data retention policy

Contributor(s): Brien Posey and Andrew Burton

A data retention policy, or records retention policy, is an organization's established protocol for retaining information for operational or regulatory compliance needs.

When writing a data retention policy, you need to determine how to:

  • Organize information so it can be searched and accessed at a later date
  • Dispose of information that is no longer needed

Some organizations find it helpful to use a data retention policy template that provides a framework to follow when crafting the policy.

Regulatory compliance

A data retention policy must consider the value of data over time and the data retention laws an organization may be subject to. In 2006, the U.S. Supreme Court recognized that it is not financially possible to retain all information indefinitely. However, organizations must demonstrate that they only delete data that is not subject to specific regulatory requirements and use a repeatable and predictable process to do so. This means various types of information are held for different lengths of time. For example, a hospital's retention period for employee email would be different from that of its patient records.


While it is common for an organization to establish its own data retention requirements, there are certain data retention laws that must be adhered to. This is especially true for organizations operating within regulated industries. For example, publicly traded companies within the U.S. must establish a Sarbanes-Oxley Act (SOX) data retention policy. Similarly, healthcare organizations are subject to Health Insurance Portability and Accountability Act (HIPAA) data retention requirements, and organizations that accept credit cards must adhere to a Payment Card Industry Data Security Standard (PCI DSS) data retention and disposal policy.

Simply retaining data is not enough. Federal laws commonly require organizations in regulated industries to create a documented data

Proper data disposal

When a protected record's age exceeds that of the applicable data retention policy, the record needs to be disposed of properly. Organizations are not required by law to dispose of old data, but it is often in their best interest to do so since old email messages, documents and database records could be subpoenaed in the event of litigation.

Many organizations use an automated system, typically a dedicated archive software product, to securely delete data that no longer falls within the required data retention period. Automation ensures data will be disposed of in the proper time frame without manual intervention. Some organizations may use their backup software's archiving functionality to automate data disposal.
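The repeatable, automated disposal process described above, as an added illustration in Python (this is not code from the article or from any archive or backup product): it applies a per-class retention schedule to constructed sample records, refuses to act on a record class that has no defined period rather than guessing one, keeps records flagged with an assumed hold marker, and writes an audit line for every decision so the process can be shown to be predictable. The record classes, retention periods, record IDs, dates and the hold flag are all constructed for the example.

```python
"""
Retention-schedule evaluator (added illustration; not part of the original
article nor any vendor's archive product).

Assumptions (all constructed for this example): the record classes, their
retention periods, the sample records and the 'hold' flag are hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule: record class -> retention period in days.
# Mirrors the article's point that different record types are held for
# different lengths of time (e.g. employee email vs. patient records).
RETENTION_SCHEDULE = {
    "employee_email": 365 * 2,   # assumed: 2 years
    "patient_record": 365 * 10,  # assumed: 10 years
}


@dataclass(frozen=True)
class Record:
    record_id: str
    record_class: str
    created: date
    hold: bool = False  # assumed flag: record is on hold; never auto-dispose


def disposition_date(record: Record) -> date:
    """Earliest date on which the record may be disposed of under the schedule."""
    try:
        days = RETENTION_SCHEDULE[record.record_class]
    except KeyError:
        # Unknown class: refuse to compute rather than guess a period.
        raise ValueError(f"no retention period defined for class {record.record_class!r}")
    return record.created + timedelta(days=days)


def evaluate(records, today: date):
    """Split records into (to_dispose, retained) and return an audit log of every decision."""
    to_dispose, retained, audit = [], [], []
    for r in records:
        due = disposition_date(r)
        if r.hold:
            decision = "RETAIN (hold)"
        elif today >= due:
            decision = "DISPOSE"
        else:
            decision = "RETAIN"
        audit.append(
            f"{today.isoformat()} {r.record_id} class={r.record_class} "
            f"created={r.created.isoformat()} eligible={due.isoformat()} decision={decision}"
        )
        (to_dispose if decision == "DISPOSE" else retained).append(r)
    return to_dispose, retained, audit


# Constructed sample records (IDs and dates are invented).
SAMPLE_RECORDS = [
    Record("MSG-001", "employee_email", date(2012, 3, 1)),
    Record("MSG-002", "employee_email", date(2015, 6, 15)),
    Record("PAT-100", "patient_record", date(2004, 1, 10)),
    Record("PAT-101", "patient_record", date(2010, 9, 30)),
    Record("MSG-003", "employee_email", date(2011, 1, 1), hold=True),
]


def run_sample(today: date = date(2015, 9, 1)):
    """Evaluate the constructed records as of a fixed date; returns (dispose_ids, retain_ids, audit)."""
    to_dispose, retained, audit = evaluate(SAMPLE_RECORDS, today)
    return [r.record_id for r in to_dispose], [r.record_id for r in retained], audit


if __name__ == "__main__":
    dispose, keep, log = run_sample()
    print("dispose:", dispose)
    print("retain:", keep)
    print("\n".join(log))
```

Running the sample as of the fixed date disposes of MSG-001 and PAT-100, retains the rest, and emits one audit line per record; in a real deployment the audit log, not the deletion itself, is what demonstrates to an auditor that only out-of-period, non-held records were removed.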

This was last updated in September 2015
