School archives and the indefinite retention of data
19 August 2021
Many schools may wish to retain personal data for periods long after the relationship with the employee, parent or pupil ends, but are you clear on the basis for doing so and are you sure that your current practices are in line with the UK GDPR and Data Protection Act 2018?
The UK GDPR and Data Protection Act 2018 contain certain derogations from the normal rules on the retention of data for 'archiving in the public interest'. One of those derogations is that you can retain information as part of the archive indefinitely.
Unfortunately, the text of the GDPR (which is not clear) appears to provide that archiving in the public interest only occurs when the archiving is undertaken pursuant to a specific legal basis or a legal duty to provide general access to the records. Schools should therefore check their governing document (usually Articles of Association) to see whether any provisions contemplate archiving activities. If they do not, then it is likely that the school should only be 'archiving' in the informal sense, rather than 'in the public interest' and consequentially will be unlikely to be able to benefit from the derogation.
If a school wishes to create a formal archive, there are several steps to consider, including alteration to the school's governing document(s) and putting in place the appropriate safeguards to benefit from the derogation mentioned above. This can involve a lot of work and existing archiving policies are lengthy and comprehensive documents.
If you would like to explore this route then please do get in touch and we would be happy to help.
If you are not archiving in the public interest, your school will need to carefully consider your informal archiving arrangements.
Initially, you will need to consider the purpose of the archive and determine: to whom it will be accessible; what it is intended to achieve; what information it will hold, etc. You must then ensure that you do not retain more information than is necessary to meet your purpose.
Thereafter, you can work to identify the appropriate lawful basis for the data processing involved, for example 'legitimate interest or consent'. If the information that you intend to retain includes 'special category data', you will also need to identify a condition for processing in addition to a lawful basis, which can be more difficult to achieve.
Archives (even informal ones) are intended to provide a permanent record. However, you are not permitted by data protection laws to retain data indefinitely except under the derogation for archiving in the public interest. Therefore you must decide how long you need to keep information for archiving purposes by reference to a fixed retention period, or at least the means by which the retention period will be determined. The periods may vary according to the type of information and by whom it can be accessed.
When processing personal data on the basis of legitimate interest you need to consider the individual's right to object to the processing. You are likely to need to add some appropriate wording to the privacy notices for staff or alumni to reflect the school's use of personal data for archiving purposes. You should also consider whether the archived information is shared any more widely than within the school and update any sections regarding sharing information with third parties if this is something that applies to your school.