pupilprotect.co.uk

Data Retention Policy

How long we keep your data and our secure deletion procedures

Last updated: December 2024

Effective date: December 2024

Introduction

This Data Retention Policy explains how long Pupil Protect retains different types of data, the legal basis for retention, and our procedures for secure data deletion. We are committed to keeping data only as long as necessary for legitimate purposes.

Data Retention Periods

Safeguarding Records

Active Records

While the child is at the school plus 25 years

In line with DfE guidance for child protection records

Closed Records

25 years from the date of birth of the child

Statutory requirement for safeguarding documentation

Account & User Data

Active Accounts

Duration of subscription plus 7 years

For audit and compliance purposes

Inactive Accounts

2 years after last login

Automatic deletion after inactivity period

System & Security Data

Audit Logs

7 years

Legal and regulatory compliance

Security Logs

2 years

Security monitoring and incident response

Communication Data

Support Tickets

3 years after resolution

Service improvement and training

Marketing Communications

Until consent withdrawn

Based on ongoing consent

Legal Basis for Retention

Statutory Requirements

  • • Keeping Children Safe in Education (KCSIE)
  • • Working Together to Safeguard Children
  • • Children Act 1989 & 2004
  • • Data Protection Act 2018
  • • UK GDPR

Business Requirements

  • • Contractual obligations
  • • Audit and compliance
  • • Legal proceedings
  • • Service improvement
  • • Security monitoring

Secure Deletion Procedures

Automated Deletion

Our systems automatically identify and delete data that has reached the end of its retention period:

  • Daily automated scans for expired data
  • Secure overwriting using DoD 5220.22-M standards
  • Deletion from all systems including backups
  • Audit trail of all deletion activities

Manual Deletion Requests

You can request deletion of your data before the standard retention period expires:

How to Request

  • • Email: dpo@pupilprotect.com
  • • Include: Account details and data to delete
  • • Verification: Identity confirmation required

Response Time

  • • Acknowledgment: Within 72 hours
  • • Completion: Within 30 days
  • • Confirmation: Written confirmation provided

Retention Exceptions

Legal Hold

Data may be retained beyond normal periods in the following circumstances:

  • Active legal proceedings or investigations
  • Regulatory investigations or audits
  • Ongoing safeguarding concerns
  • Court orders or statutory requirements

Data Export Before Deletion

Before data is deleted, you have the right to export your information:

Available Formats

  • • CSV (Comma Separated Values)
  • • JSON (JavaScript Object Notation)
  • • PDF (Portable Document Format)
  • • XML (Extensible Markup Language)

Export Process

  • • Self-service export via platform
  • • Request via Data Protection Officer
  • • Secure download links provided
  • • 30-day access to exported data

Contact Information

For questions about data retention or to request data deletion:

Data Protection Officer

Email: dpo@pupilprotect.com

Phone: +44 20 1234 5678

Address: Pupil Protect Limited, 123 Safeguarding Street, London, EC1A 1BB, United Kingdom

Related Policies

Privacy Policy

How we collect, use, and protect your data

GDPR & Data Security

Our comprehensive data protection measures

Terms & Conditions

Legal terms for using our services