Data retention

Records retention


Records Retention Schedule Guidance


Legal Requirements

  • The Data Protection Act 2018 – The Act regulates how the University processes personal information, protects individuals from the misuse of this information and provides individuals with rights over how it is managed. The Act requires that personal data is not held for longer than necessary and requires us to explain to data subjects how long their data will be held by us. These requirements drive the creation and maintenance of our Records Retention Schedule.
  • Freedom of Information Act 2000 – The Act provides a general right of access to the University’s records: the public have the right to be told whether information exists and to receive that information (subject to certain exemptions) within 20 working days of making a request. It is an offence to deliberately withhold or destroy information to prevent disclosure, so the University must demonstrate that any destruction takes place according to documented retention periods. A Code of Practice under the Act requires that public bodies make available a retention schedule to support transparency.
  • The Limitation Act 1980 – Provides for a defined time-scale beyond which recipients of services can no longer complain to service providers. We use this provision to cover retention of most of our records relating to our students, staff and contracts.
  • Finance Act 2007 – Provides HMRC with rights of access to financial records. We use these provisions to manage retention of our key finance and accounting records.
  • Guidance and Standards: Professional, Statutory and Regulatory Bodies – Courses accredited by professional, statutory or regulatory bodies may be subject to specific retention requirements in order to support complaints, reviews and standards audits.
  • Higher Education Sector Retention Guidance – JISC guidance is available to the HE community and provides a valuable resource for best practice amongst peer organisations.
  • Business Need – Where no statutory or regulatory requirements dictate retention practice, the University needs to establish the business need for retention. Factors can include the ongoing cost of storage and experience of the need to gain access to the records to defend complaints and legal claims, to support audits and to justify past actions.

Changes to the Schedule

This retention schedule is formally reviewed annually as part of the University’s Data Protection compliance activity. It may also be subject to minor revisions periodically where additions, amendments and deletions are required.

In order to make changes to content on the schedule, a Faculty or Professional Service Data Owner should contact the Information Compliance Team identifying the amendment or addition to be made and confirming details of why the change is required. The University is required to be able to justify its retention rules on request from the public and the change process must challenge the justification of a proposed change accordingly.

Our Privacy Notices, in which we are legally required to explain the terms and conditions under which we obtain personal data, all refer the data subject to the schedule for retention information. It is not practical to advise and inform all data subjects of changes made to the schedule, so the Privacy Notices advise them to check periodically for changes. It is the Data Owner's responsibility to communicate changes in retention practice to relevant staff.

If you become aware, or are notified, of any inaccuracies within the schedule, any records that are not covered by the schedule, or any points needing clarification, you should inform the relevant Data Owner (usually a team or service manager), who will then engage with the Information Compliance Team over the change process.


Implementation & Monitoring

Data Owners are responsible for ensuring that the records under their control are deleted or destroyed in line with the schedule, and for being able to record that the activity has been undertaken appropriately with management oversight and approval. This activity will support an annual compliance check in which Deans and Directors will be required to confirm that retention activity has been performed in line with ARU policy; the outcome will be reported to CMT.
