An official training service of the State of the Kaharagians
ADM 201 Service Records and Registry
Lesson 4 of 10 · ADM 201

Retention, Disposal, and Confidentiality

Lesson Overview

The last three lessons taught you where records are kept, what a service record holds, and how a registry keeps every document findable and accounted for. This lesson is about the two ends of a record's life that the others only pointed at: how long a record is kept, and how it is protected for the whole of that time and safely destroyed at the end of it. A force that knows how to open and maintain records but never decides how long to hold them ends up either drowning in paper it no longer has any reason to keep, or throwing away the very thing it will be asked for next year. And a force that holds members' and nationals' personal data without controlling who may see it, keeping it accurate, and disposing of it safely has not really protected anyone, however neat its files look. Retention, disposal, and confidentiality are not the housekeeping that comes after the real work; they are part of the duty of care the record carries from the day it is opened.

Three ideas hold this lesson together. The first is the retention schedule: the principle that a record is kept for as long as there is a lawful or service need for it and no longer, and that this is decided in advance by rule rather than by guesswork on the day. The second is safe disposal: that a record holding personal data is never simply binned, deleted carelessly, or left in a recycling pile, but securely destroyed so that the data in it cannot be recovered, with the destruction itself recorded. The third is confidentiality and data protection: that personal data is held only where there is a reason, seen only by those who need it, kept accurate, retained only as long as it is lawful to retain it, and disposed of safely, which are the data-protection principles applied to a working orderly room. Sitting across all three is access control, the plain question of who may see a service record, and the discipline of answering it the same way every time.

This is the knowledge layer. Reading it teaches you how a retention schedule is read and applied, how a record is securely disposed of and the disposal recorded, and how the data-protection principles shape who holds, sees, and keeps personal data. But the hands-on administration this feeds, reviewing files against a schedule, raising and witnessing a destruction, granting and recording access, is practised and signed off in person where supervision allows, on records you are appointed to handle. By the end you will be able to explain what a retention schedule is and apply the rule that a record is kept while there is a lawful or service need and no longer; describe safe, secure disposal of records that hold personal data and why casual binning is never acceptable; state the data-protection principles and apply each to the personal data a force holds about its members and nationals; apply access control to a service record, deciding and recording who may see it; and explain how all of this ties to the records and data security taught in CIS 220.

Key Terms

  • Retention: the keeping of a record for a defined period, decided in advance, during which there is a lawful or service need for it; after that period the record is disposed of.
  • Retention schedule: the written rule that sets, for each type of record, how long it is kept and what happens to it at the end, so that retention is decided by policy rather than by guesswork on the day.
  • Lawful or service need: the test for whether a record may still be held, that there is either a legal reason or a genuine force reason to keep it; once both are gone, the record is no longer kept.
  • Disposal: what is done with a record at the end of its retention, either secure destruction or, for the few records of lasting value, permanent preservation.
  • Secure destruction: the safe, irreversible destruction of a record so that the personal data it held cannot be recovered, for example shredding paper and properly wiping digital files, never casual binning.
  • Destruction record (disposal log): the short, dated, signed note that a record was securely destroyed, what it was, when, by whom, and under what authority, so that disposal is itself accountable.
  • Personal data: information about an identified or identifiable person, a member or a national, such as name, contact details, next of kin, service history, conduct, or medical category.
  • Data-protection principles: the standing rules for handling personal data, lawfulness, purpose limitation, minimisation, accuracy, storage limitation, and security, taught in full in CIS 220 and applied here.
  • Data minimisation: holding only the personal data genuinely needed for the purpose, and no more, so that what is not held cannot be lost or misused.
  • Storage limitation: the principle that personal data is kept only as long as there is a lawful need, which is what the retention schedule puts into practice.
  • Confidentiality: the duty that personal data is seen only by those who need it for their work, and not disclosed to anyone else.
  • Access control: the discipline of deciding, granting, and recording who may see a particular record, on what need, so that access is by entitlement and not by curiosity or convenience.
  • Need to know: the test for access, that a person may see personal data only where they genuinely need it to do their duty, not merely because they are senior, present, or interested.

The retention schedule: keeping a record the right length of time

A record exists to be used, and most records are useful for a while and then are not. An application decided years ago, a strength return long since superseded, a routine letter whose matter is closed, all of these were once worth keeping and at some point stop being so. The question every orderly room must answer is not whether a record is useful today but how long it should be kept before it is disposed of, and the wrong way to answer it is on the day, file by file, from the mood and memory of whoever happens to be clearing the shelf. Decided that way, retention is a lottery: some records are thrown out while they are still needed, others are hoarded for decades for no reason, and no two clerks decide alike. The right way to answer it is in advance and by rule, and that rule is the retention schedule.

A retention schedule is a written list that sets, for each type of record the force keeps, how long it is held and what happens to it at the end. It turns a thousand individual judgements into one policy decision made calmly and once. A service record might be retained for a defined period after a member leaves, a routine correspondence file for a shorter period after the matter closes, a strength return only until it is superseded and then briefly for reference, while a small number of records of lasting historical or constitutional value are marked for permanent preservation rather than destruction. The exact periods are set by the force's policy and are not for a clerk to invent; the clerk's job is to read the schedule, know which line covers the record in front of them, and apply it. What the schedule gives the orderly room is consistency, defensibility, and calm: every record of a given type is treated the same way, the treatment can be explained if anyone asks, and no one has to agonise over the shelf.

Underneath the schedule sits the principle that justifies every period on it, and it is the principle you fall back on when the schedule does not obviously cover a record. A record is kept for as long as there is a lawful or service need for it, and no longer. Lawful need means there is a legal reason to hold it; service need means there is a genuine force reason, that the record may still be acted on, referred to, or required to answer a question. While either need stands, the record is kept; once both are gone, the record has reached the end of its retention and is disposed of. This is exactly the storage limitation principle of data protection, that personal data is not kept indefinitely just because keeping it is easy, and it cuts both ways: it forbids throwing away a record that is still needed, and it forbids hoarding one that is not. A clerk who internalises this single test can read any retention schedule and, in its silences, reason from the principle the schedule was built on.

   RETENTION SCHEDULE  ·  decide the period in advance, by rule

   +------------------------+------------------+--------------------+
   |  TYPE OF RECORD        |  RETENTION       |  AT END OF PERIOD  |
   +------------------------+------------------+--------------------+
   |  Service record        |  Defined period  |  Secure            |
   |  (after member leaves) |  after departure |  destruction       |
   +------------------------+------------------+--------------------+
   |  Routine               |  Shorter period  |  Secure            |
   |  correspondence file   |  after matter    |  destruction       |
   |  (matter closed)       |  closes          |                    |
   +------------------------+------------------+--------------------+
   |  Strength return /     |  Until           |  Secure            |
   |  nominal roll          |  superseded,     |  destruction       |
   |  (superseded)          |  then brief ref  |                    |
   +------------------------+------------------+--------------------+
   |  Record of lasting     |  Permanent       |  PRESERVE          |
   |  historical value      |                  |  (do not destroy)  |
   +------------------------+------------------+--------------------+

   THE PRINCIPLE BEHIND EVERY LINE:
        keep a record while there is a LAWFUL or SERVICE need,
        and NO LONGER. Need gone  ->  retention ended  ->  dispose.

   (Actual periods are set by force policy, not by the clerk. The
    clerk reads the schedule, finds the right line, and applies it.)

Safe disposal: how a record holding personal data is destroyed

Reaching the end of retention is not the end of the duty; it is where the most easily neglected part of the duty begins. A record that holds personal data does not become harmless the moment the force no longer needs it. The next-of-kin details, the conduct entry, the medical category, the addresses and dates that identify a real person, all of these are exactly as sensitive on the day the record is due for disposal as they were on the day it was opened, and in some ways more dangerous, because the record is now out of mind and no one is watching it. This is why disposal of a record holding personal data is never casual binning. A file dropped in a wastepaper basket, a document left in an open recycling pile, a digital file simply moved to a deleted folder, all of these leave readable personal data in a place it can be picked up, read, copied, or reassembled. Casual disposal is not disposal; it is publication by neglect.

Safe disposal means secure destruction: the record is destroyed in a way that makes the personal data in it irrecoverable, so that no one can later read or reconstruct it. For paper, that means shredding or an equivalent that leaves nothing legible, not tearing in half and binning. For digital records, it means proper deletion or wiping that genuinely removes the data and any copies, not merely hiding the file from the everyday view while it sits intact on the disk. The standard to aim at is plain to state: after secure destruction, the personal data the record held cannot be recovered by anyone. CIS 220 teaches the technical detail of how digital data is securely destroyed and why a deleted file is often not gone at all; the principle the orderly room must hold is that disposal is finished only when recovery is impossible, and a clerk who is unsure whether a method achieves that asks before disposing, never after.

Disposal must also be accountable, which means it is recorded. It is not enough to destroy a record safely; the force must be able to show that it was destroyed, that the right record was destroyed at the right time and under the right authority, and that nothing was disposed of that should have been kept. So secure destruction is captured in a short destruction record: what was destroyed, when, by whom, and under what authority, the line of the retention schedule that called for it. This protects everyone. It protects the member, by proving their data was properly ended rather than left lying around. It protects the clerk, by showing the disposal was authorised rather than a private decision to throw something away. And it protects the force, by letting it answer what became of a record with the provable reply that it was securely destroyed on such a date under such authority. A destruction that is not recorded looks, from the outside, exactly like a record that simply went missing, and the force cannot tell the two apart any better than anyone else.

   SAFE DISPOSAL  ·  secure destruction, recorded

   END OF RETENTION (the schedule says this record's time is up)
        |
        v
   CONFIRM:  is the need really gone?  is this record marked for
        |    PRESERVATION instead?  (if so, do not destroy)
        v
   SECURELY DESTROY so the personal data CANNOT be recovered:
        |    PAPER   -> shred (or equivalent); never bin or recycle
        |    DIGITAL -> wipe / proper deletion of file and copies
        |              (a "deleted" file is often still readable)
        v
   RECORD THE DISPOSAL (the destruction record / disposal log):
             WHAT was destroyed
             WHEN  it was destroyed
             BY WHOM
             UNDER WHAT AUTHORITY (the retention-schedule line)

   NEVER:  casual binning  ·  open recycling  ·  "move to deleted"
           left as the whole of disposal. That is publication by
           neglect, not disposal.

   A recorded destruction is provable. An unrecorded one looks,
   from outside, identical to a record that simply went missing.
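
The schedule and disposal flow above can be expressed as a review routine. This is an added example, not part of the course material. The schedule line ids, the day counts (the lesson leaves periods to force policy), the file references and the function names are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed schedule. The lesson gives no periods (force policy sets them),
# so the line ids and day counts here are placeholders, not real policy.
SCHEDULE = {
    "service_record":         ("LINE-1", 7 * 365),
    "routine_correspondence": ("LINE-2", 2 * 365),
    "strength_return":        ("LINE-3", 90),
    "historical":             ("LINE-4", None),   # permanent preservation
}
METHODS = {"paper": "shredded", "digital": "wiped, file and all copies"}

@dataclass
class Record:
    ref: str
    kind: str
    medium: str                            # "paper" or "digital"
    clock_start: date                      # departure, matter closed, superseded
    live_reference: Optional[str] = None   # live matter that still cites it

@dataclass
class Decision:
    ref: str
    action: str                       # RETAIN, HOLD, PRESERVE, DESTROY, REFER
    reason: str
    authority: Optional[str] = None   # schedule line, set only for DESTROY

def review(rec: Record, today: date) -> Decision:
    """Apply the schedule line, then the lawful-or-service-need test."""
    line = SCHEDULE.get(rec.kind)
    if line is None:
        # The schedule is silent: a clerk asks before disposing, never after.
        return Decision(rec.ref, "REFER", "no schedule line covers this type")
    line_id, days = line
    if days is None:
        return Decision(rec.ref, "PRESERVE", f"{line_id}: do not destroy")
    due = rec.clock_start + timedelta(days=days)
    if today < due:
        return Decision(rec.ref, "RETAIN", f"{line_id}: period runs to {due}")
    if rec.live_reference:
        return Decision(rec.ref, "HOLD",
                        f"service need stands: cited by {rec.live_reference}")
    return Decision(rec.ref, "DESTROY", f"{line_id}: period ended {due}", line_id)

def dispose(rec, decision, by_whom, when, confirmed, log):
    """Append a destruction record only for an authorised, confirmed destruction."""
    if decision.ref != rec.ref or decision.action != "DESTROY":
        raise PermissionError(f"{rec.ref}: no authority to destroy")
    if rec.medium not in METHODS:
        raise ValueError(f"{rec.ref}: unknown medium {rec.medium!r}")
    if not confirmed:
        # Moving a file to a deleted folder is not destruction: log nothing.
        raise RuntimeError(f"{rec.ref}: destruction not confirmed irrecoverable")
    entry = {"what": f"{rec.ref} ({rec.kind})", "when": when.isoformat(),
             "by_whom": by_whom, "authority": decision.authority,
             "method": METHODS[rec.medium]}
    log.append(entry)
    return entry

# Constructed shelf for the demonstration.
SHELF = [
    Record("RC/014", "routine_correspondence", "paper", date(2020, 3, 1)),
    Record("RC/022", "routine_correspondence", "digital", date(2020, 5, 1),
           live_reference="RC/131"),
    Record("SR/307", "service_record", "digital", date(2025, 11, 1)),
    Record("HV/002", "historical", "paper", date(1990, 1, 1)),
    Record("XX/900", "visitor_book", "paper", date(2019, 1, 1)),
]

def run_review(today: date, by_whom: str):
    """Review the whole shelf; destroy and log only what the schedule authorises."""
    decisions, log = {}, []
    for rec in SHELF:
        d = review(rec, today)
        decisions[rec.ref] = d.action
        if d.action == "DESTROY":
            dispose(rec, d, by_whom, today, confirmed=True, log=log)
    return decisions, log

if __name__ == "__main__":
    actions, disposal_log = run_review(date(2026, 1, 15), "Cpl Adeyemi")
    print(actions)
    print(disposal_log)
```

The `confirmed` argument stands in for whatever check the force uses to establish that the data is irrecoverable; the routine only refuses to write a destruction record without it.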

Confidentiality and the data-protection principles

Everything in this lesson rests on one fact: the records a force keeps are mostly made of personal data, information about identified, real people, members and nationals alike, who have trusted the force with it. Confidentiality is the standing duty that flows from that trust, that personal data is seen only by those who need it for their work and is not disclosed to anyone else. But confidentiality is only one face of a larger discipline, data protection, which is the whole set of rules for handling personal data responsibly across its life. CIS 220 teaches these rules in full and in their technical form; the orderly room's job is to apply them, every day, to the files on its own shelves. The data-protection principles are not abstract law to be admired from a distance. They are a checklist a clerk can run against any handling of personal data, and if the handling fails any one of them, it is wrong, however convenient or well meant.

Run the principles in turn against the record in front of you. Lawfulness asks whether there is a proper reason to hold and use this data at all; a force holds a member's data because it must administer that member, not because it is curious. Purpose limitation asks whether the data is being used only for the reason it was collected; next-of-kin details gathered for emergencies are not for any other use. Minimisation asks whether only what is needed is held; the orderly room records a medical category, a grading of fitness for a task, not a clinical diagnosis it does not need, and it records conduct factually, not gossip, because what is not held cannot be lost or misused. Accuracy asks whether the data is right and kept right; a wrong record misleads command and harms the member, so accuracy is a duty, not a courtesy. Storage limitation asks whether the data is kept only as long as it is lawfully needed, which is the retention schedule turned into a principle: keep it while needed, then securely destroy it. Security asks whether the data is protected against loss, theft, and prying eyes, by access control, by safe storage, and by safe disposal. Hold all six and you have protected the person; let any one slip and you have not.

These principles are not separate from the rest of this course; they are the reasons behind the rules you have already met. The single source of truth in Lesson 02 serves accuracy and security at once. The registry discipline of Lesson 03, one subject per file, every file accounted for, serves security, because data that is not findable by you is not safe from others either. The retention schedule earlier in this lesson is storage limitation; the secure destruction beside it is security carried through to the very end of a record's life. When a clerk applies the data-protection principles, they are not adding a new burden on top of the work; they are naming the principle each existing discipline was built to serve, which is why the principles are worth memorising: they let you see, in any new situation the rules do not cover, what the right handling must be.

Access control: who may see a service record

If confidentiality is the duty, access control is how the duty is kept in practice, and it comes down to one plain question asked of every request to see a record: does this person need to see this, to do their duty? The test is need to know, and it is deliberately not seniority, presence, or interest. A senior rank does not gain the right to read any member's file simply by being senior; a person in the orderly room does not gain the right to read a record simply by being near it; and no one gains the right by being curious, however genuine the curiosity. Access to a service record is by entitlement, and entitlement comes from a genuine need to do a specific duty. The member whose record it is, the administrator appointed to keep it, and those in the chain of command who must act on it for a real purpose have a need; a colleague who would simply like to know does not, however ordinary the wish feels.

Working this in practice means a small, firm routine rather than a case-by-case argument each time. When a record is asked for, the holder considers who is asking and for what duty, grants access only where the need to know is genuine, and gives access to what is needed rather than to everything: a question about a member's leave balance is answered from the leave section, not by handing over the whole file. And access, like everything else in administration, is recorded, so that the registry's charge-out and access discipline can show who saw a record and why, just as the file census from Lesson 03 shows where every file is. The hardest cases are the ones dressed as helpfulness or authority, the colleague who offers to fetch a file they have no need to read, the visitor who asks for a fact about a member that is not theirs to know, the senior who expects access by rank alone. The clerk's task in each is the same: to apply the need-to-know test calmly and the same way every time, and to be willing to say, courteously, that a record cannot be shown without a genuine need, because the confidentiality the force promised its members is kept exactly at moments like these or not at all.

   ACCESS CONTROL  ·  who may see a service record?

   THE TEST IS "NEED TO KNOW", never seniority/presence/curiosity.

   +-------------------------+----------------------------------+
   |  WHO IS ASKING          |  MAY SEE?                        |
   +-------------------------+----------------------------------+
   |  The member (own        |  YES, their own record           |
   |  record)                |  (within force policy)           |
   +-------------------------+----------------------------------+
   |  Appointed administrator|  YES, to keep and maintain it    |
   |  / orderly room clerk   |  (the part needed for the task)  |
   +-------------------------+----------------------------------+
   |  Chain of command       |  YES, ONLY for a genuine duty    |
   |  acting on the member   |  and ONLY what that duty needs   |
   +-------------------------+----------------------------------+
   |  A colleague who is     |  NO. Curiosity is not a need.    |
   |  simply interested      |                                  |
   +-------------------------+----------------------------------+
   |  A senior, by rank      |  NO, not by rank alone. Need to  |
   |  alone                  |  know, not seniority, governs.   |
   +-------------------------+----------------------------------+
   |  Anyone outside, for a  |  NO, unless there is a lawful    |
   |  fact that is not theirs|  basis to disclose.              |
   +-------------------------+----------------------------------+

   GIVE only what the need requires (answer from the right section,
   do not hand over the whole file). RECORD who was given access
   and why. When in doubt, do NOT disclose; ask first.
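
The need-to-know test in the table above, written as a default-refuse check that grants only the sections a duty needs and records each decision. This is an added example, not part of the course material. The section names, duty names, member number and requester ids are constructed, and recording refusals as well as grants is the example's own choice.

```python
from dataclasses import dataclass
from typing import Optional

SECTIONS = frozenset({"personal", "next_of_kin", "leave", "conduct",
                      "medical_category"})

# Constructed for this example: each duty, who may invoke it, what it needs.
DUTIES = {
    "maintain_record":   ("administrator",    SECTIONS),
    "approve_leave":     ("chain_of_command", frozenset({"leave"})),
    "emergency_contact": ("chain_of_command", frozenset({"next_of_kin"})),
}
# Constructed appointments for one member's record.
RELATIONSHIP = {
    ("cpl.adeyemi", "M-1041"): "administrator",
    ("capt.okoro", "M-1041"): "chain_of_command",
}

@dataclass(frozen=True)
class Request:
    requester: str
    subject: str                        # member whose record is asked for
    sections: frozenset                 # what the requester asked to see
    duty: Optional[str] = None          # the duty the access is for
    rank: str = ""                      # carried, deliberately never consulted
    lawful_basis: Optional[str] = None  # claimed basis for outside disclosure

def decide(req: Request):
    """Return (granted_sections, reason); anything not entitled is refused."""
    asked = req.sections & SECTIONS
    if req.requester == req.subject:
        return asked, "own record"
    relationship = RELATIONSHIP.get((req.requester, req.subject))
    role, need = DUTIES.get(req.duty, (None, frozenset()))
    if relationship is not None and relationship == role:
        granted = asked & need          # only what the duty needs
        if granted:
            return granted, f"need to know: {req.duty}"
        return frozenset(), f"{req.duty} does not need the sections asked for"
    if relationship is None and req.lawful_basis:
        # When in doubt, do not disclose; ask first.
        return frozenset(), "referred: lawful basis must be confirmed first"
    return frozenset(), "no need to know"

def handle(req: Request, access_log: list):
    """Decide, then record who asked, what was given, and why."""
    granted, reason = decide(req)
    # Recording refusals as well as grants is this example's choice.
    access_log.append({"who": req.requester, "record": req.subject,
                       "granted": sorted(granted), "reason": reason})
    return granted

def demo():
    """Run constructed requests and return the resulting access log."""
    log = []
    whole_file = SECTIONS
    handle(Request("capt.okoro", "M-1041", whole_file, "approve_leave"), log)
    handle(Request("col.senior", "M-1041", whole_file, rank="colonel"), log)
    handle(Request("pte.friend", "M-1041", frozenset({"conduct"})), log)
    handle(Request("M-1041", "M-1041", frozenset({"leave", "personal"})), log)
    handle(Request("outside.agency", "M-1041", frozenset({"personal"}),
                   lawful_basis="claimed in writing"), log)
    return log

if __name__ == "__main__":
    for entry in demo():
        print(entry)
```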

In Practice: An administrator reviews the shelf against the schedule

Corporal Adeyemi is the orderly-room administrator, and one of her standing duties is the periodic review of files against the retention schedule, a calm, scheduled task rather than a panic when the shelves are full. She works through the files due for review one at a time, and for each she does the same three things. She finds the line of the retention schedule that covers the record, she asks whether there is still a lawful or service need to keep it, and she decides, on the schedule and the need, whether the record is retained further, destroyed, or, in the rare case, preserved. Most are easy: a routine correspondence file whose matter closed long ago and whose retention period has run is due for disposal; a service record of a member who left only recently is still well within its retention and stays. One file gives her pause, a closed matter that the schedule would dispose of but which she can see is referred to by a live matter elsewhere, so she judges that a service need still stands and holds it, noting why, because the principle, not the bare period, is what governs in the gaps.

For the files genuinely at the end of their retention, Adeyemi does not bin them. She takes the paper to be securely destroyed by shredding, and for the digital records she ensures they are properly wiped rather than merely sent to a deleted folder, because she knows from CIS 220 that a deleted file is often still readable. As each record is destroyed she completes the destruction record: what it was, the date, that she carried it out, and the line of the retention schedule that authorised it. The disposal is now provable; if anyone ever asks what became of that file, the force can answer truthfully that it was securely destroyed on that date under that authority, and not be left unable to tell a proper disposal from a loss.

While she works, a colleague drops by, sees her handling files, and asks, half in passing, whether a particular member, a mutual acquaintance, "got that promotion in the end". Adeyemi does not answer from the file. The colleague has no duty that needs the answer; curiosity is not a need to know, however friendly. She says, courteously, that she cannot discuss the contents of a member's record, and the colleague, who knows the rule too, does not press. It is a small moment and an easy one to wave through, and that is exactly why it matters: the confidentiality the force promised its members is kept or broken in moments precisely this ordinary. Adeyemi protects the data not by suspicion but by routine, the same need-to-know test applied every time, so that the member whose record it is can trust the orderly room with it whether or not they ever know the question was asked.

Check Your Understanding

  1. Explain what a retention schedule is and why retention is decided in advance by rule rather than file by file on the day. Then state the single principle that justifies every period on a schedule (keeping a record while there is a lawful or service need and no longer), and explain how that principle both forbids throwing away a record that is still needed and forbids hoarding one that is not.

  2. A record holding personal data has reached the end of its retention. Describe what secure destruction means for paper and for a digital record, explain why casual binning, open recycling, or merely moving a file to a deleted folder is never acceptable disposal, and explain why the destruction must be recorded and what the destruction record protects against.

  3. State the data-protection principles and, for any three of them, give a concrete example of applying that principle to the personal data a force holds about a member. Then explain the need-to-know test for access to a service record, and say why a senior rank, a person who is simply present in the orderly room, and a curious colleague each do not, by that fact alone, have a right to see a member's record.

Reflection (write a short paragraph): Think about a piece of your own personal data that someone else holds, your contact details, a record of something you applied for, a note about your health, and how you would want it handled: who should be able to see it, how long it should be kept, and how it should be got rid of when it is no longer needed. Now turn that around to the records you will keep for the force. Which of the duties in this lesson, holding only what is needed, controlling who may see it, keeping it accurate, disposing of it safely, do you think you would be most tempted to let slide on a busy day, and what specific habit could you build now so that the members and nationals whose data it is can trust you with it the way you would want to be trusted?

Summary

  • A retention schedule sets, in advance and by rule, how long each type of record is kept and what happens at the end, so retention is one calm policy decision rather than a thousand guesses on the shelf; the clerk reads the schedule and applies it, and the periods are set by force policy, not invented.
  • The principle behind every retention period is that a record is kept while there is a lawful or service need and no longer; this is the storage-limitation principle of data protection, and it cuts both ways, forbidding both the disposal of a record still needed and the hoarding of one that is not.
  • Safe disposal is secure destruction, paper shredded, digital records properly wiped, so that the personal data cannot be recovered; a record holding personal data is never casually binned, recycled, or merely "deleted", because that is publication by neglect, and the destruction is recorded (what, when, by whom, under what authority) so disposal is provable and cannot be mistaken for a loss.
  • Confidentiality and data protection mean holding only what is needed, controlling who may see it, keeping it accurate, retaining it only as long as it is lawful, and disposing of it safely; the data-protection principles, lawfulness, purpose limitation, minimisation, accuracy, storage limitation, and security, are a checklist to run against any handling of personal data, and naming them shows that the disciplines from earlier lessons exist to serve them.
  • Access control answers who may see a service record by the need-to-know test, by genuine need to do a duty, never by seniority, presence, or curiosity; access is granted to what is needed rather than the whole file, and recorded, so confidentiality is kept in exactly the ordinary moments where it is most easily waved through.
  • Builds on Lesson 01 · The Orderly Room and Why Administration Matters, Lesson 02 · The Service Record (closing and retaining a record), and Lesson 03 · The Registry and the Registered File (the file discipline that keeps data secure and accounted for). Leads into Lesson 05 · Routine Orders and Recording Personnel Events. Connects to CIS 220 · Identity, Access, and Records Security (records and data security, secure destruction, and the data-protection principles in full), ADM 210 · Personnel Administration (the personal data gathered in joining and leaving), and LDR 420 · Command Responsibility and Ethical Leadership (the integrity and duty of care on which trusted, well-handled records rest).

Crown Copyright © 2026 | Published by Authority of H.R.H. The Prince of Kaharagia

Lesson 4 · Knowledge Check

Question 1 of 3

What does a retention schedule do?