top of page

Data retention

This guidance document is designed for use by all British Canoeing affiliated
clubs. It is intended to help you, as a club, identify the key issues relating to
Data Retention, which is one of the fundamental principles of the Data
Protection legislation in force in the UK which includes the Data Protection Act
2018 and the UK General Data Protection Regulation (UK GDPR).

The purpose of this guidance is as follows:
 To inform clubs of the importance of only retaining person data in accordance with the
requirements of UK GDPR.
 To assist clubs in complying with the relevant legislation in this area, including UK GDPR,
employment and health and safety.
 By promoting an understanding of the principles in this area, reduce the amount of personal data
(including paperwork) that clubs and its members manage and store.
This guidance is meant as an introduction to what is a complex and nuanced area and is not intended to
constitute legal advice. If you are unsure as to the implications for your particular club or your obligations
under Data Protection law we would recommend visiting the Information Commissioner's Office (ICO)
website or seeking specialist advice.
What does ‘Data Retention’ mean?
Data Retention refers to the length of time you should retain personal data. It then follows that Data
Retention policies or retention schedules list the types of record or information you hold, what you use it for,
and how long you intend to keep it.
The fundamental principle in this regard is that even where you have collected and used personal data lawfully,
you cannot keep it for longer than you actually need it. Additionally, you should inform the individual how long
you intend to keep their personal data at the time it was acquired.
The principle of data retention covers both electronically stored information (such as on a computer, email
system, cloud-based application, web-based application, within your British Canoeing Club Portal, etc.) as well
as information held within a paper-based storage system (filing cabinet, storage box, folder etc.).
If you wish to retain data to help build a picture of your membership, activity or event over time, you will need
to anonymise the data and ensure that personally identifiable information is not being retained.
What type of information is regarded as ‘personal data’ under UK GDPR?
UK GDPR defines personal data that relates to a living individual who can be directly or indirectly identified
from that information. This could be any information you gather about a member or participant and does not
need to be information you would consider private or restricted. If you can identify an individual from the
information, then it will count as personal data.
Some examples of personal data include, but not limited to:
 Name, address, telephone number, mobile number, email address, passport number, national
insurance number, driving license details, medical information, bank details, credit/debit card
numbers, cultural identity, social media posts, IP address, location data.

Please note: That when processing and handling special categories of personal information there are more
onerous requirements on you as a Data Controller due to the sensitive nature of this data. Special categories
include, but not limited to, personal data that reveals a person’s racial or ethnic origin, or concerns their health
(including disability status), or sexual orientation.
My club is only small- does this still apply to my club?

Yes – If you collect and store any personal data as part of your club’s activities, you still have to gather, process,
and store the data in adherence with UK GDPR.
This guidance is focused on the data that clubs hold centrally, often managed by the Club Secretary or the Club
Members Secretary. However, any data supplied by individuals to the club that is shared with other people
(such as to committee members or coaches and leaders) should receive the same treatment as data which is
held centrally (i.e. only be retained as long as is necessary and proportionate).
So how long should we retain personal data for?
The UK GDPR does not dictate how long you should keep personal data. It is up to you to justify this, based on
your purposes for processing and any other requirements for retention. You will need to be able to justify why
you need to retain data and for what purpose. If you do not need to identify individuals, you should instead
anonymise the data so that identification is no longer possible.
When considering how long you should retain data, there are a number of factors which you should consider.
These factors include:
 Contractual – there may be a contractual requirement to retain information for a specified period of
 Legal requirement –there may be a legal requirement to retain information for a specified period of
 Legitimate interest – you may have a legitimate interest to retain the information for a specified
period of time (e.g. race results, rankings, qualifications etc.).
Whilst UK GDPR does not set specific time limits for the retention of different types of data and this will
depend on some of the factors outlined above, we have provided some example below which will hopefully
act as a starting point for your club in deciding how long different categories of data should be retained. We
would recommend working through the table below and considering if the suggested retention periods are
appropriate in your club’s circumstances.

Information Suggested Retention Period Notes
Current members

Throughout the time the individual is a
member of the club

Data on current members needs to be up-to-date and
accurate. Out of date data (such as a previous email
address) will be deleted from all records as soon as
the club is notified of the update. Once the individual
is no longer a member you will need to refer to data
on ‘former members’ below.

contact details for
current members

Throughout the time the individual is a

If the member updates their emergency contact the
previous details will need to be deleted immediately
from all records. Best practice would dictate that the
member informs the emergency contact that they have
provided their details to you for the purpose of being
an emergency contact.

Former members 6 years after last contact with the


You may have a legitimate interest in retaining
records for this period whilst they may be required
in relation to support, complaints, appeals, and
insurance purposes.
Non-relevant data on member records should be
deleted sooner when it is no longer necessary and
proportionate to retain (such as emergency contact


Throughout the time the individual is a
prospective member. Then follow
guidelines for ‘Current members’ or
‘Former members’

This covers the period of time when the prospective
member is taking part in the 6 sessions prior to joining
the club as permitted within the British Canoeing

Casual enquirers 12 months after last contact with the


This is for those individuals who registered an
interest in the club (for instance via the club
website) but did not attend any club meets or club
events and did not become a member

Meet /event
attendee lists
– held by club

3 years after the event Clubs may wish to retain attendee lists as evidence of
who did/didn’t attend a particular meet/event. If
under 18’s were involved the length of time extends
to 3 years past their 18th birthday.

attendee lists –
provided to meet

Until the event has taken place Copies of attendee lists will be deleted/destroyed
as soon after the event as possible. The club-held
list should be the only one that is kept.

Emails 12 months, if important retain for up

to 6 years.

Not all emails need to be retained.
If the content is deemed to be important and or
relevant to a legitimate purpose, it may be kept for
up to 6 years.

Club Journals Potential to retain indefinitely subject
to appropriate safeguards being in

Club Journals may be considered material with
historical or statistical value and therefore retained
under the exemptions afforded to:
 archiving purposes in the public interest;
 scientific research purposes;
 or statistical purposes.

Minutes of club

Potential to retain indefinitely subject
to appropriate safeguards being in

Minutes of club meetings may be considered
material with historical or statistical value and
therefore retained under the exemptions
afforded to:
 archiving purposes in the public interest;
 scientific research purposes;
 or statistical purposes.

CCTV images No more than 30 days Unless needed for the prevention or detection of


Gift Aid

As long as the declaration is valid, plus
6 years.

Specifically for charities or CASC’s

Accident reports –
if relating to adults

Statutory requirement is 3 years
after the last entry in the
Accident book. To standardise
with other records and for
insurance purposes you may wish
to retain for 6 years

These reports may be required as evidence if a
claim is made on the British Canoeing insurance
and should also be reported via the Incident
reporting system.

Accident reports –
if relating to

To be kept for a minimum of 3 years
after the child reaches the age of 18.
As above, standardise with other
records and for insurance purposes
you may wish to retain for 6 years.

personnel records

6 years after the individual leaves
employment with the club

Including attendance records,
application forms, job or status change records,
performance evaluations, termination papers,
withholding information, garnishments, test results,
training and qualification records

Safeguarding See Notes The Information gathered during the course of an
investigation will be retained by British Canoeing. Data
relating to children will be kept for at least 25 years.
Where the concern relates to an adult’s behaviour
around children, the file will be kept securely until the
adult reaches 65 or for 10 years whichever is longer in
accordance with NSPCC guidelines on records retention
and storage.

When should we review our retention?
When you approach the end of the designated retention period, you should review if you still need personal data
and either erase or anonymise it, unless there is a clear justification for retaining it for a longer period.
You are also required to review whether you still need personal data if an individual asks you to. Individuals have
the right to erasure of personal data that you no longer need for your specified purposes.
What should we do with data we no longer require?
Once you no longer need personal data, you can either erase (delete) it, or anonymise it. It must be remembered
that when erasing, personal data should be permanently deleted to reduce its availability and the risk of future
misuse. In the case of electronic data, it is recognised that it is not always possible delete or erase all traces of
the data. However, you must ensure that the data is put beyond use (including deletion from any back-up
Alternatively, you can anonymise data so that it is no longer possible to identify a data subject from the data.

Still unsure about any aspects of Data Retention? Contact
and we will do our best to assist.

bottom of page