This schedule sets out the maximum retention periods for personal data processed by NSEMM, in compliance with UK GDPR Article 5(1)(e) (storage limitation principle) and the Data Protection Act 2018.
| Data Category | Retention Period | Legal Basis | Disposal Procedure |
|---|---|---|---|
| Safeguarding records (child protection records) | Until the subject reaches age 25, or 6 years from case closure, whichever is longer; longer where required for ongoing legal proceedings | Children Act 1989 + Limitation Act 1980 s.28 (minority clock pause) + best-practice guidance | Secure deletion with audit trail; physical documents cross-cut shredded |
| Session recordings | Retained in line with safeguarding retention schedule; longer where a safeguarding concern requires. NSEMM applies a default purge cadence configured at platform level. | UK GDPR Article 9(2)(g) + DPA 2018 Schedule 1, Part 2, paragraph 18 | Secure deletion via Lessonspace platform controls under Data Processing Agreement |
| DBS certificates | Must not be retained beyond 6 months from issue except where required for an ongoing safeguarding investigation | DBS Code of Practice (Police Act 1997 s.113BA + Safeguarding Vulnerable Groups Act 2006) | Securely shredded; certificate number and date of issue may be recorded separately |
| Onboarding records (including unsuccessful applications) | Successful: duration of engagement plus 6 years (statutory limitation period). Unsuccessful applications: 12 months from decision. | Limitation Act 1980 + Employment law | Secure deletion; physical documents cross-cut shredded |
| Incident records | 10 years from closure | Safeguarding best practice + Limitation Act 1980 s.28 | Secure deletion with audit trail |
| Audit logs | 10 years from creation (NSEMM Protect chain-hashed audit log is tamper-evident) | Accountability obligation + fraud prevention | Secure deletion with verified audit trail |
| Subject Access Request records | 6 years from response | UK GDPR accountability + Limitation Act 1980 | Secure deletion |
| Whistleblowing disclosures | Until the disclosure is closed, then 10 years | Public Interest Disclosure Act 1998 + safeguarding duty | Secure deletion with audit trail; restricted access throughout |
| Financial records | 7 years | HMRC requirements + Charity Commission requirements | Secure deletion; physical documents cross-cut shredded |
| Recruitment records (rejected candidates) | 12 months from decision | Equality Act 2010 + legitimate interests | Secure deletion |
| HR and employment records | Duration of engagement plus 6 years | Employment law + Limitation Act 1980 | Secure deletion; physical documents cross-cut shredded |
| Training records | Duration of engagement plus 6 years | Safeguarding and employment compliance | Secure deletion |
| Contact and communication records | 2 years from last contact, unless ongoing correspondence | Legitimate interests | Secure deletion |
| Donor and Gift Aid records | 7 years | HMRC Gift Aid requirements + Charity Commission | Secure deletion; physical documents cross-cut shredded |
| Website analytics | 12 months (completely anonymised) | Legitimate interests (service improvement) | Automatic expiry |
Records subject to ongoing legal proceedings are exempt from disposal until proceedings conclude. Erasure requests are assessed individually under UK GDPR Article 17(3)(e) (legal claims defence) and DPA 2018 Schedule 2 paragraph 5 (crime-prevention exemption).
The limitation clock for personal injury and abuse claims is paused during minority under Limitation Act 1980 s.11 and s.28. This informs the retention schedule for all safeguarding records.
For confirmed child sexual abuse records, NSEMM additionally considers the Independent Inquiry into Child Sexual Abuse (IICSA) recommendation for 75-year retention. Specific cases are reviewed by the Designated Safeguarding Lead and trustees before any disposal decision is made.
All destruction is recorded in the NSEMM Protect audit log.
This schedule is reviewed annually and updated when legislation or guidance changes. The Data Protection Contact (dsl@nsemm.org.uk) is responsible for ensuring retention periods are applied consistently across all systems.
This document is maintained by NSEMM leadership. Last reviewed: May 2026. For queries, contact dsl@nsemm.org.uk