Data Retention Schedule
This schedule maps each category of personal information stored in Skoolara to a retention period, legal basis and end-of-life treatment. It supports the School's obligations under POPIA section 14 (retention and restriction of records) and the equivalent storage-limitation principle under GDPR Article 5(1)(e).
All retention periods are defaults. A School may, on documented instruction to Skoolara, set longer or shorter retention periods where permitted by law. Where the applicable statutory retention period is longer than a default below, the statutory period prevails.
Conventions
- "Hard delete" — irreversible deletion from production systems. Data is purged from databases and object storage and becomes unrecoverable after the applicable backup-retention window.
- "Anonymise" — irreversibly strip direct and indirect identifiers so that the remaining data cannot reasonably be linked to an identifiable person. Anonymised data may be retained for statistical and analytical purposes.
- "Archive" — move to cold / restricted storage with reduced access. Retention clock continues to run against the archived copy.
- "Enrolment end" — the date on which the learner ceases to be enrolled at the School (whether by graduation, transfer, or withdrawal).
- "Employment end" — the date on which the staff member's employment with the School terminates.
Retention table
| # | Data category | Retention period | Legal basis / rationale | End-of-life action |
|---|---|---|---|---|
| 1 | Student profile (name, DOB, ID/passport, contact, demographic, grade, class) | Enrolment end + 7 years | South African Schools Act 84 of 1996; National Archives and Record Service of South Africa Act 43 of 1996; POPIA s14; education-sector best practice | Hard delete. Aggregate historical roll data may be retained in anonymised form. |
| 2 | Marks and academic results | Enrolment end + 40 years (or lifetime where practicable) | Statutory and certification retention (historical academic record required for verification of qualifications); POPIA s14(1)(a) | Archive then anonymise where no longer required for certification purposes. |
| 3 | Attendance records (daily and per-period) | 7 years from the end of the academic year | Compliance with South African Schools Act and provincial education regulations; POPIA s14 | Hard delete. Aggregate attendance statistics retained anonymised. |
| 4 | Homework and assignment submissions | Enrolment end + 2 years | Education delivery; dispute and grading review windows; storage-limitation principle | Hard delete. |
| 5 | Documents: ID, birth certificate, proof of residence | Enrolment end + 5 years (or earlier where no longer required and no pending matter) | Enrolment verification; Children's Act 38 of 2005; Identification Act 68 of 1997 | Hard delete of scanned copies; paper originals (if any) returned to parent or securely destroyed. |
| 6 | Medical and health information (allergies, chronic conditions, medication) | Enrolment end + 3 years | Duty of care; Children's Act; POPIA s26-27 (special personal information) | Hard delete. |
| 7 | Teacher notes / pastoral and disciplinary records | Enrolment end + 7 years (serious matters: 15 years) | Duty of care; potential litigation and safeguarding review; Prescription Act 68 of 1969 | Hard delete. Where relevant to ongoing safeguarding concerns, retain under legal hold. |
| 8 | Parent / guardian profile and contact information | Duration of the child's enrolment + 1 year (or until last child's enrolment ends + 1 year where multiple children) | Performance of enrolment contract; POPIA s14; communication obligations | Hard delete. |
| 9 | Parent–school communications (messages, notifications) | 2 years from date of message | Education delivery; potential dispute resolution | Hard delete. |
| 10 | Teacher and staff profile | Employment end + 7 years | Basic Conditions of Employment Act 75 of 1997; Employment Equity Act 55 of 1998; Labour Relations Act 66 of 1995 | Hard delete. |
| 11 | Teacher professional qualifications (SACE number, certificates) | Employment end + 7 years | Professional registration; employment law | Hard delete. |
| 12 | Fees, invoices and payment records | 5 years minimum from financial-year end | Tax Administration Act 28 of 2011; Companies Act 71 of 2008 | Archive; hard delete after retention lapses, save for data that must be retained longer by law. |
| 13 | Consent records (POPIA s18 notices, photograph consents, etc.) | Duration of processing relying on that consent + 5 years after withdrawal or enrolment end | Demonstrate lawful basis (POPIA s11; GDPR Art 7(1)); limitation periods for disputes | Hard delete. |
| 14 | Audit logs (access, actions, exports) | 7 years | Security, accountability, investigation of security compromises; alignment with financial-record retention | Hard delete. |
| 15 | Authentication logs (logins, failed logins, token issuance) | 12 months | Security; detection of account compromise; proportionality to purpose | Hard delete. |
| 16 | Device / push-notification tokens | Until device unregistration or 12 months of inactivity | Necessary for push delivery; storage limitation | Hard delete on rotation. |
| 17 | IP addresses and session data | 12 months | Security and fraud prevention | Hard delete. |
| 18 | Error and performance logs | 90 days (production); 30 days (where containing user identifiers) | Operational reliability; data minimisation | Hard delete. |
| 19 | Backups (routine) | Rolling 35 days | Business-continuity best practice; shortest window consistent with recovery-time objectives | Backups are encrypted and automatically rotated; deletions from production flow through to backups within this window. |
| 20 | Disaster-recovery archives | 12 months (quarterly snapshots) | Business continuity | Encrypted, access-controlled; automatic destruction at end of period. |
| 21 | Export files generated through the platform | 30 days from generation | Convenience for the School; minimisation of duplicated personal information | Automatic hard delete after 30 days. |
| 22 | Support tickets and correspondence | 3 years from ticket closure | Service quality; dispute resolution | Hard delete, or anonymise where retaining for service-improvement analysis. |
| 23 | Marketing contact data (staff, decision-makers only — not learners) | Until opt-out or 3 years of inactivity | Legitimate interest; Electronic Communications and Transactions Act 25 of 2002; POPIA s69 (direct marketing) | Hard delete on opt-out or expiry. |
| 24 | CCTV / image uploads stored in Skoolara (where enabled by the School) | 30 days default; longer only where required by a specific incident | Safety and security; proportionality; POPIA s14 | Hard delete on rolling window; incident-related footage retained under case reference. |
| 25 | Anonymised analytics and aggregate reports | Indefinite | Not personal information once properly anonymised; supports service improvement | No action required; periodic review to ensure re-identification risk remains low. |
Legal-hold exception
If personal information is subject to a legal hold — for example, it is relevant to pending or threatened litigation, a regulatory investigation, or a safeguarding matter — the retention periods above are suspended for the affected records until the legal hold is released. Legal holds must be:
- documented in writing by the School's Information Officer;
- communicated to Skoolara so that automated deletion is paused;
- reviewed at least every 12 months; and
- released in writing when no longer required.
Deletion and anonymisation methods
- Database records: deletion via application-level APIs (which cascade deletion across related tables) or via infrastructure-level purge for archived data. Hard-delete jobs run on a scheduled basis.
- Object storage (documents, images): deletion via lifecycle policies in Cloudflare R2 with versioning expiry.
- Backups: rotation in accordance with the 35-day rolling window. Personal information deleted from production becomes unrecoverable from backups once the window has elapsed.
- Anonymisation: removal or hashing of direct identifiers (name, ID numbers, email, phone), suppression or coarsening of indirect identifiers (dates, small-cell demographic combinations), and k-anonymity testing where the data is to be used analytically.
Governance
- The School's Information Officer is responsible for approving deviations from default retention periods.
- Skoolara reviews this schedule at least annually and after any material change to applicable law.
- Any change to a retention period is recorded as a version change of this document.
End of Data Retention Schedule (draft v0.1).