This policy explains how long ACS retains personal data and the legal requirements that govern our retention practices.
Last updated: 11 June 2026•Version: 1.0
ACS is committed to retaining personal data only for as long as necessary for the purposes for which it was collected, and in accordance with our legal obligations. This policy sets out our standard retention periods for different types of data and the legal basis for those periods.
We apply a risk-based approach to data retention, balancing our obligations to preserve records for safeguarding, regulatory compliance, and legal defence with our duty to minimise data holding in line with GDPR principles.
Legal Framework: Our retention practices are designed to comply with GDPR, the Data Protection Act 2018, Ofsted regulations, employment law, and safeguarding statutory guidance.
Staff records are retained in accordance with employment law and regulatory requirements.
| Record Type | Retention Period | Legal Basis |
|---|---|---|
| DBS checks and safeguarding clearance | Until staff member leaves + 75 years (or 100 years from birth) | Safeguarding statutory guidance |
| Employment contract & personnel file | Until staff member leaves + 6 years | Limitation Act 1980 |
| Training records & certificates | Until staff member leaves + 6 years | Ofsted regulatory requirements |
| Supervision & appraisal records | Until staff member leaves + 6 years | Employment law & best practice |
| Disciplinary & grievance records | Until resolved + 6 years (or indefinitely if unresolved) | Employment law & ACAS guidance |
| Shift records & timesheets | 2 years after year end | HMRC requirements |
| Sickness & absence records | Until staff member leaves + 3 years | Statutory Sick Pay regulations |
| Pre-employment checks & references | Until staff member leaves + 6 years | Ofsted regulatory requirements |
| Accident & incident reports (staff) | 3 years from date of report | RIDDOR regulations (if reportable) |
| Policy acknowledgment records | Until staff member leaves + 6 years | Ofsted regulatory requirements |
Children's records are subject to specific statutory requirements. Many records must be retained indefinitely for safeguarding purposes.
| Record Type | Retention Period | Legal Basis |
|---|---|---|
| Child's core file/care record | 75 years after child reaches age 18 (or until age 100) | Children Act 1989 & safeguarding guidance |
| Safeguarding & child protection records | Indefinite (retention for life) | Working Together to Safeguard Children |
| Serious incident reports | Indefinite (retention for life) | Ofsted & safeguarding requirements |
| Daily logs & routine records | Until child leaves + 3 years | Local authority & Ofsted guidance |
| Care plans & reviews | 75 years after child reaches age 18 | Children Act 1989 |
| Health records & medical information | Until child leaves + 25 years (or until age 25) | NHS & medical record standards |
| Educational records | Until child leaves education + statutory period | Education regulations |
| Placement records & movement history | 75 years after child reaches age 18 | Children Act 1989 |
| Accident & injury records | 3 years from date of incident (or 21 years if reportable) | RIDDOR regulations |
| Photographs & media records | Until child leaves + 3 years (subject to consent) | GDPR & consent terms |
Important: Safeguarding-related records, serious incident reports, and child protection concerns must be retained indefinitely (for the child's lifetime) regardless of when they left care. This is a statutory requirement under Working Together to Safeguard Children and cannot be overridden.
| Data Type | Retention Period |
|---|---|
| User access logs | 1 year |
| System audit trails | 3 years (or longer if related to safeguarding) |
| Error & crash logs | 90 days |
| Backups & disaster recovery copies | Until primary data deletion + 30 days |
| Communication logs (emails, messages) | 2 years |
| Session & authentication data | 30 days after session expiry |
Special category data (sensitive personal data) requires additional protection and specific retention considerations.
Retained for the longer of: the primary retention period for the associated record, or until the individual reaches age 25 (for children's health records).
Retained indefinitely for safeguarding purposes as required by the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975 and safeguarding statutory guidance.
Retained indefinitely (for the lifetime of the individual) as required by Working Together to Safeguard Children and relevant statutory guidance.
When retention periods expire, data is securely deleted in accordance with our data protection policies.
Automated review identifies records approaching retention expiry
System checks for legal holds, ongoing proceedings, or safeguarding concerns
Manager or data protection officer reviews and approves deletion
Data is securely deleted from production databases and backup systems
Deletion is logged in audit trail for compliance purposes
While you have the right to request erasure of your personal data, there are exceptions where we may need to retain records.
In these cases, we will restrict processing instead of deleting, meaning the data will not be used for routine purposes but will be retained for the specific legal purpose.
This policy is reviewed annually to ensure it remains compliant with changing legal requirements and regulatory guidance. The last review was conducted on 11 June 2026.
Changes to this policy will be communicated to all data subjects through appropriate channels and will be published on this page with an updated revision date.