Retention and disposal schedules - Information governance and compliance retention schedule

Published: 27 March 2026

Data protection and access

Audit and review

  • Description: Audit reports, surveys and improvement plans
  • Retention period: 3 years
  • Trigger date: Date last modified
  • Action: Delete
  • Reasoning: Business requirement
  • Personal data: No
  • Special category data: No

  • Description: Registers recording consent
  • Retention period: 3 years
  • Trigger date: Date last modified
  • Action: Delete
  • Reasoning: Business requirement
  • Personal data: No
  • Special category data: No

Contract registers

  • Description: Registers of data protection-related contracts
  • Retention period: 3 years
  • Trigger date: Date last modified
  • Action: Delete
  • Reasoning: Business requirement
  • Personal data: No
  • Special category data: No

Communications and training (internal)

  • Description: Internal IG and data protection communications and training materials
  • Retention period: 3 years
  • Trigger date: Date last modified
  • Action: Delete
  • Reasoning: Business requirement
  • Personal data: No
  • Special category data: No

Data protection complaints

  • Description: Complaints files and complaint trackers
  • Retention period: 10 years
  • Trigger date: Date of closure
  • Action: Review
  • Reasoning: Legal and business requirement
  • Personal data: Yes
  • Special category data: Yes

Data breaches

  • Description: Breach files and breach trackers
  • Retention period: 6 years
  • Trigger date: Date last modified
  • Action: Delete
  • Reasoning: Legal requirement (limitation periods)
  • Personal data: Yes
  • Special category data: Yes

Data protection impact assessments (DPIA)

  • Description: DPIA tracker and DPIA documents
  • Retention period: 6 years
  • Trigger date: Date last modified
  • Action: Review
  • Reasoning: Legal requirement
  • Personal data: No
  • Special category data: No

Information governance leads

  • Description: Lists of IG leads, agendas and administrative trackers
  • Retention period: 3 years
  • Trigger date: Date last modified
  • Action: Delete
  • Reasoning: Business requirement
  • Personal data: Yes
  • Special category data: No

Individual rights requests

  • Description: Individual rights request trackers and case files
  • Retention period: 6 years
  • Trigger date: Date last modified
  • Action: Delete
  • Reasoning: Legal and business requirement
  • Personal data: Yes
  • Special category data: Yes

Subject access requests (SAR)

  • Description: SAR trackers and SAR case files
  • Retention period: 6 years
  • Trigger date: Date last modified
  • Action: Delete
  • Reasoning: Legal and business requirement
  • Personal data: Yes
  • Special category data: Yes

Information sharing agreements (ISA)

  • Description: ISA tracker, agreements and supporting documentation
  • Retention period: 6 years
  • Trigger date: Date last modified
  • Action: Review
  • Reasoning: Contractual requirement
  • Personal data: No
  • Special category data: No

Policies and procedures

  • Description: IG and Compliance policies and procedures
  • Retention period: 3 years
  • Trigger date: Date superseded
  • Action: Delete
  • Reasoning: Business requirement
  • Personal data: No
  • Special category data: No

Privacy notices

  • Description: Privacy notices and notice trackers
  • Retention period: 3 years
  • Trigger date: Date superseded
  • Action: Delete
  • Reasoning: Business requirement
  • Personal data: No
  • Special category data: No

Records of processing activity

  • Description: Records of processing activity (ROPA)
  • Retention period: 3 years
  • Trigger date: Date last modified
  • Action: Delete
  • Reasoning: Business requirement
  • Personal data: No
  • Special category data: No

Publication scheme

Publication scheme on website

  • Description: Information published under the publication scheme
  • Retention period: Until superseded
  • Trigger date: Date superseded
  • Action: Delete
  • Reasoning: ICO guidance and business requirement
  • Personal data: Yes
  • Special category data: No

Information asset management

Information asset registers

  • Description: Information asset registers
  • Retention period: 3 years
  • Trigger date: Date last modified
  • Action: Delete
  • Reasoning: Business requirement
  • Personal data: No
  • Special category data: No

Information management strategy

  • Description: Information management strategy documents
  • Retention period: Until superseded
  • Trigger date: Date superseded
  • Action: Delete
  • Reasoning: Business requirement
  • Personal data: No
  • Special category data: No

Management reports

  • Description: Information management and IG management reports
  • Retention period: 3 years
  • Trigger date: Date last modified
  • Action: Delete
  • Reasoning: Business requirement
  • Personal data: No
  • Special category data: No

Freedom of information (FOI) and environmental information regulations (EIR)

FOI and EIR requests

  • Description: FOI and EIR requests, responses, internal reviews and correspondence
  • Retention period: 3 years
  • Trigger date: Date of closure
  • Action: Delete
  • Reasoning: Business requirement
  • Personal data: Yes
  • Special category data: No

FOI and EIR complaints

  • Description: FOI and EIR complaints including ICO cases, litigation or tribunal matters
  • Retention period: 10 years
  • Trigger date: Date of closure
  • Action: Review
  • Reasoning: Legal requirement
  • Personal data: Yes
  • Special category data: No

FOI and EIR disclosure log

  • Description: Public disclosure log of FOI and EIR responses
  • Retention period: 3 years
  • Trigger date: Date added to log
  • Action: Delete
  • Reasoning: Transparency and operational efficiency
  • Personal data: Yes
  • Special category data: No

Records management

Retention schedules

  • Description: Schedules outlining how long information is held and why
  • Retention period: Until superseded
  • Trigger date: Date superseded
  • Action: Delete
  • Reasoning: Business requirement
  • Personal data: No
  • Special category data: No

Disposal reports

  • Description: Information about records removed, archived or deleted
  • Retention period: 3 years
  • Trigger date: Date last modified
  • Action: Delete
  • Reasoning: Business requirement
  • Personal data: Yes
  • Special category data: Yes

Projects

  • Description: Advice, guidance and policy around Digital and ICT projects and processes
  • Retention period: 3 years
  • Trigger date: Date last modified
  • Action: Delete
  • Reasoning: Business requirement
  • Personal data: No
  • Special category data: No

Paper records

  • Description: Information about paper files held off-site
  • Retention period: 3 years
  • Trigger date: Date last modified
  • Action: Delete
  • Reasoning: Business requirement
  • Personal data: Yes
  • Special category data: No