How long can a UK school legally keep prospect data?
Under UK GDPR Article 5(1)(e), the storage limitation principle, personal data must be kept in a form that identifies the data subject for no longer than necessary for the purposes it is processed for. The ICO's direct marketing guidance does not prescribe a number of years; it requires the controller to set a period it can justify. For prospect records at schools and universities, 3 years from the last active contact is the widely adopted sector benchmark, and beyond that point a continuing recruitment purpose is very hard to evidence.
This is not an abstract compliance concern. Schools using CRMs, AI chatbots, email nurture platforms, and open day registration tools accumulate prospect data at scale across multiple systems, and many have no automated purging in place. Understanding exactly what you can keep, for how long, and in what form is the starting point for defensible GDPR compliance in your admissions operation.
For the complete framework governing prospect data under UK GDPR, see our GDPR guide for student data.
The legal framework: UK GDPR and the Data Protection Act 2018
UK GDPR is the post-Brexit retained version of the EU General Data Protection Regulation; the Data Protection Act 2018 sits alongside it, supplementing and tailoring it for the UK. Both instruments apply to all UK higher education providers: Russell Group universities, post-92 universities, private colleges, QAA-registered providers, and OfS-registered institutions alike.
The Information Commissioner's Office (ICO) is the supervisory authority responsible for enforcement. It has published specific guidance on direct marketing and on storage limitation that applies directly to schools managing prospect pipelines.
Three articles of UK GDPR govern retention directly:
- Article 5(1)(e) — storage limitation: data must be "kept in a form which permits identification of data subjects for no longer than is necessary".
- Article 5(2) — accountability: the controller must be able to demonstrate compliance with the storage limitation principle.
- Article 30 — Records of Processing Activities (ROPA): where possible, the envisaged time limits for erasure must be recorded for each category of data, and that includes prospect marketing.
The Limitation Act 1980 also creates a practical floor: contractual claims can be pursued for up to 6 years, so financial and contractual records relating to enrolled students must be retained for at least that period. For prospect data that never converted to enrolment, no comparable statutory minimum applies, and the storage limitation principle alone governs.
Retention periods by data category: the reference table
The following periods reflect ICO guidance and established practice for UK schools and universities. They represent the maximum defensible retention period, not a target: it is longer retention that needs a justification, not shorter. Where a shorter period is enough for your institution's actual purpose, adopt the shorter period.
| Data category | Retention period | Starting point | Legal basis / source |
|---|---|---|---|
| Prospect contact data (email, phone — non-converted) | 3 years | Last active contact | ICO direct marketing guidance (sector benchmark; no fixed period in the guidance itself) |
| Chatbot conversation logs (identified prospect) | 3 years | Last active contact | Part of the prospect retention period |
| Website analytics / cookies | 13 months | Cookie placement | Sector benchmark; ICO/PECR cookie guidance requires a proportionate lifespan rather than a fixed figure |
| Open day / UCAS fair registration data | 3 years (if no conversion) | Last active contact | ICO direct marketing guidance (sector benchmark) |
| Application data — unsuccessful candidate | 2 years | Rejection decision date | ICO / DPA 2018 |
| Application data — withdrawn by candidate | 2 years | Withdrawal date | ICO / DPA 2018 |
| Enrolled student administrative file | 5 years | End of studies | DPA 2018 / QAA guidance |
| Financial / accounting records | 6 years (minimum) | End of financial year | Companies Act 2006 / Limitation Act 1980 |
| Card payment data | 13–18 months | Transaction date | PCI DSS / chargeback period |
| Marketing consent records | 3 years | Consent event or withdrawal | ICO accountability principle |
Two points deserve attention. First, the 3-year period for prospect contact data starts from the last active contact, not from the date of collection. An email reply, an open-day attendance, or a chatbot re-engagement resets the clock. Second, chatbot conversation logs involving an identified prospect are part of the prospect's overall record and follow the same 3-year limit; conversation data that has been genuinely anonymised or aggregated falls outside the personal data regime, but only if the individual can no longer be singled out from it.
The three-phase retention lifecycle
A three-phase lifecycle, widely used in records-management practice, gives a workable structure for applying the storage limitation principle to prospect data.
Phase 1 — Active retention
During active retention, the data is operationally accessible to admissions and marketing teams. A prospect who submitted an enquiry form is in active retention from the date of collection. The retention clock runs from the last meaningful engagement: a replied email, a chatbot interaction, a form submission, an open day attendance, a brochure download.
For UCAS applicants, active retention runs through the application cycle and the admissions decision. For prospects who never apply, the active phase should ideally be capped at 12–18 months from last contact; beyond that, reactivation campaigns rarely perform well enough to justify keeping the record in operational use.
Phase 2 — Intermediate archiving
Intermediate archiving covers the period between the end of operational use and final deletion or anonymisation. In this phase, data is no longer accessible to day-to-day admissions activity but is retained for specific justified purposes: potential legal claims, regulatory audits, or ongoing complaints. Access is restricted, and the data is held in a separate, controlled environment.
For unsuccessful application data, this phase covers the 2-year post-rejection window during which an admissions dispute could be raised. For pure prospect data, intermediate archiving is rarely necessary: the 3-year outer limit encompasses both phases.
Phase 3 — Deletion or anonymisation
At the end of the retention period, data must be either securely deleted or anonymised to the standard UK GDPR Recital 26 sets: the individual is no longer identifiable by any means reasonably likely to be used. Anonymisation is a valid alternative to deletion under UK GDPR, provided the result is genuinely irreversible in practice. Pseudonymised data (where re-identification is possible with a key or a lookup table) is still personal data and remains subject to GDPR.
Automated purging configured in your CRM and email platform is the operationally simplest approach. Manual deletion processes across multiple systems are error-prone and create accountability gaps.
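The lifecycle above is straightforward to encode, and encoding it is what keeps "active contact" from being decided case by case. The following is an added worked example, not code from this page or from any CRM vendor: a small retention engine that classifies events as active or passive, computes the clock start per record, assigns each record to the active, restricted (archived) or delete phase for a given date, and shows why a keyed hash is pseudonymisation while a reduced aggregate record is anonymisation. The record shape, event names, the RULES table, the 18-month active cap and all sample data are assumptions constructed for illustration; the periods mirror the page's table.

```python
"""Retention-clock and purge decisions for prospect records.

Added worked example; not code from this page or any CRM vendor. Record
shape, event names, RULES and sample data are constructed assumptions.
"""
import calendar
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Events where the prospect took an affirmative step: these restart the clock.
ACTIVE_EVENTS = {"reply", "form_submission", "open_day_attendance",
                 "chatbot_message", "brochure_download", "event_registration"}
# Anything else (sends, opens, tracking pings, unknown types) is passive and
# never extends retention. Unknown types failing closed is deliberate: a new
# integration cannot silently keep records alive.

# Assumed rules in months: "active_cap" ends operational access,
# "delete_after" is the outer limit at which the record must go.
RULES = {
    "prospect":            {"active_cap": 18, "delete_after": 36},
    "applicant_rejected":  {"active_cap": 0,  "delete_after": 24},
    "applicant_withdrawn": {"active_cap": 0,  "delete_after": 24},
}

@dataclass
class Record:
    record_id: str
    category: str
    email: str
    collected: date
    events: list = field(default_factory=list)   # (date, event_type) pairs
    decision_date: Optional[date] = None         # rejection or withdrawal date

def add_months(d, months):
    """Calendar-aware month arithmetic; 31 Jan + 1 month clamps to end of Feb."""
    y, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def clock_start(rec):
    """The date the retention period runs from for this record."""
    if rec.category.startswith("applicant_"):
        if rec.decision_date is None:
            raise ValueError(f"{rec.record_id}: applicant record without a decision date")
        return rec.decision_date
    active = [d for d, kind in rec.events if kind in ACTIVE_EVENTS]
    return max(active, default=rec.collected)  # no active contact: runs from collection

def phase(rec, today):
    """'active' (operational), 'restricted' (archived, limited access) or 'delete'."""
    rule = RULES[rec.category]
    start = clock_start(rec)
    if today >= add_months(start, rule["delete_after"]):
        return "delete"
    if today >= add_months(start, rule["active_cap"]):
        return "restricted"
    return "active"

def purge_plan(records, today):
    """Map every record to its phase; this is what a nightly job would act on."""
    return {r.record_id: phase(r, today) for r in records}

def pseudonymise_email(email, key):
    """Keyed hash of the address. Anyone holding the key can confirm a known
    address by recomputing it, so the output is still personal data."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()

def anonymise(rec):
    """Keep only fields that cannot single a person out: no identifiers, date
    coarsened to a year, events reduced to a count. Retainable for statistics."""
    return {"category": rec.category,
            "enquiry_year": rec.collected.year,
            "active_contacts": sum(1 for _, k in rec.events if k in ACTIVE_EVENTS)}

# Constructed sample data; "today" is fixed so the decisions are reproducible.
TODAY = date(2025, 1, 15)
SAMPLE_RECORDS = [
    # Old enquiry with only passive email opens since: opens do not reset the clock.
    Record("P1", "prospect", "p1@example.org", date(2021, 3, 1),
           [(date(2021, 3, 2), "email_sent"), (date(2024, 9, 1), "email_open")]),
    # Same collection date, but a 2023 chatbot re-engagement restarted the clock.
    Record("P2", "prospect", "p2@example.org", date(2021, 3, 1),
           [(date(2023, 6, 10), "chatbot_message")]),
    # Fresh enquiry.
    Record("P3", "prospect", "p3@example.org", date(2024, 11, 1),
           [(date(2024, 11, 1), "form_submission")]),
    # Rejected two years and five days ago: past the 2-year window.
    Record("A1", "applicant_rejected", "a1@example.org", date(2022, 10, 1),
           decision_date=date(2023, 1, 10)),
    # Withdrew mid-2023: out of operational use, still inside the 2-year window.
    Record("A2", "applicant_withdrawn", "a2@example.org", date(2023, 2, 1),
           decision_date=date(2023, 6, 1)),
]

if __name__ == "__main__":
    for rid, decision in purge_plan(SAMPLE_RECORDS, TODAY).items():
        print(rid, decision)
    print(anonymise(SAMPLE_RECORDS[0]))
```

Run as a script and P1 comes out as "delete" despite an email open four months earlier, P2 as "restricted" because a chatbot message in 2023 restarted its clock, and A1 as "delete" while A2 is still held in the restricted phase. The choice to treat unknown event types as passive is the security-relevant one: a purge job that extends retention on any unrecognised event will quietly keep records forever once a new platform starts emitting new event names.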
ROPA obligations: documenting your retention periods
Article 30 of UK GDPR requires controllers to maintain a Record of Processing Activities. For schools, the ROPA must document every processing activity involving personal data — including prospect marketing — and must specify the retention period or, where that is not possible, the criteria used to determine it.
An undocumented retention period is an ICO audit risk. When an inspector or a data subject asks how long your institution keeps prospect data, "we haven't decided" is not a compliant answer. The ROPA is not just a bureaucratic formality; it is the mechanism through which the accountability principle in Article 5(2) is discharged.
The ROPA should cover, for prospect data:
- The categories of data subjects (prospects, enquirers, open-day attendees)
- The categories of personal data (name, email, phone, programme interest, chatbot logs)
- The purposes of processing (marketing, recruitment, event follow-up)
- The retention period for each processing activity
- The technical and organisational security measures in place
The chatbot and AI dimension
72% of prospect questions to school chatbots are simple FAQ queries that can be automated; only 7% require human escalation (Source: Skolbot AI chatbot analysis of 12,000 conversations, 2025). This means the overwhelming majority of chatbot interactions generate conversation logs that do not contain the complex personal disclosures that require special handling — but those logs still constitute personal data when linked to an identified or identifiable individual.
Three rules apply to chatbot-generated prospect data:
Identify the user at the start of the session. If the conversation involves an unidentified visitor, the data is less sensitive but may still be personal: an IP address, a persistent session or device identifier, or details volunteered in the conversation can each make the visitor identifiable. A prospect who gives their name and email in the first exchange becomes identified, and the 3-year retention clock starts from that moment.
Apply automatic redaction to sensitive data. Prospects spontaneously disclose disability status, financial difficulties, or health conditions in chatbot conversations. Health and disability information is special category data under Article 9 of UK GDPR and requires heightened protection; financial hardship is not special category data, but is sensitive in practice and should be treated the same way in logs. Automatic redaction or anonymisation of such disclosures at 30 days is a common and defensible practice.
Include chatbot data in the data mapping for erasure requests. When a prospect requests erasure under Article 17 of UK GDPR, conversation logs on the chatbot platform must be deleted alongside CRM records, email subscriber profiles, and open-day attendance records. For a detailed walkthrough of this process, see our guide on handling erasure requests for prospective students.
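The 30-day redaction rule above is simple to automate, and automating it is what stops disclosures from sitting in logs for the full 3 years. The following is an added worked example, not code from this page or from any chatbot vendor: it scans each transcript turn against a small set of indicator patterns for health and disability disclosures (Article 9) and financial hardship, and replaces the whole turn with a category-only placeholder once it is older than the redaction window. The keyword lists, the transcript format and the sample conversation are constructed assumptions; a production deployment needs a maintained classifier and human review, because prospects describe conditions in far more ways than any short pattern list captures.

```python
"""Age-based redaction of sensitive disclosures in chatbot logs.

Added worked example; not code from this page or any chatbot vendor. The
patterns, transcript format and sample conversation are constructed.
"""
import re
from datetime import date

REDACT_AFTER_DAYS = 30  # the page's 30-day rule

# Deliberately small indicator lists for illustration only.
# Article 9 special category data: health, which includes disability.
SPECIAL_CATEGORY_PATTERNS = {
    "health": re.compile(
        r"\b(diagnos\w*|medication|depression|anxiety|ADHD|dyslexi\w*|autis\w*|"
        r"epilep\w*|wheelchair|disabilit\w*|disabled)\b", re.IGNORECASE),
}
# Not Article 9 data, but the page flags it as sensitive in practice.
SENSITIVE_PATTERNS = {
    "finance": re.compile(
        r"\b(can'?t afford|bankrupt\w*|debt|universal credit|hardship fund)\b",
        re.IGNORECASE),
}

def classify(text):
    """Return the list of sensitive categories detected in a turn (may be empty)."""
    hits = [c for c, p in SPECIAL_CATEGORY_PATTERNS.items() if p.search(text)]
    hits += [c for c, p in SENSITIVE_PATTERNS.items() if p.search(text)]
    return hits

def redact_turn(turn, today):
    """Copy of the turn; once older than the window, a turn that matches is
    replaced entirely. Whole-turn replacement is chosen over keyword masking
    because "I have [REDACTED]" still reveals that a disclosure was made.
    Assistant turns are checked too, since a bot often echoes what it was told."""
    age_days = (today - turn["sent"]).days
    cats = classify(turn["text"])
    if not cats or age_days < REDACT_AFTER_DAYS:
        return dict(turn)
    return {**turn, "text": "[REDACTED: " + ", ".join(cats) + "]", "redacted": True}

def redact_transcript(turns, today):
    return [redact_turn(t, today) for t in turns]

# Constructed sample transcript for an identified prospect; "today" is fixed.
TODAY = date(2025, 1, 15)
SAMPLE_TRANSCRIPT = [
    {"role": "user", "sent": date(2024, 11, 20),
     "text": "Hi, I'm Sam. What are the entry requirements for BSc Computing?"},
    {"role": "assistant", "sent": date(2024, 11, 20),
     "text": "For BSc Computing we ask for 112 UCAS points including Maths."},
    {"role": "user", "sent": date(2024, 11, 20),
     "text": "I have dyslexia, will I get extra time in exams?"},
    {"role": "user", "sent": date(2025, 1, 10),
     "text": "Also, when is the next open day?"},
]

if __name__ == "__main__":
    for t in redact_transcript(SAMPLE_TRANSCRIPT, TODAY):
        print(t["sent"], t["role"], t["text"])
```

The name in the first turn is left alone on purpose: it is an identifier, not a sensitive disclosure, and it is governed by the 3-year prospect clock rather than the 30-day redaction rule. The third turn, 56 days old on the sample date, is replaced with "[REDACTED: health]"; run the same transcript with a date inside the window and it is returned unchanged.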
Common retention failures in UK schools
Failure 1 — The legacy CRM. Prospect records from 2019, 2020, and 2021 still active in the database, receiving occasional marketing emails. These records are almost certainly beyond the 3-year limit and represent both a regulatory risk and a deliverability drag.
Failure 2 — The UCAS spreadsheet. Contact lists from UCAS fairs downloaded as Excel files, stored locally on staff laptops, never imported into the CRM or purged. These shadow records are invisible to any retention policy.
Failure 3 — The "just in case" archive. Application data from rejected candidates retained indefinitely on the grounds that "they might reapply". The 2-year post-rejection limit is clear; speculative future interest does not override it.
Failure 4 — The undocumented ROPA. A retention policy exists on paper but is not reflected in the ROPA, not configured in the CRM, and not communicated to staff. The accountability principle requires that policy and practice are aligned.
Failure 5 — Cookie data beyond 13 months. Analytics cookies and advertising pixels with lifespans beyond the 13-month benchmark, and the analytics data collected through them kept for longer still, often because the consent management platform was configured at launch and never reviewed. For a detailed treatment of this compliance area, see our cookie consent GDPR guide for schools.
Deletion checklist: what your institution must do
- Retention periods are documented in the ROPA for every processing activity involving prospect data
- CRM is configured with automated purging at the stated retention limit for each data category
- Email platform subscriber lists are synchronised with CRM purging: deleted CRM records are unsubscribed and removed
- Chatbot platform: confirm with your vendor that conversation logs can be deleted by individual prospect (not only in bulk)
- Open-day attendance records: reviewed and purged at 3 years from the event
- Application data for unsuccessful candidates: deleted 2 years after the rejection decision
- Cookie consent records and analytics data: reviewed at 13 months
- Financial records: retained for 6 years minimum (Companies Act / Limitation Act)
- Staff are aware of the retention policy and know not to maintain shadow Excel copies
- A process exists to restart the retention clock when a prospect re-engages
For a broader end-to-end framework, see our protecting prospect data under GDPR guide.
FAQ
What is the standard retention period for prospect data at UK schools?
The ICO's direct marketing guidance does not set a fixed number of years; it requires a period the institution can justify. The widely adopted benchmark for prospect and marketing data is 3 years from the last active contact. This is a ceiling, not a floor: if a prospect clearly has no ongoing interest, shorter retention is more defensible. The clock resets each time the prospect actively engages.
Does the retention period restart if a prospect opens a marketing email?
Opening an email is passive behaviour (and with modern mail clients pre-fetching images, often not even the recipient's action) and does not constitute active re-engagement for the purposes of resetting the retention clock. A reply, a form submission, an open-day registration, or a chatbot interaction, actions requiring affirmative steps from the prospect, are the appropriate triggers for restarting the 3-year period.
Must retention periods be included in the privacy notice?
Yes. Article 13 of UK GDPR requires that when personal data is collected, the controller must provide the data subject with information about the retention period or, where that is not possible, the criteria used to determine it. A privacy notice that says only "we will keep your data for as long as necessary" without specifying the criteria does not satisfy this requirement.
Can a school retain prospect data indefinitely if the prospect never unsubscribes?
No. The storage limitation principle in Article 5(1)(e) of UK GDPR applies regardless of whether the prospect has exercised any rights. Lack of objection does not create a lawful basis for indefinite retention. The institution must apply its own retention policy proactively.
What are the ICO's enforcement powers for retention failures?
The ICO can issue fines of up to £17.5 million or 4% of annual global turnover (whichever is higher) for serious infringements of UK GDPR, including storage limitation failures. The ICO also has powers to issue reprimands, information notices, assessment notices, enforcement notices, and penalty notices. Education sector audits are a published priority; retention of prospect data has featured in past regulatory investigations.