A Records Retention Schedule (RRS) documents the length of time University records should be retained in order to comply with legal or regulatory requirements and our operational needs. It is an important element in effective records management.
It supports our policy on retention of our records and helps establish consistent practice across the organisation. The schedules ensure business records are kept for as long as they are needed (accounting for effective operations, legislative compliance, regulatory compliance, demonstrable accountability). They are also kept only for as long as they are needed (and not longer), so storage space (both physical and virtual/electronic) is used effectively.
This RRS is based upon a generic schedule developed by JISC and published on the web at http://bcs.jiscinfonet.ac.uk/he/. It is divided into ARU business areas and within each business area, a number of record types are described.
The retention periods specified in each specific Service Area are the maximum recommended periods for particular record types, and are based on relevant legislative requirements, common practice in the Higher Education sector or our own identified need. Under certain circumstances, longer periods may apply to certain groups of records, such as where the records are subject to a Freedom of Information request, an ongoing complaint, court action, an audit or extenuating business requirements. There may also be situations where records are subject to external temporary regulatory requirements determining a different (longer or shorter) retention period. We must also note that any records that are identified as CAY (Current Academic Year) refers to the last academic year in question for the record. An example of this would be CAY for a student would be the last academic year of their studies.
Our Records Retention Schedules are living documents and subject to change and revision as determined by University structures and organisation, operations and external influences such as legislation revisions and guidance on best practice.
A number of our systems currently have limited capability to delete records or anonymise the content. The University is currently engaged in initiatives to improve this functionality either by requiring the supplier to develop the necessary changes and we are therefore waiting for this to be delivered, developing our own bespoke solution and managing the project to deliver this, or reviewing alternative systems to replace existing ones. The entries on our retention schedule where data is held in these systems is therefore a statement of our intention to manage personal data to the stated timescales once the functionality is available to us. In the meantime, where data may be held beyond a retention period, the University will have safeguards in place to ensure that it is not processed in a manner which impacts adversely on data subjects.
This schedule documents the retention periods for records held by Anglia Ruskin University. It is mandated by and supports our Records Retention Policy. It has been written following consultation with representatives of the relevant functional areas and based on JISC guidance on University records retention.
The retention schedule is an important element in the ‘whole life’ management of University Records. Defining the length of time a record should be retained is a key factor in determining the most efficient and appropriate methods of creating, storing and disseminating them. Our retention periods are formulated based on a number of factors:
This retention schedule is formally reviewed annually as part of the University’s Data Protection compliance activity. It may also be subject to minor revisions periodically where additions, amendments and deletions are required.
In order to make changes to content on the schedule, a Faculty or Professional Service Data Owner should contact the Information Compliance Team identifying the amendment or addition to be made and confirming details of why the change is required. The University is required to be able to justify its retention rules on request from the public and the change process must challenge the justification of a proposed change accordingly.
Our Privacy Notices on which we are legally required to explain the terms and conditions under which we obtain personal data all refer the data subject to the schedule for retention information. It is not practical to advise and inform all data subjects of changes made to the schedule therefore they are advised on the Privacy Notices to periodically check for changes. It is a Data Owners’ responsibility to communicate changes in retention practice to relevant staff.
If staff become aware or are notified of any inaccuracies within the schedule, any records that are not covered within the schedule or any points of clarification, you should inform the relevant Data Owner (usually a team or service manager) who will then engage with the Information Compliance Team over the change process.
Data Owners are responsible for ensuring that the records under their control are deleted/destroyed in line with the schedule and being able to record that the activity has been undertaken appropriately with management oversight and approval. This activity will support an annual compliance check where Deans and Directors will be required to confirm that retention activity has been performed in line with ARU policy and this will be reported to CMT.