EdPlace Data Retention
Version history log
| Version | Description of Change | Date of Policy Release by Judicium |
|---|---|---|
| 1 | Initial issue. | 06/05/2018 |
| 2 | Updated to include references to UK GDPR. | |
| 3 | Updated with statutory references for certain retention periods. | |
| 4 | Changed retention period for accident records for under 18s to age of 21 with a comment to explain why. | November 2021 |
| 5 | Formatting amendments. | 04/08/2022 |
| 6 |
Updated with statutory references for certain retention periods. Revised guidance on retention of student records. Additional categories of records detailed in the retention schedule. Further information detailed following conclusion of ISCA. | 30/11/2024 |
EdPlace Limited has a responsibility to maintain its records and record keeping systems. When doing this, the Company will take account of the following factors:
- The most efficient and effective way of storing records and information;
- The confidential nature of the records and information stored;
- The security of the record systems used;
- Privacy and disclosure; and
- Accessibility of records and record keeping systems.
This policy does not form part of any employee's contract of employment and is not intended to have contractual effect. It does, however, reflect the Company’s current practice, the requirements of current legislation and best practice and guidance. It may be amended by the Company from time to time and any changes will be notified to employees and customers within one month of the date on which the change is intended to take effect. The Company may also vary any parts of this procedure, including any time limits, as appropriate in any case.
Data Protection
This policy sets out how long employment-related and other personal data will normally be held by the Company and when that information will be confidentially destroyed in compliance with the terms of the UK General Data Protection Regulation (UK GDPR) and the Freedom of Information Act 2000.
Data will be stored and processed to allow for the efficient operation of the Company. The Company’s Data Protection Policy here outlines its duties and obligations under the UK GDPR.
Retention Schedule
Information (hard copy and electronic) will be retained for at least the period specified in the attached retention schedule. When managing records, the Company will adhere to the standard retention times listed within that schedule.
The retention schedule refers to all records regardless of the media (e.g., paper, electronic, microfilm, photographic etc) in/on which they are stored. All records will be regularly monitored by the Data Protection Officer and audited at least on an annual basis.
Destruction of Records
The schedule is a relatively lengthy document listing the many types of records used by the Company and the applicable retention periods for each record type. The retention periods are based on business needs and legal requirements.
Where records have been identified for destruction, they should be disposed of in an appropriate way. All information must be reviewed before destruction to determine whether there are special factors that mean destruction should be delayed, such as potential litigation, complaints or grievances.
All paper records containing personal information or sensitive policy information should be shredded before disposal where possible. All other paper records should be disposed of by an appropriate waste paper merchant. All electronic information will be deleted.
The Company maintains a database of records which have been destroyed and who authorised their destruction. When destroying documents, the appropriate staff member should record in this list the following: -
- File reference (or other unique identifier);
- File title/description;
- Number of files;
- Name of the authorising officer;
- Date destroyed or deleted from system; and
- Person(s) who undertook destruction.
Retention of Safeguarding Records
Any allegations made that are found to be malicious must not be part of the personnel records.
For any other allegations made, the Company must keep a comprehensive summary of the allegation made, details of how the investigation was looked into and resolved and any decisions reached. This should be kept on the personnel files of the accused.
Any allegations made of sexual abuse should be preserved by the Company for the term of an inquiry by the Independent Inquiry into Child Sexual Abuse. All other records (for example, the personnel file of the accused) should be retained until the accused has reached normal pension age or for a period of 10 years from the date of the allegation if that is longer. In 2022, the Independent Inquiry into Child Sexual Abuse (IICSA) concluded and published their final report, leaving a recommendation that all records relating to child sexual abuse should be retained for a period of 75 years.
The ICO has not currently produced guidance or frameworks regarding retention as recommended by the inquiry. Until this has been produced, records will still be retained for a prolonged period as recommended initially by IISCA in order to fulfil potential legal duties that the Company may have in relation to the inquiry or any further guidance.
Archiving
Where records have been identified as being worthy of preservation over the longer term, arrangements should be made to transfer the records to the archives. A database of the records sent to the archives is maintained by the Data Protection Officer. The appropriate staff member, when archiving documents should record in this list the following information:-
- File reference (or other unique identifier);
- File title/description;
- Number of files; and
- Name of the authorising officer.
Transferring Information to Other Media
Where lengthy retention periods have been allocated to records, members of staff may wish to consider converting paper records to other media such as digital media or virtual storage centres (such as cloud storage). The lifespan of the media and the ability to migrate data where necessary should always be considered.
Responsibility and Monitoring
The Data Protection Officer has primary and day-to-day responsibility for implementing this policy. The Data Protection Officer, in conjunction with the Company is responsible for monitoring its use and effectiveness and dealing with any queries on its interpretation. The Data Protection Officer will consider the suitability and adequacy of this policy and report improvements directly to management.
Internal control systems and procedures will be subject to regular audits to provide assurance that they are effective in creating, maintaining and removing records.
Management at all levels are responsible for ensuring those reporting to them are made aware of and understand this policy and are given adequate and regular training on it.
Emails
Emails accounts are not a case management tool in itself. Generally, emails may need to fall under different retention periods (for example, an email regarding a health and safety report will be subject to a different time frame to an email which forms part of a student record). It is important to note that the retention period will depend on the content of the email and it is important that staff file those emails in the relevant areas to avoid the data becoming lost.
Rentention Schedule
| FILE DESCRIPTION | RETENTION PERIOD |
|---|---|
| Employment Record | |
| Job applications and interview records of unsuccessful candidates | Six months after notifying unsuccessful candidates, unless the Company has applicants’ consent to keep their CVs for future reference. In this case, application forms will give applicants the opportunity to object to their details being retained. |
| Job applications and interview records of successful candidates | Added to staff personnel file and retained in line with that record (6 years after employment ceases). |
| Written particulars of employment, contracts of employment and changes to terms and conditions | Added to staff personnel file and retained in line with that record 6 years after employment ceases. |
| Right to work documentation including identification documents and immigration checks | Kept separately from personnel file and retained for 2 years after employment ceases. |
| DBS checks and disclosures of criminal records forms | DBS certificates should be destroyed as soon as practicable after the check has been completed and the outcome recorded (i.e. whether it is satisfactory or not) unless in exceptional circumstances (for example to allow for consideration and resolution of any disputes or complaints) in which case, for no longer than 6 months. |
| Change of personal details notifications | No longer than 6 months after receiving this notification. |
| Emergency contact details | While employment continues and up to six years after employment ceases (Limitation Act 1980). |
| Annual leave records | Six years after the end of tax year they relate to or possibly longer if leave can be carried over from year to year. |
| Consents for the processing of personal and sensitive data | For as long as the data is being processed and up to 6 years afterwards. |
| Working Time Regulations:
- Opt out forms - Records of compliance with WTR | - Two years from the date on which they were entered into; - Two years after the relevant period. |
| Disciplinary records | 6 years after employment ceases (Limitation Act 1980). |
| Grievance records | 6 years after employment ceases (Limitation Act 1980). |
| Training | 6 years after employment ceases (Limitation Act 1980) or length of time required by the professional body. |
| Staff training where it relates to safeguarding or other child related training | Date of the training plus 40 years (this retention period reflects that the IICSA may wish to see training records as part of an investigation). |
| Annual appraisal/assessment records | Current year plus 3 years. |
| Professional Development Plans | Life of the plan or plan superseded + 6 years. |
| Allegations of a child protection nature against a member of staff including where the allegation is unfounded | 10 years from the date of the allegation or the person’s normal retirement age (whichever is longer). This should be kept under review. Malicious allegations should be removed. |
| Financial and Payroll Records | |
| Staff financial records (pension, retirement, payroll, parental leave, SSP, bank details, NI, etc.) | Retained and managed at a Group level. |
| Insurance | Current year plus 6 years (Taxes Management Act 1970; Income and Corporation Taxes 1988). |
| Annual accounts | Current year plus 6 years. |
| Loans and grants awarded to the Company | Date of last payment + 12 years. |
| All records relating to the creation and management of budgets | Life of the budget plus 3 years. |
| Invoices, receipts, order books and requisitions, delivery notices | Current financial year plus 6 years. |
| Health and Safety Records – retained and managed at a Group level | |
| Temporary and Casual Workers | |
| Records relating to hours worked and payments made to workers | 3 years. |
| Customer Records | |
| Customer accounts & linked student data – partial and no-use registrations | Data anonymised and record removed on a 6-monthly cycle. |
| Customer accounts & linked student data – accounts with over 2 years of no activity | Data anonymised and record removed on a 6-monthly cycle. |
| Customer accounts & linked student data – removal requested | On demand. |
| Customer requests, including call logs, emails and correspondence | Retained for 4 years after investigation ceases. |
| Specific customer information relating to the investigation of a customer query | Retained only for the length of the investigation, unless the query becomes a complaint at any point (see below). |
| Specific customer information relating to the set-up, delivery and assessment of our tuition services | Retained for 2 years after tuition ceases. |
| Recordings of tuition sessions held (only recorded for safeguarding and quality assurance purposes) | 12 months from the date of recording. |
| Records relating to complaints made to and investigated by the Company | Major complaints: current year plus 6 years. If negligence was involved: current year plus 15 years. If child protection or safeguarding issues were involved then: current year plus 40 years. |
| Other records | |
| Staff emails | 4 years. |
| Staff instant messages | 4 years. |
| Policy documentation, registers and incident recording (including legal advice and guidance) | Until replaced plus 6 years. |