FAQs about Child Protection Records

Should schools keep a copy of the child protection file?

There is no statutory guidance which offers clarity on this issue. Local practice has developed over time, and there are essentially three types of retention that I come across. The most common time for information transfer is between primary and secondary, so I'll use that as an example.

  1. The primary school sends everything the have to the secondary school and keep nothing themselves.
  2. The primary school sends photocopies of the records, and keeps the originals until the person's 26th birthday (see below)
  3. The primary schools sends the originals to the secondary school, but keeps copies until the person's 26th birthday (see below)

For maintained schools, advice should be taken from the Local Authority. Academies, Free Schools and Independent Schools should consult with their legal provider.

Why does retention differ around the country?

Some interpretations of the Data Protection Act say that there should only ever be one safeguarding and child protection file, as only the school where the child is placed should have access to it.

Other interpretations think that if the data has been created by staff in the school, then they should retain ownership of it.

Certainly there are situations where records have gone missing or been destroyed, but have been needed, sometimes many years later, and the copy has been essential.

I'm sure I did read somewhere that there was statutory guidance which said we should keep a copy of the child protection file?

In 2010, the then Department for Children, Schools and Families, published the statutory guidance, 'Safeguarding children and safer recruitment in education' (DCSF, 2010). Appendix 3 of that document said, 'Where children leave the establishment ensure their child protection file is copied for new establishment as soon as possible but transferred separately from the main pupil file'. (Appendix 3). This statement was retained in the first edition of 'Keeping Children Safe in Education (April 2014)', but from 2015, the word 'copied' was removed and the paragraph in the answer below inserted.

What does Keeping Children Safe in Education say?

The statutory guidance for schools says that DSLs should ensure that records are transferred 'to the new school or college as soon as possible, ensuring secure transit, and confirmation of receipt should be obtained' (paragraph 79).

Retention Periods Guidance from the Information and Records Management Society (IRMS)

Whilst there is no definitive statutory guidance, most schools and local authorities use the ‘Information Management Toolkit for Schools’ from the Information and Records Management Society (IRMS). You can find their guidance here: http://irms.org.uk/page/SchoolsToolkit

The IRMS Toolkit page 93 says, ‘ Retention Period: DoB of the child + 25 years then review. This retention period was agreed in consultation with the Safeguarding Children Group on the understanding that the principal copy of this information will be found on the Local Authority Social Services record

Government Guidance: Data Protection Toolkit for Schools

The guidance from the IRMS (above) has now been included in Government guidance:  Data protection: toolkit for schools (see page 31); and the Data protection: annual review checklist  The toolkit says, 'Long term, until the child is 25 years of age or older, for instances where detailed information about activities in school may form an important part of safeguarding for that individual'.

Government Guidance: Information Sharing

The  Information Sharing (DfE, 2018) guidance says, 'In line with each organisation’s own retention policy, the information should not be kept any longer than is necessary. In some rare circumstances, this may be indefinitely, but if this is the case, there should be a review process scheduled at regular intervals to ensure data is not retained where it is unnecessary to do so'.

Historical Allegations of Sexual Abuse

Remember that since the beginning of the Independent Inquiry into Child Sexual Abuse (IICSA), organisations should not destroy any records that might be relevant (see http://www.iicsa.org.uk/media/2871/goddard-inquiry-papers.pdf ). This has been reinforced by including this in Keeping Children Safe in Education (DfE, 2018), paragraph 215.

UPDATE 1st September 2023: Keeping Children Safe in Education no longer includes this requiremnet as the Inquiry has now been concluded.

Retention Periods Judicial Review

In 2015, there was a High Court case into retention periods after a claimant sought a judicial review against Northumberland County Council on the basis that its policy of retaining child protection files for 35 years following case closure was unlawful. The judge concluded that although there was no specific period of time, 35 years ‘falls within the bracket of legitimate periods of retention”.

You can read more about the case here:  High Court Rules on Retention Period for Child Protection Information

The Data Protection Act 2018 and the GDPR

In May 2018, the DPA 2018 and GDPR came into force and, amongst other provisions, it asks organisations to have clear retention policies. The  Data protection: toolkit for schools will help schools do this. The document is clear that data protection should not get it the way of people sharing information.

eRecording Systems (including CPOMS and MyConcern)

The computer systems that are on the market have facilities to transfer the data to other schools. At the time of writing, this does not mean that the data is transferred, it simply means that the previous school relinquish access, and access rights are transferred to the new school; the data is kept intact. For more information, please check with the provider of the system.

Do we need parental permission to transfer safeguarding and child protection files?

Safeguarding and Child Protection information is regarded as 'personal information'.  This is the 'myth-buster' answer given in the  Data Protection Toolkit for Schools (see Annex 10.1 Safeguarding Myth-Busting)

Is consent is always needed to share personal information?

No – you do not necessarily need consent to share personal information. Wherever possible, you should seek consent and be open and honest with the individual from the outset as to why, what, how and with whom, their information will be shared. You should seek consent where an individual may not expect their information to be passed on. When you gain consent to share information, it must be explicit and freely given. There may be some circumstances where it is not appropriate to seek consent because the individual cannot give consent, or it is not reasonable to obtain consent, or because to gain consent would put a child’s or young person’s safety at risk. 

What about students who leave at the end of Year 13 (FAQs)

If a Year 13 student is transferring to University does their Child Protection (CP) file need to be sent to the University? No.

If a Sixth Form student leaves either in Year 12 or at the end of Year 13 to move into employment should the CP file be forwarded to the employer? No. These are education only records.

If a Year 11 student leaves school at 16 to go into employment is the CP file forwarded to the employer? No.

If a Year 11 student leaves school at 16 to start an apprenticeship is the CP file forwarded on to the college where they may do one day a week training or the employer or neither? No.


As can be seen, this is a complex area, so it is most important that the school has a clear policy on retention and follows it consistently.