Retention, consent & audit
Holding data lawfully means keeping it only as long as needed, proving you had consent, and being able to show who did what. EduPrime provides a retention schedule, consent capture and a tamper-evident audit trail – plus breach-awareness tooling.

Retention schedule
Data-protection law requires that personal data is not kept indefinitely. Under Compliance → Retention, define a retention policy per record category:
| Record category | Typical retention | Then |
|---|---|---|
| Active student records | Duration of study | Move to alumni / archive |
| Academic transcripts | Long-term (often permanent) | Retain – legitimate record |
| Applicant data (not enrolled) | Defined months after cycle | Delete / anonymise |
| Health & counselling notes | Per regulation | Secure deletion |
| Financial records | Statutory accounting period | Archive then delete |
EduPrime flags records that have passed their retention period and queues them for review, deletion or anonymisation (stripping identifiers while keeping aggregate statistics). Deletion is reviewed, not automatic, so a legal-hold record is never destroyed by accident.
Consent capture
Consent is captured at the point of collection – on the online application form, the portal, or a paper form digitised by staff – and stored as a dated, purpose-specific record (see Data protection & ODPC). A person’s consent dashboard shows every purpose they have agreed to, when, and whether any consent has been withdrawn, so staff can check before, say, using a photo or sending marketing.
The audit trail
EduPrime logs material actions on sensitive data: who viewed a confidential record, who changed a grade, who issued an official transcript, who ran an export, who released a SAR pack. The log records the user, the action, the record and the timestamp, and cannot be edited by ordinary users.
Breach awareness
When something goes wrong – an account shared, an export emailed in error, suspicious access – the audit trail and access logs help you assess scope quickly: what data, whose, and who touched it. Most data-protection regimes require notifying the regulator of a serious breach within a tight window (commonly 72 hours), so maintain a breach-response runbook and rehearse it. EduPrime gives you the evidence to investigate; the institution owns the obligation to notify.

