Data retention: How long is long enough?

Data retention requirements depend on the type of data and the purposes for which it is used.  Unfortunately, there are thousands of possible requirements that can apply given those two factors.

Type and purpose condition the "external" constraints deriving from federal and state legal-regulatory requirements, from the standards of private certificatory bodies (e.g., JCAHO), and from contractual obligations to other parties with which/whom the organization has agreements.

Fiscal factors, such as tax laws and general auditing requirements, also condition data retention.  (This is particularly true for publicly-traded companies subject to Sarb-Ox.)  Public and private grantor agencies may set retention requirements for data related to projects they fund. 

Last but by no means least, operational and other purely "internal" information needs of the organization affect retention requirements.  All the risks or benefits considered relevant by the organization's stakeholders go into defining these internal standards.

In other words, it's complex, and this page can only summarize.  If you have questions about the particular data retention requirements that apply to information under your control, contact your organization's designated legal counsel.  If you're not sure whom to approach at UM, contact the Office of the General Counsel.

Retention minimums vs. maximums

External data retention requirements are usually set as minimums.  Organizations may in most circumstances elect longer periods at their discretion, weighing their particular internal needs and cost-benefit parameters.  As data storage gets ever cheaper, and retrieval systems more capable, the cost of going beyond the minimums falls.

Under what circumstances might there be maximums?  Typically maximums are set by external requirements when the confidentiality interests of the data subject dominate availability interests (the classic example is destruction of juveniles' criminal records when they reach majority).  

From an organization's "internal" perspective, the modal reason for maximums is usually cost -- viz., balancing ongoing storage and security costs against the benefits of a more comprehensive "archive."  However organizations, like individuals, may also have confidentiality interests that motivate maximum retention periods.

Record types and record series

Organizations should develop a retention schedule that defines record types and sets minimum retention periods for records series of each type.  (Where appropriate, these schedules should also set maximums.) 

How are such categories derived?  "Types" are driven by internal functional distinctions and by the categories used in applicable external requirements.  This means a data owner must understand both.  If not, the data owner must find someone who does have that understanding.

A records "series" is a collection of one or more types, on some kind of storage media.   Formally (to use Florida's definition) a series is:

"... a group of related documents arranged under a single filing arrangement and kept together as a unit because they consist of the same form, relate to the same subject, result from the same activity, or have certain common characteristics." (Florida Administrative Code, Rule 1B-24)

If two or more types of records are filed together, the combined collection is usually subject to the most restrictive rule applying to the various constituent types.  Exceptions to this principle should be noted and explained by the data collection owner.

While a retention schedule sets requirements for each data type generally, that can be over-ridden for specific records within a series -- e.g., pending litigation or audits usually "stop the clock" to assure that data remains available until proceedings are completed.   

"Originals" and copies

In a world filled with computer printers, fax machines, photocopiers and scanners, the notion of an "original" is somewhat slippery.   It is more common to refer to the "authoritative" or "master" copy of a record that is designated as the official data source.

Electronic systems that store master copies of information must generally meet security standards to assure records integrity and authenticity (e.g., digital signatures and hashing algorithms).   More on that below.

Control of access to the master copies, by both physical and technical security, is critical if a record series contains confidential information.  Access control is also fundamental to assuring data authenticity and integrity.

Any backup copies of the series must also be protected.  But note that backup copies have no independent retention schedule.  Their retention requirement is the same as the master copies for which they serve as an emergency source in the event the master is compromised.

What about email, IM, voicemail and other modern contrivances?  Strictly speaking, these are media for information not types of information, and their retention is contingent on the type of information these media are considered to contain.

Mixes of media types

Put differently, it's the content and not the container that counts for most externally imposed retention requirements.  The same retention schedules usually apply regardless of whether the information is on paper or in some kind of electronic format.

Electronic copies of records originally on paper may be acceptable as a substitute, provided, as noted above, that  there are technical means to assure that the electronic version is an unadulterated copy.  In some circumstances, however, retention of the original paper may be required as an authoritative source.

Conversely, printouts of electronic files may be considered acceptable substitutes -- e.g., in response to a discovery request for litigation.  At other times, an electronic transfer may be required, to make searching and retrieving the desired material practical.  

Does the media ever matter?   Media often conditions internal requirements, beyond the minimums set by external constraints, since it can substantially affect the economics of long-term storage (and the possibilities for successful retrieval from that storage when needed).

Data owners' responsibilities

It is up to data collection owners within an organization to assure that appropriate retention classification and scheduling occurs for all the data for which they are responsible.  They should also assure that procedures are in place to "freeze" or extend data destruction cycles when required.

To assure appropriate protections during a data series' lifecycle, collection owners must also attend to security classification based on data sensitivity.  And they must assure that the records systems used for that data meet appropriate standards.

What standards apply to records systems?  The US Department of Defense 5015.2-STD has become the de facto standard for records media and records management systems (RMS, also known as Records Management Applications or RMAs).  Many vendors offer a "5015.2 certified" version of their RMSs/RMAs.

Florida Administrative Code Chapter 1B-26.003 also provides an example of a standard, applicable to the records of the state's public agencies but useful as a standard for non-public organizations too.  If you're not in the Sunshine State, find out what standards apply in your jurisdiction.

Learn more

General Records Schedule for State and Local Government Agencies (Florida Dept of State) [PDF]
Although oriented toward public agencies, includes data on legal requirements relevant to private organizations