Skip to main content

Keeping data in compliance with the Data Protection Act

How to comply with the Data Protection Act when you retain data for University-related purposes.

If you have access to existing files or data you must follow the rules on keeping data to ensure that requirements of the Data Protection Act are met.

There are four general rules of compliance that you should follow when keeping data:

  • review and manage the content of files and records
  • keep data secure
  • maintain best practice in record keeping
  • only retain data for as long as necessary

Review the content of files and records


Files and other records containing personal data must be kept up-to-date and regularly checked for accuracy. Record any changes and delete any obsolete information.


Only relevant and necessary information should be retained. Carry out the regular administration of files and records to remove and securely delete duplicated materials and irrelevant information.

Fairness and access rights

Individuals have the right to see their personal data, including any comments about them. Opinions about individuals in documents should be justifiable and based on fact. It is permissible to give a reasoned, frank opinion about a student's work or behaviour, but not to express personal dislike or make any insulting or defamatory remarks. Do not record, however informally, comments you would not be happy for the Data Subject to see.

Keep data secure

All paper and digital records containing personal data must be held securely. You must take care to ensure that data cannot be accessed or viewed by anyone not authorised to do so.

See our detailed guidance on data security and data security off-campus.

Maintain best practice in record keeping

Limit access to data

Access to personal data should be restricted to those staff who need access for legitimate business or operational reasons and it should only be used for the purpose(s) for which it was granted.

Exercise caution if you are asked by a third party to disclose personal data. It should not normally be disclosed without the consent of the individual data subject themselves.

Only use data for the original purpose

Personal data collected for one purpose may not subsequently be used for another without the individual's consent. For example, contact details collected on a course feedback form may not subsequently be used for a mailshot.

Keep files in a single location

All documents which may need to be referred to in order to carry out normal university or departmental business should be kept centrally in a single file.

Members of staff holding their own separate files can only be justified if it is in the interests of the student or other individual, for example where the information is particularly sensitive.

Private files should not be routinely kept so as to avoid duplication or fragmentation. Personal data should only be reproduced for specific purposes. Once the purpose is fulfilled the record should be securely disposed of.

Subject Access provisions apply to 'private' files in the same way as to any other records. Any additional or separate files maintained by personal tutors relating to students for the duration of a programme of study should be weeded after graduation.

Any material which might be needed for the completion of student references should be combined with the relevant central departmental student file. Storing selected work-related or staff records at home does not exempt them from the Subject's right of access.

Only retain data for as long as necessary

Personal data should not be kept for any longer than is necessary.

When a student graduates or leaves the university the departmental student file is closed. At some time during the next three years, student files must be thoroughly weeded and all records of no further use should be destroyed. Weeded student files must be retained permanently within the department or in the University Records Centre.

When personal data is to be deleted or disposed of, ensure that confidentiality is maintained. Paper files should be shredded or put into confidential waste sacks.

Contact us

If you have any questions, please contact us.

On this page