As another school year rolls around, another wave of children will enter the education system. For schools, this means another group of children to both teach and protect.
Schools hold a huge amount of information about teachers, students, and even parents. Some of this information will include personal data. But what types of information should nurseries, schools, and other educational establishments keep safe, and what should they destroy?
Getting started with data retention at your nursery or school
Dawn Cordner, an MI Reports Administrator here at Shred Station, used to run her own nursery for children aged 1-4 years. From years of experience looking after children and now working in the data destruction industry, Dawn’s one piece of advice to schools or places that care for children is:
“If a document can identify an adult or a child, it should be destroyed securely when no longer needed. The only identifiable information you should keep is information needed for safeguarding purposes or where a legal retention period applies.”
If your nursery or school doesn’t yet have a data retention policy to help you manage what information to keep and what to destroy, our digital guide will help to get you started. Essentially, you should only keep information if it is needed, and the information should only ever be accessed by authorised personnel. For everything else, secure storage is required while retention periods apply, and then secure destruction is needed once retention periods have ended. Materials that can be shredded immediately should be.
Paper-based documents that schools and nurseries should destroy
Staff and teaching documents
All employers will need to collect some form of personal data about their employees. Unlike other workplaces, however, people who work in schools in the UK require enhanced DBS checks and Children Barred List checks. This goes for everyone who works or volunteers for a school in any capacity. Because of this, schools are likely to hold more personal data about their employees than most workplaces, for longer than most workplaces. Extra care should be taken to protect that information.
Some information relating to employees should be held onto until legal retention periods are over. For schools, this is sometimes decades. The below materials, however, can be shredded (or deleted if stored digitally) as soon as they are no longer needed:
Applicant CVs, cover letters and interview notes for unsuccessful applicants
While you may want to destroy this information immediately, it is wise to keep it for at least 6 months. This is the timeframe an applicant has to file a claim against your school or nursery if they felt their application was unsuccessful because of discrimination. After six months, you should destroy these records.
DBS certificates, while vital to collect for school employees, are essentially out of date the moment after they are issued. For this reason, it isn’t necessary to keep DBS certificates in a personnel file. As long as you keep a record that DBS checks were completed and approved, that is enough. DBS certificates should be securely destroyed immediately when they are no longer needed.
Implementation of Curriculum
There are many documents about your school’s curriculum that you only need to keep for a year after the current year ends. This includes schemes of work, timetables, class record books, mark books, and records of any homework set. Some of this will not be confidential, but we advise using a Shred Everything policy at your school to avoid staff making the wrong call when it comes to what information needs to be disposed of securely.
As with most information a school holds, records about children must be retained for quite a long time. However, there are documents that may contain identifiable information about children that you should shred immediately. For example:
- Pupil’s Work – Where possible, you should return the student’s work to them at the end of the academic year. If work isn’t returned and won’t be required, it should be securely destroyed.
- Exam papers – Sometimes, keeping high-quality old exam papers from past students is beneficial to aid current students with their own exam preparation. If you keep any old exam papers, personal information should be anonymised. If you do not need to keep old exam papers or mock papers, provided you have made note of the grade and left time for any challenges to be made, you should destroy them. You can do this quickly by using a bulk paper shredding service.
Information about parents or guardians
All schools and nurseries keep some form of information from or about guardians. This will include things like emergency contact information, confirmation of parental responsibility, copies of permission slips, consent forms, and even religious information if self-reported by the student or their guardian.
- Emergency Contact Details – Schools should keep emergency contact details of at least two trusted adults for every child. However, if a child needs to change their emergency contact details, you should destroy the old contact details immediately. The same applies when a child leaves your school.
- Parental Consent Forms – Parental consent forms for things like photograph usage, school trips and after-school clubs should be kept until the child reaches 22 years of age. If there was a major incident at any of the trips or at an after-school club, the consent forms and any related files should be kept until the children involved turn 25. After that, these forms can be destroyed.
Other things that could identify children
Some independent nurseries or daycare groups hire public facilities such as church halls to host their groups. Schools too are sometimes open to visitors or members of the public. In shared spaces where there is public access, you should take extra care to ensure that no materials are accessible that could be used to identify a child. For example:
- Not writing a child’s full name on their work if displayed or accessible in public areas
- Not using full name tags or stickers on children’s cubby holes, coat pegs or drawers
- Keeping photographs of the child (especially if labelled with their name) away from public spaces
- Keeping pupil records, children’s learning books, or development logs in locked drawers
Other documents your school should keep and how long you should keep them for
Some information collected by schools must be kept for long periods of time – sometimes even decades. After these retention periods are over, ensure the below records are securely destroyed.
Every employee at a school should have their own personnel file. This will make it easier to check records such as proof of ID, eligibility to work at your school, qualifications, and a copy of the employee’s contract. When a staff member leaves, you should keep their personnel file for 6 years after the end of the current year. However, if this person worked unsupervised with children, it should be kept for 25 years.
Children’s records should be retained for a minimum of seven years after the pupil has left school or until they have reached the age of 25 – whichever is later. This includes their attendance register, accident report books, parental permission forms, and special education needs files. Medication records should be kept until the child reaches 22. If you are a primary school, you should pass these records on to the child’s chosen secondary school rather than keeping your own copies.
Safeguarding and welfare records
All child welfare records should be kept until the child reaches the age of 25. However, for looked-after children, the retention period increases to 75 years.
Accident records for staff should be kept for 3 years from the date of the last entry. If the accident involves a child, accident records must be kept for 3 years or until the child reaches the age of 21, whichever is longer. Some councils even recommend keeping this information until the child reaches the age of 25. If the accident involves hazardous substances, however, records should be retained for 40 years.
Payroll records including things like employee leave and sickness absences should be kept for three years after the end of the tax year they relate to. The only payroll data you should keep after three years is proof that you are paying employees the minimum wage. Records that prove this should be kept for at least six years.
The Information and Records Management Toolkit for Schools provides specific information for many different types of school documents. You can read the toolkit here.
Other materials your nursery or school may need to destroy
When you think about things that need to be destroyed in schools, you might imagine boxes of dusty paperwork and files. You may not necessarily think about the things you see every day – for example, school uniforms and student ID cards – but these items may require secure destruction too.
Destroying old uniforms
School uniforms cost the average family hundreds of pounds each year. If your uniform hasn’t changed, why not host an end-of-year uniform supermarket? By asking students to donate the uniforms they have outgrown that are still suitable to wear, you can offer your students the chance to secure official uniforms at much cheaper prices while raising funds for the school at the same time. Any donated items that aren’t suitable for re-use can be shredded and recycled (depending on the fabric).
If your school logo or uniform has changed, you may be left with a large stock of old uniforms that aren’t usable. To prevent the uniform from being sent to landfill or misused, a shredding and recycling service is the best option.
Shredding student ID cards
If you require your students to wear ID cards to enter the premises, check out books or engage in any other activities, you are already taking steps to protect the school from unauthorised access or theft. However, you must also protect your students. ID cards may contain personal information about your pupils. This could include their name, photo, student ID numbers, dates of birth and more. Combined with your school logo, this could be enough for someone to locate a child or misuse their information. While, ultimately, it is the responsibility of the student to ensure their ID card is kept safe, there may be instances where they don’t need their old ID card any longer. For example, it may become worn, or they may be moving schools. If you need to collect old ID cards for purposes such as this, you should destroy them immediately.
Managing lost property at your school
While most lost property containing personal information can usually be quickly returned to its rightful owner, there may be rare instances where you need to destroy lost property. For example, someone may hand in a lost phone. This phone could contain images of students, personal information, access to the student’s emails and other confidential materials. Devices like this therefore shouldn’t just be donated to charity if unclaimed. To avoid situations like this altogether, you could recommend that your pupils write their full name on their phone case or use an image of themselves as their phone background to aid in the retrieval of lost property.
Securely destroying unused or uncollected school photographs
If you take photos of students at your school, there are strict data protection regulations to adhere to. However, that doesn’t mean using photographs of students for social media, the school website, or yearbooks is not allowed. As well as seeking parental permission to take and use photographs of young people under the age of 16, you must also ensure that access to the photos is limited, and all unused photos are destroyed. For digital copies, these should be erased when no longer needed. You must also respect the right of students to withdraw their permission. If permission is withdrawn, you can delete/destroy the photographs of that child for future use or blur out the child’s face.
Shredding and recycling old brochures or school prospectuses
As with school photos, brochures and prospectuses can contain images of children, staff, and things like the full names of members of the faculty. This constitutes personal information. When these items are no longer needed, therefore, they should be shredded and recycled.
Erasing or destroying CCTV recordings
As with images, video footage can also contain personally identifiable information. The UK GDPR and Data Protection Act 2018 do not define any specific minimum or maximum retention periods for surveillance systems. However, Article 5 of the UK GDPR does set out seven key principles for processing personal data. One of these principles is storage limitation. This means that personal data should not be stored for longer than is necessary. With CCTV footage, your school must establish how long “necessary” is. For example, 30 days may be long enough. After this 30 days is up, you must ensure that digital footage is erased and any physical copies (for instance data tapes) are securely wiped or destroyed.
Old hard drives and computer equipment
It might be necessary for your school or nursery to shred old hard drives or computer equipment. For example, if you are getting new laptops for your IT class or new PCs for your teachers, the old device shouldn’t just go into an unlocked bin at the end of its life. This is because it could contain information about children, their development, images, files with their names on them, and files containing your teacher’s information. Some schools even collect digital fingerprints to scan students and teachers into the building or to do things like check out library books. All this information must be protected. Degaussing is one option to ensure files are permanently erased and inaccessible, and shredding is another.
Teaching children about personal information
As well as protecting children’s information as a data processor, it is vital that schools teach children about what personal information is and how, if not protected correctly, it can put us at risk. As we all spend so much of our lives in a digital world, this is especially important for information shared online.
There are many resources available to teach children about privacy issues and the value of personal data, including:
- Lesson plans created by the Information Commissioner’s Office
- Teaching resources published by the BBC’s Own It
- Anti-fraud lesson plans published by Cifas
- Lessons and activities that teach children about digital citizenship and navigating the web
- Simon Shred activity books for your junior and primary school years students
With resources like these and thoughts about keeping information safe from a young age, we can all hope that the next generation will be equipped to deal with the ever-increasing risk of things like fraud and data misuse.
Please note, this information is correct in the UK at the time of publication. For up-to-date information, we recommend seeking advice from your local council and Ofsted, seeking legal advice, and consulting the Information Commissioner’s Office website.
For more information on UK data retention schedules, please see below links:
The Education & Skills Funding Academy Guidance on Record Keeping and Retention Information for Academies and Academy Trusts
The Data Protection Act 2018
The Education (Pupil Information) (England) Regulations 2005
The Education (Scotland) Act 1980
The Education Act 2011
The Public Records Act 1958
The Limitation Act 1980
The Information Management Toolkit for Schools
Statutory Guidance for Keeping Children Safe in Education
Sign up for our newsletter to receive alerts about new blog articles, data protection advice, and Shred Station news.