Data Retention Standards by Funder/Organization
These are the general retention standards of the major funders and regulators, but an individual grant, award, or publication may carry its own, stricter requirements. Always check for specific additional requirements before deciding on a data management plan.
National Science Foundation (NSF) – 3 Years
NSF requires grantees to retain all grant records for a minimum of three (3) years after submission of all required final reports.
National Institutes of Health (NIH) – 3 Years
NIH grant recipients generally must retain financial and programmatic records, supporting documents, statistical records, and all other records required by the terms of a grant, or that may reasonably be considered pertinent to it, for 3 years from the date the annual Federal Financial Report (FFR) is submitted.
National Endowment for the Humanities – 3 Years
Financial records, supporting documentation, statistical records, and all other records pertinent to the NEH award must be retained for three years from the final FFR's submission date.
FISMA (Federal Information Security Management Act) Data Retention Requirements – 3 Years
Archiving practices are an important part of FISMA compliance. FISMA itself does not name a fixed period; the minimum of three years cited here is the retention commonly applied to the security records that demonstrate compliance.
ISO 27001 does not prescribe a fixed log retention period. It requires the organization to define, document, and apply its own retention policy for logs as part of its information security management system; three years is a commonly adopted baseline, not a requirement of the standard.
In 2011, the Compliance Monitoring and Enforcement Program (CMEP) clarified the North American Electric Reliability Corporation (NERC) Rules of Procedure on data retention. Entities must keep the data needed to demonstrate compliance with NERC Reliability Standards for an entire compliance verification period, which means retaining the current, in-force version of each policy, plan, procedure, or other document for the full three- to six-year audit period.
The Basel II Capital Accord requires banks to maintain business continuity and disaster recovery plans, and it requires them to retain 3 to 7 years of data history.
The Sarbanes-Oxley Act of 2002 (SOX), through the SEC implementing rule adopted in 2003, requires auditors to retain relevant audit and review workpapers and documents for seven years after the audit or review of the financial statements is concluded.
The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to keep HIPAA-related documentation for at least 6 years from the date it was created or, for policies, 6 years from the date it was last in effect, whichever is later. This applies to "policies and procedures implemented to comply [with HIPAA]" and to "records of any action, activity or assessment" (45 CFR §164.316(b)(1) and (2)), and is generally read to include HIPAA audit logs.
The Privacy Rule does not stipulate how long medical records themselves must be retained. Covered entities and business associates (BAs) must follow the state laws governing retention of medical records.
According to the National Industrial Security Program Operating Manual (NISPOM), contractors must return or dispose of classified material upon contract completion unless it has been declassified or retention is authorized. Classified material received or generated under a contract may be retained for at most 2 years after completion unless the government directs otherwise, and classified information that is no longer needed must be processed for disposal.
Organizations subject to the Payment Card Industry Data Security Standard (PCI DSS) set their own retention period for cardholder data in a corporate data retention and disposal policy, but the standard itself fixes a minimum for audit logs: at least 12 months of history, with at least the most recent 3 months immediately available for analysis. They must also validate compliance annually, by a Report on Compliance or Self-Assessment Questionnaire depending on merchant level.
NIST outlines the fundamental security requirements (for example, SP 800-53 control AU-11 calls for an organization-defined audit record retention period) but does not specify a duration itself. Contractors should therefore follow the retention periods dictated by their respective agencies as the governing requirement.