Summary

Data retention is a set of guidelines DfE follows for retaining and disposing of data and information, based on regulatory requirements and internal needs.

Warning: You are breaking the law if you do not meet this standard.

Categories

The categories applicable to this standard are:

Information and Data Management
  • Data Lifecycle
  • Data Protection

Purpose

Data retention

This involves storing data for a certain period, which can be dictated by legal requirements, business needs, or both. This ensures that important information is available when needed, such as for analysis, decision-making, or compliance with regulations.

Data disposal

This is the process of securely deleting or destroying data after it is no longer needed or after the retention period has expired. Proper data disposal is crucial to prevent unauthorised access or data breaches, protecting the privacy and security of the data.

How to meet this standard

To be compliant, you need to ensure that data/information is deleted as per the DfE disposal and retention schedules.

What all DfE staff, including consultants, contractors and third-party suppliers must do

  1. Ensure that data you are responsible for is reviewed regularly and that you delete and dispose of data when it is no longer required in line with the DfE Retention and Disposal Schedules (DfE Intranet).
  2. Ensure all electronic media containing data awaiting disposal is stored and handled securely in accordance with the requirements for its classification and the latest NCSC guidance and best practice: Secure sanitisation of storage media - NCSC.GOV.UK.
  3. Dispose of reports, correspondence, and other printed media containing sensitive data by one of the following:
    1. Shredding - documents must be shredded using IT approved cross-cut shredders.
    2. Shredding bins - disposal must be performed using locked bins located on-site using an IT approved shredding service.
    3. Incineration - materials may be physically destroyed using an IT approved incineration service.
  4. Non-sensitive data and information may be disposed of via common destruction methods, for example, rubbish bins or commonplace deletion from a computer system.

What the Information Asset Owner (IAO) / Senior Responsible Owner (SRO) must do

  1. Ensure that retention periods are applied to all data in accordance with the DfE Retention and Disposal Schedules (DfE Intranet) and ensure that data is not retained for longer than is necessary.
  2. Obtain proof of destruction for the data being disposed of, if using a third-party disposal contractor.
  3. Ensure cessation of contracts, access removal and permanent removal of associated software from the DfE estate.
  4. Ensure destruction of all sensitive data is logged, when applicable, including details of the asset number of any electronic media being disposed of and the method used to sanitise the data held on any media device.
  5. Ensure any release or re-use of electronic media without appropriate sanitisation is reported as an information security incident.

Declaring conformance with this standard

Conformance with the standard must be recorded every 12 months.

Owner and contacts

Standard owner: Saheel Sankriwala, Chief Technology and Data Officer
Other point of contact: DDT Standards Team