Disposal and Retention Guidelines for Personal Information
Introduction
The Data Protection Act 1998 places an obligation on the University to dispose of personal information when it is no longer needed. To prevent unauthorised or accidental disclosure of the information, it is important to exercise care in its disposal, including protecting its security and confidentiality during storage, transportation, handling, and destruction.
All staff have a responsibility to consider safety and security when disposing of personal information in the course of their work. Consideration should also be given to the nature of the personal information involved (how sensitive is it?), and the format in which it is held.
Schools and directorates should establish procedures appropriate to the information held and processed by them, and ensure that all staff are aware of those procedures. In addition, schools and directorates are encouraged to maintain a disposal record which will assist the University in responding to enquiries made under the Data Protection Act.
Definition
University record means any data recorded in any form, including paper files, computer files, audio- and videotapes, film and microfiche, which are maintained by University staff, or agents, in the course of their employment.
Recommended Procedures
- Authorisation
The destruction of University records must be authorised by the Head of the School or Directorate involved. If there is any doubt about the need for authorisation in a specific case, individuals should consult their line managers.
- Safe and Secure Disposal
When records are disposed of, on-site or off, it is important to use methods which do not allow future use or reconstruction.
Paper records containing personal information should be shredded, not simply thrown out with other rubbish or general records. Shredding can be arranged through Campus Services.
Special care must be taken with electronic records, which can be reconstructed from deleted information. Similarly, erasing or reformatting computer disks or personal computers with hard drives which once contained personal information is not enough. Software tools are available which will remove all data from the medium so that it cannot be reconstructed.
Videotapes containing personal information should also be physically destroyed, not simply thrown away. Overwriting a videotape which contains personal information with non-personal information will remove the previous images, but this should be done on-site by authorised staff.
- Off-site Disposal
When records are destroyed by an outside agency, that agency should be contractually bound to observe the same security standards and considerations as those which apply to on-site disposal.
- Disposal Policy
Every School, department and office should have a disposal policy to which all staff can refer when they need to dispose of personal information. When deciding retention times, consider the following, in order:
* any legal requirements (e.g., possible negligence action);
* the length of any appeals procedure relating to the information;
* the number of times in the last two or three years that you have had to refer to a particular type of record (if the answer is never, then get rid of it!).
- Disposal Record
A disposal record is a list indicating what records have been destroyed, when, by whom, and using what method of destruction. Records which have been kept or archived may also be tracked. The record may consist of a simple list on paper, or be part of an electronic records management system.
The disposal record applies to both paper and electronic (computer and video) records. It must not, in itself, contain personal information. Refer to the record type rather than the contents of the record. For example, "1990 Home Visits" would be acceptable, "Home Visits: John Smith" would not. To download an example of a completed disposal record, click here.
- Guidelines for Retention of Personal Information
Records are kept for a variety of reasons and will carry various retention times. Guidance on retention periods applicable to information used in Higher Education is available from the website of the Joint Information Systems Committee (JISC).