Principle 5: Personal data processed for any purpose shall not be kept for longer than is necessary

Universities are notorious for retaining data long after it serves any useful and, importantly, notified purpose. Many potential data protection issues could be alleviated if personal data that is no longer required for the purpose for which it was obtained was destroyed.

Staff need to be encouraged to question the need to retain personal data as a matter of course. The University needs to identify, in liaison with heads of the relevant central sections, data which could be destroyed after an appropriate time lapse.