Data Storage and Retention Policy

Introduction

George Watson’s College (“The School”) is committed to retaining personal data for no longer than is necessary for the purpose for which it was obtained or to comply with legal and regulatory requirements.

This Policy sets out time limits for retaining various types of personal data held by the School and clear procedures for disposing of personal data.  

It also covers the right of any individual to require the erasure of their personal data (also known as “the right to be forgotten”).

What is personal data and in what form is it held by the School?

Personal data is any data from which it is possible to identify an individual.  It includes any expression of opinion about an individual and any indication of the intentions of any other person in respect of the individual.  It includes electronic records, emails and photographs as well as letters and paper records.

The School holds personal data in the following forms:

  • Paper records, including pupil files, agreements and correspondence with parents, contracts and paper files for staff, application forms and other personal data in respect of pupils and staff who applied to join the School but who turned down a place.
  • The School’s management information system 3Sys/PASS for personal data relating to pupils, prospective pupils, parents and staff.
  • The School’s IT network and other electronic systems, including email, speadsheets and word processing applications.
  • Storage devices including USB sticks, CDs and DVDs.
  • CCTV recording.

How does the School protect personal data?

The School has implemented working practices and guidelines to ensure that personal data is not stolen or lost or unlawfully accessed and to ensure that it is not shared with third parties without the consent of the individual to whom it relates.  

Further details can be found in the Information Security policy.

How long will the School retain personal data?

The School will retain personal data for no longer than is necessary for the purposes for which the data was collected or to fulfil its legal obligations.

A number of factors have been taken into account in determining the time limits for retaining personal data, including:

  • The School needs to retain pupil files for pupils after they have left the School in order to respond to requests for references or other information from universities, colleges and other organisations or from employers.  Retaining pupil files for a period of seven years after a pupil has left George Watson’s College, or until a pupil reaches the age of 25, whichever the sooner, allows the School to provide this information and is not excessive.   
  • Child Protection files for pupils who have been the subject of a referral or a multi-agency plan, or other related issues or concerns will be kept for a period of 25 years from the date the pupil leaves the School in case of future interventions, investigations, inquiries or litigation, or in case children wish to access this information later in life.
  • The School needs to retain a minimal level of information on former pupils beyond the seven year period, including dates of attendance and achievements and other highlights in order to respond to requests for information from the media and other parties on former pupils, such as Sir Chris Hoy.  This summary information will be recorded and maintained in the School’s management information system.
  • The School will keep photos in the archive to document the history of the School and enable publications to draw on the history. Retention of photos is covered in the Taking, Storing and Using Images of Children Policy.
  • The School needs to retain application forms and other information for prospective pupils who did not join the School as a number of these pupils reapply for places in the following school year.  The School will retain this information for one year after the latest application.
  • The School needs to retain applications for employment and related information, including CVs and references, for individuals who did not join the School, in case they reapply for vacancies in the future and in order to defend claims that it had acted unlawfully in not offering employment.  The School will retain this information for one year after the date of the latest application.   
  • Membership details for members of The Galleon will be retained for one year after the end of the financial year (31 July) in which the member ceased to be a member.
  • HMRC require all organisations to keep financial records for a period of six years.  To avoid any confusion about when the six years starts and finishes, the School retains all financial records, including billing records and staff and payroll records for a period of seven years.
  • The time limit for lodging claims for breach of contract is six years.  Again, to avoid any confusion, the School will keep all information that might be subject to a claim for a period of seven years.
  • Statutory time limits for most health and safety related incidents, including accident reports and exposure to many hazardous substances range from four years to seven years from the date of the incident.
  • Health records for any employees who are under health surveillance following exposure to extremely hazardous substances, including certain carcinogens and asbestos, must be retained for a minimum of 40 years from the date of the last entry.
  • Data recorded by the CCTV system will be permanently deleted once there is no reason to retain the recorded information. For example, where images are being recorded for crime prevention purposes, data will be kept long enough only for incidents to come to light. In all other cases, recorded images will be kept for no longer than 90 days.

All of the above is currently subject to the Scottish Child Abuse Inquiry which is expected to conclude in April 2019.  Schools have been instructed not to dispose of any personal data relating to past and present pupils and staff until the Inquiry is concluded.

Table of retention periods

The following table sets out the periods for which the School will retain certain types of personal data.  These retention periods will apply in most cases, but in certain circumstances the School may retain personal data for longer periods, for example where there is still the possibility of legal action.  In these limited circumstances the School will document its reasons for retaining personal data beyond the relevant retention period.

As noted above, the School will retain all personal data relating to past and present pupils and staff until the Scottish Child Abuse Inquiry is concluded, following which the retention periods in the table below will apply.

Type of Personal Data Retention Period
Pupil files and any other detailed information on pupils, including data held in electronic files and the School’s management information system.

7 years from the date the pupil left the School or reaches the age of 25, whichever the sooner.

At the end of the 7 year period the information for each pupil will be summarised into dates of attendance, key achievements and highlights and stored on the School’s management information system.  Pupil files and other detailed information will be securely disposed of.

Summary information on former pupils Retained indefinitely, unless the individual requests their data to be erased.
Keeping in touch and supporting the School 10 years to enable reunion communication, unless the individual changes their preferences.
Child Protection files for pupils who have been the subject of a referral or multi-agency plan or related issues or concerns 25 years from the date the pupil left the School.
Financial information relating to parents, including information for charging and paying school fees and extras, including bank account details and direct debit mandates.  7 years from the date the pupil left the School, except where there are financial transactions after the pupil left the School, in which case, 7 years from the date of the last financial transaction.
Applications for financial assistance and supporting documentation, spreadsheets and other records containing details of financial assistance and any related correspondence. 7 years from the date the pupil left the School, except where there are financial transactions after the pupil left the School, in which case, 7 years from the date of the last financial transaction.
Applications and other information relating to prospective pupils who did not join the School. 1 year after the date of the latest application.
Staff, HR and Payroll records 7 years from the date the employee let the School.
Applications for employment and related information, including CVs and references, for individuals who did not join the School. 1 year after the date of the latest application.
Galleon membership records 1 year after the end of the financial year (31 July) in which the member ceased to be a member.
Health and Safety Accident and Near Miss Reports, investigations and other health and safety reports. 7 years from the date of the accident or incident.
Health records for any employees who are under health surveillance following exposure to extremely hazardous substances, including certain carcinogens and asbestos. 40 years from the date of the last entry
Photographs See the Taking, Storing and Using Images of Children policy.
Data recorded by CCTV Less than 90 days unless required for legal or other reasons.

 

Secure disposal of documents and deletion of data

At the end of the retention period, or in response to a request from an individual for their personal data to be erased (see below), information will be deleted or disposed of in a secure manner:

  • Paper records containing personal data will either be shredded or disposed of by approved confidential waste handlers.
  • Personal data held on USB sticks, CDs or other storage media will be erased or destroyed by employees with the appropriate level of authority and access or by approved confidential waste handlers.
  • Personal data contained in electronic databases, spreadsheets, word processing or other files will be deleted by a member of staff with the appropriate level of authority and access.
  • Personal data held on the School’s management information system will be deleted by a member of staff with the appropriate level of authority and access.

The right to erasure – also known as “the right to be forgotten”

Individuals have the right to have their personal data erased if:

  • Their personal data is no longer necessary for the purpose for which the School originally collected or processed the data.
  • If the School is relying on their consent as its lawful basis for holding the data, and the individual withdraws their consent.
  • If the School is relying on legitimate interests as its basis for processing and there is no overriding legitimate interest to continue this processing
  • If the School is processing their personal data for direct marketing purposes and the individual objects to that processing.

Requests for erasure must be submitted in writing and clearly state the individual’s name, including any former names, and their current or previous relationship with the School in a way which allows their data to be identified.  

On receiving a request for erasure, the School will respond without undue delay and within one month of receiving the request.  Before responding the School will take steps to confirm the identity of the sender to ensure that the request is genuine.

The School will respond to confirm either:
That all personal data relating to the individual has been securely disposed of or erased.
That all or some of the data has not been erased, giving reasons for why the School has not complied with the request.

How to Contact Us

If you have any questions, comments or requests regarding this Privacy Policy please contact:

The Bursar / Data Protection Officer
George Watson’s College
Colinton Road
Edinburgh
EH10 5EG
or
dataprotection@gwc.org.uk
or
0131 446 6000

Complaints

If you are not satisfied with the way that we have handled any of your requests or questions relating to our use of your personal data then you can contact the Information Commissioner’s Office at www.ico.org.uk/concerns or phone 0303 123 1113.

The Information Commissioner’s Office is the statutory body responsible for overseeing data protection legislation and law in the United Kingdom.

Version 1/Issue 1/Last updated 22 May 2018