1051 NW 14th St., Suite 165
(UM mail routing R-26)
Miami, FL 33136

Receptionist: 305-243-6475
Hours: 830am - 500pm, M-F

Help Desk: 305-243-5999
Hours: 24/7

General fax: 305-243-6417
Admin. fax: 305-243-2622

Rust (1963). Electron micrograph of an oxide scale, sometimes called rust, on a single crystal of iron. Source: General Motors and National Museum of American History.

Related content

Data retention classification

Objective • To classify data as to retention period in order to assure appropriate storage measures throughout the data lifecycle of organizational information.

Applicability • Data retention classification should occur for all significant information collections of the organization.

Retention criteria • Retention classification should be based should be based on confidentiality, integrity and availability dimensions of the data relevant to all stakeholders, particularly those related to availability. This could include consideration of:

external legal-regulatory-certificatory and contractual requirements for data retention;
operational and other internal information requirements of the organization that condition retention; and
any other risks or benefits associated with data retention considered relevant by the organization.

Retention classification level • Data should normally be assigned a retention classification that reflects the most restrictive (longest duration) requirement for which it qualifies on any criterion. Exceptions to this rule should be noted and explained.

Mixed collections of data • Where multiple types of data are stored in a single collection, the collection should normally be assigned a retention classification that reflects the most restrictive (longest duration) requirement for any constituent type. Exceptions to this rule should be noted and explained.

Retention "freezes" • Procedures should exist to suspend or extend the normal retention cycle for all or part of a data collection when necessary and appropriate. Circumstances triggering a freeze could include:

a cause of legal action, pending or underway;
an audit, pending or underway;
legal-regulatory-certificatory retention requirement changed; or
internal organizational retention requirement changed.

Retention classification responsibilities • Data owners/stewards should provide a data retention assessment based on their understanding of the applicable classification criteria. Data owners/stewards may request -- or the organization may require -- an independent assessment of data retention classification.

Retention classification review • Data owners/stewards should review the accuracy and adequacy of data retention classifications at appropriate intervals. The organization may also require independent reviews.

Documentation and historical record • Documentation for data collections and systems should include current retention classification and, where relevant, past sensitivity classifications and the reason(s) for changes.