Data retention

A Records Retention Schedule (RRS) documents the length of time University records should be retained in order to comply with legal or regulatory requirements and our operational needs. It is an important element in effective records management.

It supports our policy on retention of our records and helps establish consistent practice across the organisation. The schedules ensure business records are kept for as long as they are needed (accounting for effective operations, legislative compliance, regulatory compliance, demonstrable accountability). They are also kept only for as long as they are needed (and not longer), so storage space (both physical and virtual/electronic) is used effectively.

This RRS is based upon a generic schedule developed by JISC. It is divided into ARU business areas and within each business area, a number of record types are described.

The retention periods specified in each specific Service Area are the maximum recommended periods for particular record types, and are based on relevant legislative requirements, common practice in the Higher Education sector or our own identified need. Under certain circumstances, longer periods may apply to certain groups of records, such as where the records are subject to a Freedom of Information request, an ongoing complaint, court action, an audit or extenuating business requirements. There may also be situations where records are subject to external temporary regulatory requirements determining a different (longer or shorter) retention period. We must also note that any records that are identified as CAY (Current Academic Year) refers to the last academic year in question for the record. An example of this would be CAY for a student would be the last academic year of their studies.

Our Records Retention Schedules are living documents and subject to change and revision as determined by University structures and organisation, operations and external influences such as legislation revisions and guidance on best practice.

A number of our systems currently have limited capability to delete records or anonymize the content. The University is currently engaged in initiatives to improve this functionality either by requiring the supplier to develop the necessary changes and we are therefore waiting for this to be delivered, developing our own bespoke solution and managing the project to deliver this, or reviewing alternative systems to replace existing ones. The entries on our retention schedule where data is held in these systems is therefore a statement of our intention to manage personal data to the stated timescales once the functionality is available to us. In the meantime, where data may be held beyond a retention period, the University will have safeguards in place to ensure that it is not processed in a manner which impacts adversely on data subjects.

This schedule documents the retention periods for records held by Anglia Ruskin University. It is mandated by and supports our Records Retention Policy. It has been written following consultation with representatives of the relevant functional areas and based on JISC guidance on University records retention.

The retention schedule is an important element in the ‘whole life’ management of University Records. Defining the length of time a record should be retained is a key factor in determining the most efficient and appropriate methods of creating, storing and disseminating them. Our retention periods are formulated based on a number of factors:

Legal Requirements

  • The Data Protection Act 2018 – The Act regulates how the University processes personal information, protects individuals from the misuse of this information and provides individuals with rights over how it is managed. The Act requires that personal data is not held for longer than necessary and requires us to explain to data subjects how long their data will be held by us. These requirements drive the creation and maintenance of our Records Retention Schedule.
  • Freedom of Information Act 2000 – The Act provides a general right of access to the University’s records: the public have the right to be told whether information exists and to receive that information (subject to certain exemptions) within 20 working days of making a request. It is an offence to deliberately withhold or destroy information to prevent disclosure, so the University must demonstrate that any destruction takes place according to documented retention periods. A Code of Practice under the Act requires that public bodies make available a retention schedule to support transparency.
  • The Limitation Act 1980 – Provides for a defined time-scale beyond which recipients of services can no longer complain to service providers. We use this provision to cover retention of most of our records relating to our students, staff and contracts.
  • Finance Act 2007 – Provides HMRC with rights of access to financial records. We use these provisions to manage retention of our key finance and accounting records.
  • Guidance and Standards: Professional, Statutory and regulatory bodies – Courses accredited by professional, statutory or regulatory bodies may be subject to specific retention requirements in order to support complaints, reviews and standards audits
  • Higher Education Sector Retention Guidance – JISC guidance is available to the HE community which provides a valuable resource for best practice amongst peer organisations
  • Business Need: Where no statutory or regulatory requirements dictate retention practice the University needs to establish the business need for retention. Factors can include the ongoing cost of storage and experience of the need to gain access to the records to defend complaints and legal claims, audits and to justify past actions.

Changes to the Schedule

This retention schedule is formally reviewed annually as part of the University’s Data Protection compliance activity. It may also be subject to minor revisions periodically where additions, amendments and deletions are required.

In order to make changes to content on the schedule, a Faculty or Professional Service Data Owner should contact the Information Compliance Team identifying the amendment or addition to be made and confirming details of why the change is required. The University is required to be able to justify its retention rules on request from the public and the change process must challenge the justification of a proposed change accordingly.

Our Privacy Notices on which we are legally required to explain the terms and conditions under which we obtain personal data all refer the data subject to the schedule for retention information. It is not practical to advise and inform all data subjects of changes made to the schedule therefore they are advised on the Privacy Notices to periodically check for changes. It is a Data Owners’ responsibility to communicate changes in retention practice to relevant staff.

If staff become aware or are notified of any inaccuracies within the schedule, any records that are not covered within the schedule or any points of clarification, you should inform the relevant Data Owner (usually a team or service manager) who will then engage with the Information Compliance Team over the change process.

Implementation & Monitoring

Data Owners are responsible for ensuring that the records under their control are deleted/destroyed in line with the schedule and being able to record that the activity has been undertaken appropriately with management oversight and approval. This activity will support an annual compliance check where Deans and Directors will be required to confirm that retention activity has been performed in line with ARU policy and this will be reported to CMT.