Data Protection Policy: Retention of Data
The Data Protection Act 1998 does not specify periods for the retention of personal data. It is left to data controllers to decide how long personal data should be retained, taking into account the Data Protection Principles (see Data Protection Act Overview), business needs and any professional guidelines. In the context of SOAS, the following factors need to be taken into consideration:
- The need to balance the requirement of the fifth Data Protection Principle - that personal data should not be kept for longer than necessary - against the need to prevent the premature or accidental destruction of data which would damage the interests of data subjects, contrary to the seventh Data Protection Principle.
- The exemptions provided by the Data Protection Act which allow the permanent retention of data for historical and statistical research (see Use of Data in Research). SOAS's history should not be endangered by the overzealous destruction of data that could be retained as historical archives.
- The fact that the Data Protection Act does not override provisions in other legislation (e.g. health and safety legislation) which specify retention periods for personal data.
A retention schedule is a device used by records managers to specify retention periods for series of paper and electronic records (for an example, see the University of Edinburgh's retention schedules). A retention schedule has been developed for SOAS covering the major series of the School's records (i.e. focusing on those which SOAS generates in large quantities). The schedule will be developed as SOAS's information audit progresses.
Advice on retention periods relating to personal data is available from the Information Compliance Manager (see Data Protection Contacts). See also Records Management and FoI in the Freedom of Information Staff Guide.
Staff should note that under the Freedom of Information Act, it is a criminal offence to deliberately alter, deface, block, erase, destroy or conceal data which has been the subject of an access request under the Data Protection Act or the Freedom of Information Act with the intention of preventing the release of the data. However, data may be amended or deleted after receipt of the access request but before disclosure of the data, if the amendment or deletion would have taken place regardless of the request (e.g. under a retention schedule).
Last updated May 2008
