
How long should we keep personal data?

The GDPR requires us to keep data for no longer than is necessary.

See Group Handbook A6: Handling data

  1. Types of personal data
  2. Deleting information securely
  3. Need support?

Types of personal data

You must follow these rules for different types of data:

Membership data

Membership data must be downloaded from the Portal and not held locally other than for the time it takes to complete a mailing or other task.

  1. Find out more about Using membership data

Volunteer application forms

We don’t expect your group to hold personal information about potential volunteers. If a candidate who submitted a paper application form is successful, either email or post it to our Supporter Care Team. If you don’t recruit them, you must destroy their application form.

  1. See our guidance on Recruiting volunteers

Health and safety documents

You must post or email Accident and Incident Report Forms to our Head of Health and Safety and destroy all copies.

Health and safety documents such as Physical Activity Readiness Questionnaires (PARQ) must be reviewed annually and kept for three years after a person stops taking part in a service.

  1. Find out more about our Risk management system

Financial data

Our Online Accounting system enables you to safely store financial data relating to individuals. You must retain any other financial data for seven years to meet HMRC requirements.

  1. Learn about Managing your finances


If your group awards grants, you must hold grants information for seven years following the issue of a successful grant application. Unsuccessful applications must be destroyed one year after the decision was made.

  1. Find out more about our National Grant Funds

MS Support

We don’t expect Lead Support Volunteers or Support Volunteers to hold personal information about people using your MS Support service, or make case notes about enquiries you have taken, and you must not do so.

  1. See our guidance on Offering MS Support


You must retain personal information such as attendance lists and routine correspondence to and from individuals about events for one year following the event.

  1. Find out more about Organising an event

Stories and photos

Stories and photos must be stored and used for no longer than three years. You must keep the Consent Form for the full duration of use plus another year after the deletion of the stories and photos themselves.

  1. See our rules for using Images and stories


Deleting information securely

Paper records must be shredded or burnt when no longer needed. Electronic records must be deleted from your PC or device’s storage, and the ‘recycling bin’ must be emptied.

When it’s time to replace IT equipment and phones, or you wish to pass them on to someone else, you should reformat disks to ensure that all content is deleted.


Need support?

Our Data Governance Team is here to make sure we all meet our personal data, information handling and record keeping obligations. Contact us for help with any data compliance questions you may have.

  1. Get contact details for our Data Governance Team
