Data Retention – Guidelines for Schools

The Department for Education has urged schools to ramp up protection for their systems and data following a new round of targeted ransomware attacks.


Targets for the recent cyber-attacks included all 17 schools in Cambridge Meridian Academies Trust, 15 schools at Nova Education Trust in Nottingham and 24 Schools across South Gloucestershire, including all seven at Castle School Education Trust.

Jon Gilbert, Chief Information Security Officer for the DfE, is now asking UK education establishments to confirm they are taking action to protect their systems and ensure that they have both a backup regime and incident management plan in place.

He wrote: “We have been working closely with the National Cyber Security Centre (NCSC) and have been made aware of an increasing number of cyber-attacks involving ransomware infections affecting the education sector recently, notably multi-academy trusts.

“These incidents appear to be financially driven but opportunistic, taking advantage of system weaknesses such as unpatched software, poor authentication systems or the susceptibility of users to misdirection.

“It is important that as heads of multi-academy trusts you understand the nature of the threat and the potential for ransomware to cause considerable damage to your institutions in terms of lost data and access to critical services, as highlighted in the NCSC Alert.”

The increase in attacks comes at a time when schools are being asked to rely heavily on technology, carry out additional reporting and change the nature of examinations.

In the most recent DfE notification, schools are urged to confirm with their IT team or provider that:

  • they are backing up the right data – including Covid-19 testing information, associated data, and data relating to exams alongside other key elements.
  • backups are held fully offline and not connected to systems or in cold storage
  • tests are carried out to ensure backups and restore services are working and data can be recovered

To combat this spike in malicious malware, the NCSC recommends a ‘defence-in-depth’ approach and above all urges organisations to have ‘up-to-date and tested offline backups’.

Data Retention Policies – Considerations / Reasoning

Consider four periods of data retention:

  1. Daily: This captures the data from the very beginning and reduces the risk of loss to a few hours (maximum of one day). Early stage data retention is critical in save guarding from loss of day to day project work.
  2. Monthly: This provides an archive of the most recent work and further ensures that any loss of data is minimised.
  3. Yearly: Good practice, as well as mitigating widescale data loss ie: where a ransomware attack renders substantial amounts of data unusable.. 
  4. Long term (3+ years):  Provides for instances where historical / analytical information may be useful or required.

When setting a data retention policy, consider the following questions:

  • Why am I holding this data?
  • Am I under legal duty to retain the information for a set period of time?’ Consider legal duties that impose specific time periods for data retention
  • Do I need to pass it on? Once I have passed it on, am I required to keep it? Do I still need to use it?
  • What is the school’s actual responsibility – is appropriate long-term retention actually someone else’s job such as a ‘receiving institution’ or local authority?
  • What might Ofsted expect from me in terms of the length of time I can perform detailed reporting?
  • As time goes on, can I delete some of the information – for example would aggregated data (‘counts’ of pupils that you might share with governors) or de-personalised data (individual rows, but with names and other identifiers removed) do the job just as well?
  • “Because I always have done” is not a justification, but it may be a clue as to a justification. “ Why might we have that policy?” Is a good question to ask.

A number of schools have collaborated with sharing thinking on data retention with us in creating this document, and their shared work is provided in Annex 5.1. This is provided to stimulate thinking and discussion at a local level. As data controllers, schools should determine their own policies that work for them and their particular context.

Pricing Calculator

Use the calculator below for indicative pricing.

Backup space required (1TB = 1000GB).
Don’t worry if you don’t know what licences you need just submit the TB you require and we’ll advise on licences.
Includes Backup & Replication Enterprise + Veeam ONE (No of Licences)
Includes Backup & Replication Enterprise + Veeam ONE (No of Licences)
No of Licenses
No of Licenses
No of Licenses
No of Licenses
No of Licenses
Total (Per Month)£ 

    Please prove you are human by selecting the star.

    How does it work?


    My Cloud Backup for Education is a leading provider of online backup for educational organisations.

    By using My Cloud Backup you can rest assured that your data is secure, easily accessible and inline with the most recent government legislation.

    Sign up for a FREE 30 day trial ...

    We will carry out the installation of either our My Cloud Backup solution or our My Cloud Backup for 365 solution.

    You can use this entirely free for 30 days.

    Simply fill out the form and our support team will be in contact with you.

    3 + 1 =