Summer Holiday Data Protection Review - Case Study
Case Study: The Summer Holiday Data Protection Review That Uncovered Years of Forgotten Records
For many schools, the summer holiday period is the only realistic opportunity to step back and review information governance arrangements. Pupils are off-site, teaching pressures are reduced, and staff have an opportunity to focus on projects that are difficult to tackle during term time.
One independent school used the summer break to commission a data protection compliance review. The aim was simple: ensure compliance before the start of the new academic year.
What the review uncovered surprised senior leadership.
The Background
The school had grown significantly over the previous decade. New buildings had been opened, several IT systems had been introduced and large volumes of records had been digitised. The school believed its data protection and GDPR arrangements were largely compliant, and policies existed.
Staff had received training and a Data Protection Lead had been appointed, so the data protection compliance review was intended as a routine health check.
The First Task: Mapping Personal Data
The review began by identifying where personal data was stored.
The initial list included:
- The pupil management system
- HR software
- Finance systems
- Shared drives
- Email accounts
However, as discussions progressed, additional locations emerged. These included:
- Archived paper records
- Former staff filing systems
- Departmental spreadsheets
- Legacy databases
- Safeguarding archives
- External storage facilities
By the end of the review, the school had identified more than twice the number of data repositories originally expected.
The Second Task: Archive Room Discovery
One summer holiday task involved reviewing long-term archive storage. A storeroom that had gradually become a repository for historical files contained:
- Former pupil records
- Admissions files
- Staff personnel records
- Historic safeguarding documentation
- Complaint files
Some records dated back more than twenty years, and many had never been reviewed against the school's retention schedule. Several of the information storage boxes were labelled only with a year and a department name, and no detailed inventory existed.
The Third Task: Retention Review
The school's retention policy appeared comprehensive on paper. However, the review revealed that implementation was inconsistent. Different departments interpreted retention periods differently, and some records that should have been securely destroyed years earlier remained in storage.
At the same time, certain records requiring long-term retention had not been clearly identified. The issue was not a lack of policy; it was a lack of operational review.
The Fourth Task: Subject Access Request Testing
As part of the summer review, the school conducted a practical exercise. A hypothetical Subject Access Request was created for a former pupil. The objective was to determine how quickly relevant information could be located. The exercise revealed that data could potentially exist in:
- Email archives
- Paper files
- Shared drives
- Safeguarding records
- Historic databases
Finding all relevant information would have required significant effort, and the exercise highlighted the importance of understanding where information is stored before a real request arrives.
The Fifth Task: Safeguarding Records
Particular attention was given to safeguarding documentation, as these records were among the most sensitive held by the school. The review identified:
- Historical safeguarding files stored separately from current records.
- Limited documentation regarding archive arrangements.
- Uncertainty about long-term retention decisions.
While no immediate compliance failures were identified, the review highlighted the need for stronger governance and clearer ownership.
The Sixth Task: Updating the Record of Processing Activities
During the review, the school also examined its Record of Processing Activities (ROPA). Several processing activities were found to be missing or outdated: new educational technology platforms had been introduced and additional third-party suppliers had been engaged. Some records storage arrangements were not documented at all.
The summer holiday provided an ideal opportunity to update records before the start of the new academic year.
The Outcome
By the end of the project, the school had:
- Updated its Records of Processing Activities.
- Reviewed retention schedules.
- Created an archive inventory.
- Identified records suitable for secure destruction.
- Improved safeguarding records governance.
- Clarified ownership of information assets.
- Strengthened Subject Access Request procedures.
Importantly, no major data breach or regulatory issue had occurred. The review simply identified areas where compliance arrangements had drifted over time.
Why Summer Is the Ideal Time
Many schools use the summer holiday to carry out building maintenance, curriculum planning and operational reviews, and information governance deserves the same attention. The quieter summer period provides an opportunity to:
- Review retention schedules.
- Audit archived records.
- Update privacy documentation.
- Review supplier arrangements.
- Refresh staff training.
- Test Subject Access Request procedures.
- Update Records of Processing Activities.
These tasks are often difficult to complete effectively during a busy term.
Conclusion
The school's GDPR review did not uncover a crisis.
What it uncovered were years of gradual change that had never been fully documented or reviewed.
That is often how compliance risks emerge—not through a single event, but through the slow accumulation of records, systems and processes over time.
For schools, the summer holiday is more than a break between academic years. It is an opportunity to ensure that data protection practices remain as robust as the education they provide.
Sometimes the most valuable outcome of a GDPR review is not discovering a problem; it is discovering it before someone else does.
Contact Caroline Harrison, CSH Consulting, if you would like to talk more about Data Protection Compliance Reviews: caroline@cshconsulting.co.uk



