Data Management & Retention Best Practices: Data Retention Standards

This guide provides information for users on best practices for data retention and curation.

Agency Retention Standards

Data Retention Standards by Funder/Organization 

While these are a guide to the general standards of the major organizations, each organization can require specific grants and publications to meet different retention standards. Always check for additional, grant-specific requirements before making decisions on a data management plan.

National Science Foundation (NSF) – 3 Years 

NSF states that all grants should maintain their records for a minimum of three (3) years after submission of all required reports. 

National Institutes of Health (NIH) – 3 Years

NIH grant recipients generally must retain financial and programmatic records, supporting documents, statistical records, and all other records that are required by the terms of a grant, or that may reasonably be considered pertinent to a grant, for a period of 3 years from the date the annual FFR is submitted.

National Endowment for the Humanities – 3 Years 

Financial records, supporting documentation, statistical records, and all other records pertinent to the NEH award must be retained for three years from the final FFR's submission date.

FISMA (Federal Information Security Management Act) Data Retention Requirements – 3 Years 

Archiving practices are an important measure in fully complying with FISMA regulations, which require data retention for a minimum of three years.

ISO 27001 Data Retention Requirements – 3 years

The ISO 27001 compliance framework requires organizations to retain data logs for at least three years. 

NERC Data Retention Requirements – 3 to 6 Years  

In 2011, the Compliance Monitoring and Enforcement Program (CMEP) clarified the National Energy Commission (NERC) Rules of Procedure related to data retention requirements. It instructs entities to keep the data needed to demonstrate compliance with NERC Reliability Standards for an entire compliance verification period. This means that they must retain the current, in-force version of a policy, plan, procedure, or other document for the entire three- to six-year auditing period.

Basel II Data Retention Requirements – 3 to 7 Years 

The Basel II Capital Accord requires banks to have Business Continuity and Disaster Recovery plans. It also requires them to retain 3 to 7 years of data history.

SOX Retention Requirements – 7 Years 

The Sarbanes-Oxley Act of 2002 (SOX) was modified in 2003 to require relevant auditing and review documents to be retained for seven years after the audit or review of the financial statements is concluded.

HIPAA Data Retention Requirements – 6 Years  

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to keep HIPAA-related documents for at least 6 years from when the document was created. In the case of policies, the requirement is six years from the date the policy was last in effect. This applies to "policies and procedures implemented to comply [with HIPAA] and records of any action, activity or assessment" (CFR §164.316(b)(1) and (2)), and includes HIPAA audit logs.

The Privacy Rule does not specifically stipulate how long medical records should be retained. Covered entities and business associates (BAs) must refer to the state laws governing the retention of medical records.

NISPOM Data Retention Requirements – 6 to 12 Months 

According to the National Industrial Security Program Operating Manual (NISPOM), contractors should return data upon contract completion unless the material has been declassified. At most, classified material received or generated under a contract can be retained for 2 years unless directed otherwise. Classified information that is no longer needed should be processed for disposal.

PCI Data Retention Requirements – Variable 

Organizations that fall under the Payment Card Industry Data Security Standard (PCI-DSS) are allowed to set their own retention requirements at the corporate level, but are also required to submit annual statements for audit.

National Institute of Standards and Technology (NIST) Data Retention Requirements – Undefined

While NIST outlines fundamental security requirements, it does not directly specify how long logs must be retained. As a result, contractors are advised to follow the retention requirements dictated by their respective agencies as a best practice.