This guide is limited to retention guidance for records and information in higher and further education institutions.
It is aimed at information and records professionals working within these institutions, as well as anyone working within those institutions who comes into regular contact with records such as administrative, teaching and IT staff.
To achieve effective information management, it is crucial for all teams and individuals that create and handle information to be aware of the institution’s retention strategy. This will help to prevent unnecessary duplication, over-retention and data protection risk.
This guide is designed to be a strategic document rather than a complete practical guide. As there are so many different variables regarding the structure of institutions and the systems and processes they use, it was felt that trying to produce a complete how-to guide would be impractical.
For more information on student records in particular, read our guidance document (pdf).
Updates from the 2007 guidance
This is an updated version of the HE and FE records retention schedules from 2007. It has been decided to combine both the HE and FE schedules as there was a lot of repetition so items that appear in only the FE version have been added to the HE version where necessary.
Excess columns have also been removed as it was noted that the old version was difficult to navigate and contained a lot of repetitive information. The citations have been amended to reflect current legislation, and with the General Data Protection Regulation (GDPR) and Data Protection Act (DPA) 2018 in mind.
In many cases, there is not a mandated legal requirement for a specific retention period; with some items, it is dependent on individual institutional needs. In these cases, the citation will state “institutional business requirements”. Often you can use 6 years as a starting point as that is the period specified by the Limitation Act 1980 within which any legal action must be brought. But many document types may not need to be retained for this long, particularly working papers that support an official record.
General note on the Data Protection Act 2018 and General Data Protection Regulation (GDPR) (EU) 2016/679
As with the Data Protection Act 1998, GDPR Article 5(1)(e) about storage limitation specifies that personal data shall be kept for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of GDPR.
Lawful basis should be explained in plain language in a privacy notice when personal data is collected. You can find further information on what you should include in a privacy notice on the ICO website.
Personal data that is in an identifiable form must be periodically reviewed in accordance with the HEI/FEI’s retention schedules and if it is no longer needed it should be deleted or anonymised as appropriate.
Any challenges to the retention of personal data must be considered in accordance with GDPR Article 17 (Right to erasure). The right to erasure does not apply where you are legally obliged to process personal data or where the processing is necessary for performing institutional functions.
Where an HE/FE institution would be required to erase personal data but the personal data must be maintained as evidence for legal purposes or for reasons of important public interest, the HEI/FEI must (instead of erasing the personal data) restrict its processing.
Maintaining an information asset register and a record of processing activities (ROPA) as well as information flows regarding personal data will help to ensure compliance with GDPR and provide evidence in the event of a data breach if reporting a breach to the ICO.
 Anonymisation: managing data protection risk code of practice, ICO (2012).
Freedom of Information Act 2000
Freedom of Information (FoI) and Environmental Information (EIR) legislation provides the public with a right to access information held by a UK public authority, which includes most universities, colleges, or publicly-funded research institutions. It was enacted in 2000 with the full provisions coming into force on 1st January 2005 and has since been amended to include datasets.
In Scotland, the Freedom of Information (Scotland) Act 2002 fulfils the same purpose. This covers public bodies over which the Holyrood parliament, rather than Westminster, has jurisdiction.
HE and FE institutions are subject to the Act under Schedule 1 Part IV. Institutions are required to maintain a Publications Scheme which is a guide detailing the information they intend to publish routinely to comply with their obligations under the act. For help creating this document please refer to ‘definition document for universities and other higher education institutions’ or ‘definition document for colleges of further education’ ICO (2013).