To Keep or Not to Keep

Baby boomers like myself tend to hoard clothes. We were born in a time during the postwar era when new clothes were a luxury and people saved their good clothes for Sundays when they would wear their “Sunday Best”. I remember sowing my laddered tights! It was definitely not the disposable society we have today. Perhaps that has resulted in so many of us tending to hoard.

Data is a very valuable asset and some describe it as the new oil. However, just because it is valuable, does this mean we should hang on to that data “....just in case”.

Whilst the UK GDPR does not prescribe how long data should be retained, it does lay down two main principles.

The first principle is the data minimisation which states the requirement to limit data to what is necessary and not to retain more than is required for that purpose.

The second principle is the storage limitation principle which states that we must not keep data for longer than is necessary. The concept of ….”just in case” is not permitted!

We have to consider why we are holding data and must be able to justify it with a legal basis. Sometimes it is a statutory obligation and other times it is best practice. All schools should have a data retention policy which includes a schedule of all the data held along with the relevant timeframe and the justification for retaining it.

There are risks to schools who fail to adhere to the above principles:

  • Breach of retention period
  • Breach of data minimisation principle
  • Breach of storage limitation principle
  • Breach of purpose limitation principle
  • Contractual breaches
  • Personal data breach
  • Ransomware attack
  • Enforcement action
  • SARs - complaint re data still being held

All of the above risks apply to data which is held in paper format as well as electronically. Organisations including schools are required to keep data accurate, provide individuals with the option to have their data rectified and also in certain circumstances to facilitate the right to be forgotten. Therefore, although data is certainly an asset, it can also be considered a liability.

At our termly Brunch & Discuss Data Protection User Group held at Boardman House last week, we covered this subject from a number of aspects. Tom Alexander spoke about the retention of HR records. We also had a guest speaker, Julie Halliday who worked for many years as a school business manager in Newham, most recently at Gallions Primary School. Julie spoke about how she and Nicky Harman transformed Gallions into a truly paperless office and explained the huge benefits the school in terms of efficiencies and cost savings.