Retention

Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.

Contents

Control measure: Storage periods for all personal information are documented in a retention schedule.

Risk: Without a retention schedule, information may be retained for longer than necessary. This may breach UK GDPR articles 5(1)(a-f), 5 (2), and 32.

Ways to meet our expectations:

Produce a retention schedule that reflects business needs and legal requirements.
Document in detail how long to keep each category of personal information for and why.
Document the actions to take after the retention period (eg anonymisation, archiving, or deletion).

Options to consider:

Use an automated system that tags records with a retention date and automatically prompts for action at this date.
Publish the retention schedule.

Control measure: The retention schedule is reviewed regularly to check it meets all necessary requirements.

Risk: If processing is changed without updating the retention schedule, information may be held for an incorrect period. This may breach UK GDPR article 5(1)(e).

Ways to meet our expectations:

Regularly review the retention schedule so it continues to meet business needs and legal requirements.
Update the retention schedule quickly when a change is required.

Options to consider:

Have appropriate document and version control in the retention schedule.
Add the retention schedule review as a standing agenda item in relevant meetings.
Clearly communicate changes to retention periods to relevant staff.

Control measure: The retention schedule and process is owned by an appropriate staff member.

Risk: If there isn't a designated staff member responsible for retention, information may be kept too long or not saved. This may breach UK GDPR article 5(1)(e).

Ways to meet our expectations:

Assign responsibility for the retention schedule and deletion process to an appropriate staff member(s).
Provide specialised training for staff who handle retention or deletion.
Record specialist training requirements in a training needs analysis or training programme for staff who handle retention or deletion.

Options to consider:

Document retention responsibilities in job descriptions.
Add retention and deletion processes as a standing agenda item in relevant meetings.
Record minutes of meetings where retention and deletion decisions are made.

Control measure: Retained physical records are converted into electronic form, where possible, and physical copies are securely destroyed.

Risk: When stored for long periods, physical records are at a higher risk of degradation, loss, or tampering.

Ways to meet our expectations:

Scan physical records or manually input information into electronic systems, where possible.
Destroy physical records securely after information is saved electronically.

Options to consider:

Use a third-party records management provider to scan physical records in bulk.
Keep confirmation of the destruction of physical copies with the electronic copy, to help you respond to individual rights requests.

Control measure: Information or records are weeded periodically to prevent inaccuracies or excessive retention.

Risk: Without periodic weeding, information may be retained when it isn't accurate, relevant, or required. This may breach UK GDPR articles 5(1)(a-f) and 5(2).

Ways to meet our expectations:

Document information weeding processes in policies.
Regularly complete weeding activities.
Ensure staff understand the importance of weeding and how it supports compliance with data protection law.

Options to consider:

Use system rules or automated alerts to highlight records for weeding.
Run regular staff awareness exercises.