Data retention — OMNIA Inclusion

# OMNIA — Data Retention Schedule **Version:** 1.0 **Last reviewed:** 2026-05-10 OMNIA enforces these retention windows automatically via a daily retention sweep (`/api/public/hooks/retention-sweep`, scheduled by pg_cron at 02:00 UTC). A summary row is written to `system_audit_logs` after every run. | Data | Retention | Trigger | Rationale | |---|---|---|---| | Pupil record (`students`) | While on roll + 7 years after leaving | Manual erasure or DSAR | KHDA / Ofsted SEND record-keeping guidance | | Inclusion plans (`plans`) | Same as pupil record | Cascade with pupil | Statutory SEND record | | PEEPs (`peeps`) | Same as pupil record | Cascade with pupil | Health & safety record | | Referrals (`referrals`) | Same as pupil record | Cascade with pupil | Safeguarding audit | | Parent voice — pending (`parent_voice_requests`) | 30 days from creation | Token expiry | Limit attack surface | | Parent voice — submitted / expired / revoked | 365 days | Daily sweep | Long enough to merge into next plan cycle | | Plan share-link views (`plan_share_views`) | 180 days | Daily sweep | Audit window for "who saw what" | | Plan share links (`plan_share_links`) | While not revoked + linked to pupil retention | Manual / cascade | Allows re-issue | | Audit log (`audit_logs`) | 730 days | Daily sweep | KHDA inspection cycle (2 yrs) | | System audit log (`system_audit_logs`) | Indefinite | — | Tamper-evident operational log | | Pupil photos (Storage) | Same as pupil record | Cascade with pupil | — | | Discovered SharePoint files (`pupil_discovered_files`) | While pupil on roll | Cascade with pupil | Index only — original lives in SharePoint | ## Right to erasure Erasure on parent / pupil request is performed via the **Erase pupil record** admin action on the pupil page. This bypasses the schedule above and removes the data immediately, leaving an audit trail row containing the reason. ## Retention sweep details Implemented in `src/routes/api/public/hooks/retention-sweep.ts`. The endpoint is gated by the project's publishable key in the `apikey` header. The pg_cron job is registered separately via the Supabase data tools.