20. Retention of Records Containing Personal Data
Download this section as a print-friendly PDF document.
There has been considerable development in records management in recent years, which has been driven not only by the statutory requirements of the DPA 1998, the Freedom of Information (Scotland) Act (FOISA) and the Environmental Information Regulations 2004 (EIRs), but also by the data retention requirements of the legislative and regulatory framework, within which HE institutions operate.
The DPA 1998 requires that personal data is kept only for as long as is necessary. The relevant retention period for individual classes of data are determined by statutory requirements, professional requirements or best practice.
All staff must be aware of their obligations for the appropriate retention of records containing personal data. The University's Records Management Unit is actively developing retention schedules.
Staff are also advised to refer to JISC's Business Classification Scheme (BCS) and Records Retention Schedules (RRS) for Further Education Institutions and Higher Education Institutions, and, in particular, the Records Retention Schedules for FEIs and HEIs.
Once it has been established that records containing personal data may be destroyed, this must be done in accordance with the University's guidance on the Safe Disposal of Confidential Waste.
In order to ensure that the University will be able to demonstrate its legislative compliance in the event of a request under the DPA, (or FOI(S) A, EIRs) being received, a record of the data which has been destroyed and the basis on which this was done (e.g. in accordance with a legal requirement) must be kept for five years by the area in which the destruction took place. The University's Record Disposal form should be used for this purpose.