Retention of student records

University of Oxford

Guidance on how long to retain student records

Why do we need a data retention policy?

- We need to comply with the requirement of the General Data Protection Regulation that personal data is not kept for longer than necessary. If we retain personal data for longer than we need to, we will also breach the requirement that personal data must be relevant and limited to what is necessary to meet our purposes.

- We need to keep data for as long as it is required to meet operational purposes or to ensure that the University has sufficient information to respond to complaints or legal claims.

- We need to make best use of storage space, both physical and digital.


- This guidance seeks to provide indicative guidance for those responsible for managing student records and student administration. It covers the main corporate systems such as SITS, CMIS, GSR, OXCORT, DWH, and local Access databases, Excel spreadsheets, email and paper, for example, interview scores held locally in a departmental database.

- Data extracted from master systems and stored in local drives or email, should be destroyed after use to avoid unnecessary duplication, and to ensure data is not held for any longer than necessary.

- Excluded: Retention guidelines for maintaining transactional records, for example retention of requests for transcripts.

Retention periods

- The master copy of data should not be deleted before the expiry of the retention period. Supplementary copies (e.g. Excel downloads, or working files) should be deleted before the retention period if they no longer serve a purpose. Careful consideration should be given as to whether supplementary copies of data should be held or could be destroyed.

- When the retention period is reached, the data should be destroyed as soon as practicable and in a secure manner.

Last reviewed October 2018

Issued by Student Registry

A detailed Guide (727kb) sets out how long to retain student records.