Retention, consent & audit

Holding data lawfully means keeping it only as long as needed, proving you had consent, and being able to show who did what. EduPrime provides a retention schedule, consent capture and a tamper-evident audit trail – plus breach-awareness tooling.

Where to find it — App drawer → ODPC Compliance → Audit Log.
Retention, consent & audit
Retention, consent & audit in EduPrime.

Retention schedule

Data-protection law requires that personal data is not kept indefinitely. Under Compliance → Retention, define a retention policy per record category:

Record categoryTypical retentionThen
Active student recordsDuration of studyMove to alumni / archive
Academic transcriptsLong-term (often permanent)Retain – legitimate record
Applicant data (not enrolled)Defined months after cycleDelete / anonymise
Health & counselling notesPer regulationSecure deletion
Financial recordsStatutory accounting periodArchive then delete

EduPrime flags records that have passed their retention period and queues them for review, deletion or anonymisation (stripping identifiers while keeping aggregate statistics). Deletion is reviewed, not automatic, so a legal-hold record is never destroyed by accident.

Tip — Anonymise rather than delete where you still need the numbers. An anonymised cohort keeps your historical pass-rate trends intact without holding a single identifiable former student.

Consent is captured at the point of collection – on the online application form, the portal, or a paper form digitised by staff – and stored as a dated, purpose-specific record (see Data protection & ODPC). A person’s consent dashboard shows every purpose they have agreed to, when, and whether any consent has been withdrawn, so staff can check before, say, using a photo or sending marketing.

The audit trail

EduPrime logs material actions on sensitive data: who viewed a confidential record, who changed a grade, who issued an official transcript, who ran an export, who released a SAR pack. The log records the user, the action, the record and the timestamp, and cannot be edited by ordinary users.

Important — The audit trail is your defence in a complaint or inspection – protect it. Do not grant audit-log delete or admin-impersonation rights to operational staff; reserve them for a small, named set of administrators and review the log periodically for unusual access.

Breach awareness

When something goes wrong – an account shared, an export emailed in error, suspicious access – the audit trail and access logs help you assess scope quickly: what data, whose, and who touched it. Most data-protection regimes require notifying the regulator of a serious breach within a tight window (commonly 72 hours), so maintain a breach-response runbook and rehearse it. EduPrime gives you the evidence to investigate; the institution owns the obligation to notify.

Was this page helpful?