Email Retention and Management Policy

  1. Introduction

DS Educational Psychology is committed to upholding the principles of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, particularly the principle of data minimisation. This means that personal data will only be collected, stored, and retained for as long as it is strictly necessary for legitimate professional or legal purposes.

This policy sets out how emails are managed, retained, and securely deleted to ensure compliance with data protection laws and to protect the confidentiality of clients and professional contacts. 

  2. The Principle of Data Minimisation

The data minimisation principle requires that:

  • Only essential data is collected and processed – Emails should contain only the information necessary to complete professional duties.
  • Emails are not retained beyond their required purpose – If the information has been transferred to a secure case file, the email must be deleted.
  • Duplicate records must be avoided – If data is stored securely elsewhere (e.g., in a report, financial record, or case note), emails containing the same information must not be retained.
  • Once an email has fulfilled its purpose, it must be securely deleted.

  3. Email Retention and Automatic Deletion

Emails will be managed as follows:

Email type: General inquiries (non-client related)
  Retention period: Deleted after 6 months
  GDPR justification: No lawful basis for long-term retention
  Action: If no further action is required, emails are permanently deleted.

Email type: Client-related emails (parents, schools, professionals)
  Retention period: Deleted immediately after the report is sent and the invoice is paid
  GDPR justification: Data minimisation – no longer necessary for processing
  Action: All related emails are removed from inboxes, sent folders, and trash folders.

Email type: Invoices and financial records
  Retention period: Retained for 7 years
  GDPR justification: Legal requirement for financial compliance
  Action: Stored securely outside of email.

Email type: Safeguarding or legal concerns
  Retention period: Retained indefinitely if legally required
  GDPR justification: Legal obligation
  Action: Stored securely outside of email and monitored separately.

  • Once a report has been sent to the client and payment has been received, all related emails are permanently deleted from all email folders.
  • No client emails are retained unless legally required for safeguarding or compliance reasons.

  4. Secure Storage and Data Handling

  • Emails must not serve as long-term storage – Any necessary information should be transferred to a secure document management system or financial record.
  • Emails containing personal data must not be duplicated or forwarded unnecessarily.
  • Emails should never store highly sensitive data unless encryption is used.
  • Email servers will be regularly cleared to remove any residual personal data and ensure compliance with GDPR data minimisation principles.

  5. Immediate and Secure Email Deletion Process

✔ Once a report is issued and payment is confirmed, all related emails are deleted from:

  • The inbox
  • The sent folder
  • The trash/recycle bin

✔ Automated deletion policies will be implemented to prevent personal data from being stored unnecessarily in email accounts.

✔ If an email contains information required for professional or legal purposes, it must be securely stored elsewhere and then deleted from the email system. 

  6. Client Rights Under GDPR

Under UK GDPR, individuals have rights regarding personal data contained in emails, including:

  • Right to Access – Clients can request copies of emails before they are deleted.
  • Right to Erasure (‘Right to be Forgotten’) – Once a report has been issued and the invoice has been paid, all related emails are deleted automatically, ensuring compliance with this right.
  • Right to Rectification – Clients may request corrections before deletion.

All requests must be submitted in writing and will be processed within 30 days, unless an exemption applies.

  7. Email Security and Confidentiality

  • Personal data in emails must be minimised to prevent data breaches.
  • Encrypted email or secure document transfer platforms must be used when sending sensitive information.
  • Multi-factor authentication (MFA) is required for email account access to enhance security.
  • Emails should not be accessed on public or shared devices unless secure login credentials are used.

  8. Breach Management and Compliance

If an unauthorised disclosure of personal data occurs via email, it must be reported immediately. If necessary, the Information Commissioner’s Office (ICO) will be notified within 72 hours in accordance with UK GDPR breach reporting requirements.

  9. Policy Review and Updates

This policy will be reviewed annually to ensure compliance with evolving data protection laws and best practices. Adjustments will be made if regulatory changes or operational needs arise.

Key takeaway: Emails will only be retained when absolutely necessary, and all unnecessary personal data will be deleted as soon as it is no longer required. This ensures full compliance with GDPR’s data minimisation principle and protects the privacy of all individuals involved.
