The data you were supposed to delete this summer
On data retention policies, and the gap between writing one and running one.
It’s the end of the school year. The students who are leaving have nearly left. The staff who aren’t returning are clearing their desks. Somewhere in your school, a file is being closed on each of them.
But that file doesn’t really close. It moves to a folder, or a drive, or a system, and it sits there. And in most schools, it sits there forever, because the moment when someone was supposed to decide what happens to it never actually arrives.
This is the part of data protection that nobody likes to talk about. We worry about breaches. About the data getting out. But there is a quieter failure that almost every organisation is committing right now, and it has nothing to do with anyone breaking in. It’s the data we keep long after we have any reason to keep it. In many cases, long after we’re allowed to.
A few years ago, at a school I was doing some consulting with, I sat down to map their data. It’s not a glamorous job. You go system by system and you ask what’s in here, why, and on what basis. When I got to the admissions platform, I found something I wasn’t expecting. Applications going back more than ten years. Families who applied and enrolled. Families who applied and were turned down. Families who applied, were accepted, and chose to go somewhere else. All of them still there. Names, dates of birth, prior school reports, the financial pages from a fee application. A decade of children who were long gone, or in some cases, had never set foot in the building.
I asked the obvious question. Why do we still have this? The answer was the one you already know. “We’ve always kept it.” Nobody had decided to keep it. That was the point. Nobody had decided anything. The data had simply never been told to leave.
GDPR has a name for the rule that’s easiest to break without noticing. Storage limitation. Article 5(1)(e). Personal data can be kept only for as long as it’s needed for the purpose it was collected for. When the purpose is gone, the data has to go too. Deleted, anonymised, or properly archived. Not held indefinitely because deleting it was somebody’s job that nobody did.
The regulators have started counting. In January 2026 the French data protection authority fined Free Mobile €27 million. The headline was a breach. But buried in the decision was a separate finding: the company had also failed to delete the data of former subscribers when there was no longer any reason to hold it, including data on 2.8 million contracts that had been cancelled for more than ten years. A month later the European Data Protection Board reported on a year-long investigation across thirty-two countries into one critical question. When the time comes to delete personal data, can organizations actually do it? They asked 764 of them. The answer, broadly, was no. Deletion dressed up as anonymisation. Systems that couldn’t erase what was sitting in their backups. And, again and again, no clearly defined retention periods to begin with.
A telecom giant and a continent’s worth of corporations feel a long way from a school of a few hundred students. But the mechanism is identical, and schools are more exposed to it than almost anyone.
Think about whose data is actually sitting in those unclosed files. Not subscribers. Children. A student’s home address and medical accommodations. The counsellor’s notes about a hard year. The safeguarding record. The disciplinary file. The form a parent filled in about a family situation they’d never discuss in public. This is the most sensitive category of data a person generates in their whole life, generated when they were too young to consent to any of it, and it does not leave your systems when they leave your school. It stays. The student walks out the gate at eighteen with no idea that a detailed account of their childhood is still sitting on a drive somewhere, and there is no say in how long it will stay there.
That’s the same argument this newsletter made about the PowerSchool and Canvas breaches. A child’s data doesn’t expire when they graduate. What I didn’t say is why it doesn’t expire. This is why. The damage isn’t immediate because the data is quiet. But it is always there. Over-retention is the silent mechanism underneath every student-data story. The profile persists because the deletion never happens.
Here’s where it gets genuinely hard, and where the argument that this issue is “minor” does damage. The answer is not “delete more!” Some data about a child must be kept for a very long time, and keeping it is exactly right. England has thought about this harder than most, and its rules are instructive even when they aren’t minding. Child protection records there are typically held until the person’s twenty-fifth birthday, and sometimes far longer. When a claimant challenged one council for keeping such files for thirty-five years, the High Court ruled that thirty-five years fell within the bracket of legitimate retention. During the national inquiry into child sexual abuse, schools were instructed not to destroy any record that might be relevant to it, suspending their normal review schedules entirely until the inquiry concluded in 2023. None of that is over-retention. It’s the system working. A person who needs to return to that record at forty must be able to find it.
So the failure isn’t too much or too little. It’s the absence of anything that can really tell the difference. A school without a working retention schedule does the worst of both. It hangs onto the trip spreadsheet from three years ago that should have gone, and it has no idea whether the safeguarding file that must be kept for decades is being held correctly or just drifting in a shared folder with everything else. Keeping is the default for all of it. Sorting is the thing nobody does.
And sorting is genuinely hard, and that’s worth acknowledging. Different records sit on different clocks. Enrollment on one. Safeguarding on another, measured in decades. Disciplinary, medical, staff records, each with its own set of rules. If you work in an international school you may be sitting between a local data protection law, an accreditation body’s expectations, and the GDPR rights of European families all at once. There is no single date when a departed student falls out of your systems. England’s Information Commissioner’s Office says as much plainly – the law sets no fixed time limits, which means the judgement is yours to make and yours to defend. That’s a dozen judgements, on a dozen kinds of data, and tracking them is a real, ongoing, calendared job. Most schools have never given it to anyone.
So the data stays. The applicant you didn’t hire in 2017. The parent contact list from a trip three years ago. The medical form for a student who graduated, in a folder that nobody opens. The counsellor’s notes. None of it sorted, kept, or deleted on purpose, because the day it should have been reviewed came and went like any other busy day inside a school.
Here’s what makes this the right week to raise this. The end of the school year is the one moment when the data naturally turns over. Students leave. Staff leave. If your retention schedule is doing anything at all, this is when it should be triggering, telling you what crossed its threshold this year and what to do with it. The question is whether anything in your school is set up to notice, or whether the schedule is a document somebody wrote once and nobody has opened since.
Because a retention policy that lives in a document is not a retention policy. It’s the description of one. The real thing is a calendar, a named owner, and a recurring date when someone opens the folder, reads the schedule, keeps what must be kept, and deletes what should be gone. The gap between the document and the deletion is where almost every school quietly sits.
We protect children’s bodies with systems we rehearse. Fire drills. Safeguarding training. We don’t wait for harm to prove the system was needed. We assume the potential is real and we build for it. A child’s data deserves the same reasoning. At the end of a school year it asks a plain question. When the date in your retention schedule arrives this summer, whose job is it to act on it?