Data Protection Policy - Retaining Personal Data

The Data Protection Act 1998 does not specify periods for the retention of personal data. It is left to data controllers to decide how long personal data should be retained, taking into account the Data Protection Principles, business needs and any professional guidelines. In the context of Swansea University, the following factors need to be taken into consideration:

  • The need to balance the requirement of the fifth Data Protection Principle - that personal data should not be kept for longer than necessary - against the need to prevent the premature or accidental destruction of data which would damage the interests of data subjects, contrary to the seventh Data Protection Principle.
  • The exemptions provided by the Data Protection Act which allow the permanent retention of data for historical and statistical research (see section on The Use of Data in Research). 
  • The fact that the Data Protection Act does not override provisions in other legislation (e.g. health and safety legislation) which specify retention periods for personal data.

Advice on retention periods relating to personal data is available from the Information Compliance Officer (FOI/DP).

Staff should note that under the Freedom of Information Act, it is a criminal offence to deliberately alter, deface, block, erase, destroy or conceal data which has been the subject of an access request under the Data Protection Act or the Freedom of Information Act with the intention of preventing the release of the data. However, data may be amended or deleted after receipt of the access request but before disclosure of the data, if the amendment or deletion would have taken place regardless of the request (e.g. under a retention schedule).