20. Retention of Records Containing Personal Data
There has been considerable development in records management in recent years, which has been driven not only by the statutory requirements of Data Protection legislation, the Freedom of Information (Scotland) Act (FOISA) and the Environmental Information Regulations 2004 (EIRs), but also by the data retention requirements of the legislative and regulatory framework, within which HE institutions operate.
20.1 Records Retention under Data Protection Legislation
Data Protection legislation requires that personal data is kept only for as long as is necessary. The relevant retention period for individual classes of data are determined by statutory requirements, professional requirements or best practice.
20.2 University and JISC Retention Schedules
All staff must be aware of their obligations for the appropriate retention of records containing personal data. Governance Services staff are working with Schools and Service Departments to develop their retention schedules.
Staff are also advised to refer to JISC's Business Classification Scheme (BCS) and Records Retention Schedules (RRS) for Further Education Institutions and Higher Education Institutions.
20.3 Destruction of Records Containing Personal Data
Once it has been established that records containing personal data may be destroyed, this must be done in accordance with the University's guidance on the Safe Disposal of Confidential Waste.
20.4 Record of Destruction
In order to ensure that the University will be able to demonstrate its legislative compliance in the event of a request under the DPA, (or FOI(S) A, EIRs) being received, a record of the data which has been destroyed and the basis on which this was done (e.g. in accordance with a legal requirement) must be kept for five years by the area in which the destruction took place. The University's Record Disposal form should be used for this purpose.
Page last updated 05 September 2018