• Home
  • Login
  • Welcome to the Staff Intranet
YOU ARE HERE: Skip Navigation LinksEdinburgh Napier Staff Intranet > Service Depts > Governance & Compliance > Governance Services > Data Protection > Code of Practice > Retention of Records Containing Personal Data

20. Retention of Records Containing Personal Data

Huge stack of files ​

There has been considerable development in records management in recent years, which has been driven not only by the statutory requirements of Data Protection legislation, the Freedom of Information (Scotland) Act (FOISA) and the Environmental Information Regulations 2004 (EIRs), but also by the data retention requirements of the legislative and regulatory framework, within which HE institutions operate.

 

20.1 Records Retention under Data Protection Legislation

Data Protection legislation requires that personal data is kept only for as long as is necessary. The relevant retention period for individual classes of data are determined by statutory requirements, professional requirements or best practice.

 

20.2 University and JISC Retention Schedules

All staff must be aware of their obligations for the appropriate retention of records containing personal data. Governance Services staff are working with Schools and Service Departments to develop their retention schedules.

 

Staff are also advised to refer to JISC's Business Classification Scheme (BCS) and Records Retention Schedules (RRS) for Further Education Institutions and Higher Education Institutions.

 

Files20.3 Destruction of Records Containing Personal Data

Once it has been established that records containing personal data may be destroyed, this must be done in accordance with the University's guidance on the Safe Disposal of Confidential Waste.

 

20.4 Record of Destruction

In order to ensure that the University will be able to demonstrate its legislative compliance in the event of a request under the DPA, (or FOI(S) A, EIRs) being received, a record of the data which has been destroyed and the basis on which this was done (e.g. in accordance with a legal requirement) must be kept for five years by the area in which the destruction took place. The University's Record Disposal form should be used for this purpose.