session focused on information retention: how schools keep information, best practice for managing records, and logs and records.

While we won’t dive into exact timeframes for every type of school record, we will look at understanding why retention matters, how schools can implement best practices, and the role of staff and EdTech in keeping things compliant and under control.


Why Does Retention Matter?

From safeguarding to subject access requests, the way schools store and manage data plays a vital role in their overall data protection strategy.

Retention ties directly into the core UK GDPR principles, particularly:
  • Accountability – Schools must show they keep data only as long as necessary. Having a documented retention policy is key evidence of this.
  • Storage Limitation – Keeping data beyond its useful life breaches GDPR. Schools need to delete data once it's no longer needed.
  • Security – The longer data is held, the greater the risk. Schools that retain data unnecessarily could expose themselves to higher risk in the event of a breach.

Example: Following a cyber-attack, a school found itself overwhelmed with disorganised folders and outdated data that should have been deleted years prior. The breach response was delayed, and risk assessment was difficult. Had the school maintained an effective retention schedule, it would have reduced exposure and improved incident response time.

The Role of the Data Map

A data map is a visual representation of what personal data the school holds, where it is stored, and how it is used. If you do not have one in place, please contact your DPO.

If used and updated properly, a data map helps a school follow its retention processes, as it gives a clear overview of what data is held, where it’s held, why it’s stored, and how long it should be kept.

As noted in the cyber-attack example above, the data map is a good document to review following an attack because it helps the school:
  • Quickly identify what data was affected; knowing where sensitive or personal data is stored helps assess the scope of a breach
  • Assess risk and impact
  • Guide incident response by helping the team isolate affected areas
  • Quickly provide the clarity the ICO may expect on what data was compromised

Tip: If your school doesn’t have a data map in place, your DPO can help you get started. Judicium also provides a helpful data mapping tool via Jedu, which streamlines this process.

Take a look at our Sofa Session on Data Mapping.

A clear retention policy and set of procedures help achieve the following:

  • Ensure compliance with legal and regulatory requirements
  • Reduce risk by securely discarding unnecessary records
  • Improve operational efficiency and reduce storage costs
  • Protect sensitive student and staff information
  • Enable quick access to important records when needed

Categories of Records: A Quick Overview

We’re often asked how long schools should keep specific records. While we can’t cover every timeframe here, there are a few key points to remember:
  • Pupil Records: There’s no law requiring schools to keep all pupil records until age 25, which is roughly six years after a pupil has left. However, the Limitation Act 1980 and safeguarding considerations often make it wise to retain until this age, particularly for secondary schools.
    Primary schools can generally delete records once passed to a secondary school, as the responsibility shifts to the ‘last known school’.
  • Staff Data: Retention periods for personnel records are generally around six years after an employee leaves, unless specific circumstances apply.
  • Finance Records: Often governed by legislation such as the Taxes Management Act 1970.

Always refer to the IRMS retention schedule for specific guidance and speak to your DPO for clarification.


Email Retention

We get this question a lot: How long should we keep emails?

Emails should only be retained as long as necessary. They’re not records in themselves but may contain important information. Ask:
  • Does the email relate to safeguarding?
  • Is it part of a contract or HR matter?
  • Should it be saved elsewhere (e.g. MIS)?

Once saved appropriately, delete the original.

The retention period for these e-mails will then correspond to that of the relevant record types in the Retention Schedule for schools. These e-mails may need to be saved into an appropriate electronic filing system or printed out and placed on paper files. Similarly, information contained within these e-mails should be recorded in the appropriate place (e.g. the MIS or behaviour management system). Once this is done, the original can be deleted.

The school can consider implementing an electronic rule whereby e-mails in inboxes are automatically deleted after a period, assuming any emails that are necessary to keep have been filed away. The school can also consider implementing procedures for the management of inboxes of staff who have left the organisation.

If the school is confident that there is a good manual deletion process in place, then this can also continue. However, automatic deletion will take the obligation off staff to go through their inboxes manually.

Limiting the information which is retained will also mitigate the school’s liability in the event of a breach, as noted earlier, and will reduce the amount of electronic storage required.

Additionally, this will assist greatly in reducing the amount of information potentially disclosable if a subject access request is received. Should the school receive a subject access request for emails containing someone’s data, it is likely that there will be a lot less data to compile, sort and redact if there is an automatic email retention time in place. If you don’t need the email, delete it.

Staff Responsibility and Training

Clear communication is essential. Staff should understand:
  • What data they are responsible for.
  • How long it should be kept.
  • When and how to delete it.

Make your retention schedule visible and offer regular training. Assign specific responsibilities for reviewing and destroying old records.

And don’t forget: electronic records must be managed as carefully as paper ones. That means encouraging staff to keep digital folders tidy, regularly review stored files, and delete what’s no longer necessary.


The Future of Retention Across EdTech

As EdTech continues to shape the education sector, schools face new compliance challenges.

As part of our ongoing efforts to streamline the compliance environment for education providers, Judicium have engaged with the Information Commissioner’s Office (ICO) to discuss the data protection compliance challenges schools and education providers face when using edtech tools, such as the MIS.

We’re working with the ICO to highlight issues around:
  • MIS platforms that don’t allow proper deletion.
  • Email systems lacking auto-delete features.
  • Software providers with unclear privacy terms.
  • Difficulties obtaining data for SARs.

We encourage schools to share their experiences via our survey – your feedback is helping shape future discussions with the ICO. You can access the survey here.

Retention Rules for Safeguarding Data

Retention rules for safeguarding data are another critical area of consideration:
  • Safeguarding records related to children should be retained until the child’s date of birth plus 25 years, after which they should be reviewed.
  • Records relating to child sexual abuse should be retained indefinitely, as recommended by the Independent Inquiry into Child Sexual Abuse (IICSA).
  • Allegations against staff that are found to be false or malicious must not be retained on personnel files. However, records of unsubstantiated or founded allegations should be kept until the individual reaches normal pension age or for 10 years, whichever is longer.

Final Thoughts

Schools should avoid the temptation to keep everything ‘just in case’. Instead:
  • Know what you have.
  • Understand why you have it.
  • Regularly review and delete what you don’t need.

By following these steps, you protect pupils and staff, support operational efficiency, and strengthen your overall compliance.

If you'd like help with your data retention policy, data mapping tools, or staff training, Judicium is here to support you every step of the way.

If you would like further information on the retention and sharing of Safeguarding data, please see our blog on Golden Rules for Safeguarding and Data Sharing.


Additional Info

Meeting digital and technology standards in schools and colleges - Guidance from GOV.UK

You can find information regarding our School Data Protection Officer (DPO) service here.

Jedu is Judicium's online GDPR compliance tracking software for schools. Our platform is suitable for single schools to large MATs and is designed to assist schools with two critical needs: to enable trustees, Governors and other SLT to monitor GDPR compliance, and to assist you in managing your data protection.

If you would like more information on how we can support you or more information regarding Jedu, please get in touch with us.

If you require support with any of these steps or would like to talk to someone about support for your school, please do not hesitate to call us on 0345 548 7000 or email georgina.decosta@judicium.com.

Follow us on Twitter: @DPOforSchools and @JudiciumEDU

© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attend and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium preventing you from accessing our sessions and/or follow-up content.

