Data Care

Data Retention & Disposal

This schedule sets how long we keep information, why, and how we dispose of it securely. It balances safeguarding, statutory, and heritage obligations with the rights of individuals under UK GDPR.

Retention principles

  • Keep data only for as long as necessary for legal, safeguarding, or operational purposes.
  • Minimise personal data in archives; where retention is justified, apply access controls and audit trails.
  • Document lawful bases and review periods for each category of information.

Typical periods

Membership and governance records: 10 years; safeguarding records: minimum 25 years or in line with statutory guidance; grant files: 7 years; education evidence: programme duration plus 3 years; marketing consent: until withdrawn. Where law requires longer retention, this is noted in the register.

Secure disposal

Paper records are cross-shredded or collected by a certified provider. Digital files are deleted from active systems and backups in line with supplier processes, with certificates or logs retained. Archival material is anonymised where possible.