HomeKnowledge base › Universities and student data
Education

Universities: destroying student data

Student files, exams and grade lists at a university ready for confidential destruction

A university or college manages the data of thousands of students and staff. Enrolments and student files, exams and grade lists, diploma and certificate administration, application and personnel data and research data with personal details. Part falls under a statutory retention obligation, part under the tax administration and a large part should be kept as briefly as possible. This guide shows, by part, what you keep, when it may go and how to destroy it confidentially.

The quick answer. You keep the enrolment file for a few years after deregistration, the diploma administration is kept longer and the financial administration falls under the tax seven years. Exam work has a short inspection period and research data with personal details you anonymise or destroy as soon as the research allows. What may go disappears confidentially and with a certificate.

Two frameworks that run together

At an educational institution two things run together. The education and tax rules set what you must keep, from the award of a degree to the administration of tuition fees. Alongside this the GDPR applies, which requires not keeping personal data longer than necessary. The retention obligation sets the floor for what you must keep, the GDPR the ceiling for what you may not keep too long.

So treat the data per type. A diploma has a different status than a rejected application or a set of raw research data. If you make that distinction, you keep exactly what you must and clear out the rest on time. A central overview of periods helps here, such as the GDPR retention periods cheatsheet.

Retention periods by part

The period differs per type of data. The overview below gives the main line. Count the tax period from the end of the financial year and the other periods from the end of the enrolment or the procedure.

PartStarting pointPeriod
Enrolment and student fileEducation ground and GDPRa few years after deregistration
Exams and test workInspection and appeal periodoften around 2 years
Grade lists and certificatesDiploma administrationlong term
Tuition fees and financial administrationTax retention obligation7 years
Rejected applicationsStorage limitation4 weeks, max 1 year with consent
Personnel files of staffGDPR and tax2 to 7 years per component
Research data with personal detailsPurpose limitation, anonymiseas briefly as possible

Use this as a guideline, not a substitute for your own retention policy or an applicable selection list. When in doubt, consult your data protection officer. For the single document types beyond this overview, how long to keep documents helps.

Student files and enrolments

A student file contains name, address, date of birth, a student number and often a copy of an identity document, plus the progress of the programme. After deregistration most of the ground to keep all this data lapses. So keep the file only as long as there is a concrete reason, such as an ongoing financial settlement or an alumni relationship for which the student gave consent, and clear it out afterwards. Education follows fixed patterns here that are comparable to the retention of student files in primary and secondary education.

Be restrained with copies of identity documents. A copy ID contains a national ID number and a photo and is sensitive. Do not keep it longer than the law requires and destroy loose copies confidentially once they have served their purpose.

Exams, grade lists and diploma administration

You keep test and exam work as long as a student can still inspect or challenge the assessment, often around two years. After that the loose work has no ground any more and you destroy it. Grade lists and certificates belong to the diploma administration and have a longer status, because the institution must be able to demonstrate the award of a degree on a lasting basis. This distinction between short-lived test material and lasting results matches the approach for exam work, tests and grade lists in education.

Application, personnel and research data

An institution is also a large employer. Data on rejected applicants you keep briefly, as a guideline four weeks after the procedure, or a maximum of one year where the applicant gave consent. Personnel files of staff have their own periods per component, as described in the retention of the personnel file. Research data with personal details needs extra care. Use the data only for the purpose of the research, anonymise where you can and destroy identifiable data as soon as the research and its accountability allow. Keeping it to come in handy one day is not a valid ground.

How to handle it in 6 steps

  1. Split the data into student file, exam, diploma, personnel and research.
  2. Limit identity data to what the law requires and keep no superfluous copies.
  3. Apply the inspection period for exam work and destroy it afterwards.
  4. Keep diploma and financial administration for the applicable period.
  5. Collect what may go in sealed containers, not in the paper bin.
  6. Have it destroyed confidentially with a certificate and record it in your register.

Destroy confidentially with a certificate

Student data is destroyed confidentially, because it contains identity, study and sometimes health data. The paper and any data carriers travel sealed and stay that way until destruction, so the chain is closed. An old student administration on a server, a backup or a phased-out exam laptop with personal data belongs with it too.

Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof towards the GDPR that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; it works by appointment through collection.

Student data to be destroyed?

Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.

Request a quote

Common mistakes

  • Keeping student files forever. After deregistration most of the ground lapses.
  • Holding on to copies of identity documents. Keep only what the law requires.
  • Not anonymising research data. Identifiable data should not stay longer than necessary.
  • Throwing away unshredded. A student file on the street is a reportable data breach.
  • Keeping no proof. Without a certificate you cannot demonstrate the destruction.

Frequently asked questions

How long does a university keep a student file?

You keep the enrolment file for a few years after deregistration, depending on the legal ground and an ongoing relationship such as alumni or financial settlement. The diploma administration is kept longer because an institution must be able to demonstrate that a degree was awarded. The rest you clear out once the purpose has lapsed.

How long must exams and grade lists be kept?

Test and exam work has a limited period, often around two years, so a student can still inspect or challenge the assessment. Grade lists and certificates belong to the diploma administration and are kept much longer. Loose exam material without a further ground you destroy after the inspection period.

What do I do with application and personnel data?

Data on rejected applicants you keep briefly, as a guideline four weeks after the procedure, or a maximum of one year with consent. Personnel files of staff have their own periods between two and seven years per component. Whatever lapses you destroy confidentially.

How do I destroy student data in line with the GDPR?

Confidentially and with a certificate of destruction. Paper and data carriers travel sealed and stay that way until destruction, and you record the destruction in your record of processing.

Conclusion

A university or college works with identity, study and personnel data of large numbers of people, between a retention obligation and the GDPR. Keep the diploma and financial administration for the applicable period, apply a short inspection period for exam work and clear out student files after deregistration. Application data you keep briefly and research data you anonymise as soon as you can. What may go you have destroyed confidentially with a certificate as proof. That way you meet both frameworks and protect the data of your students and staff.

Read also: training providers: destroying participant data, exam bodies: destroying candidate data, tutoring services: destroying student data and the GDPR retention periods cheatsheet.


Have student data collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.