Data Retention: Policies and Best Practices

Data retention covers how an organization collects, stores, and manages data, and for how long it keeps it. The policies, rules, and laws that bind businesses, organizations, and governments specify how and for how long data must be preserved. Retention programs are driven by regulatory requirements, disaster recovery needs, and the need to feed analytics tools.

Requirements for data retention fall into four categories.

  • Government regulations, such as those issued by the FTC and IRS, and statutory privacy regimes such as the EU's GDPR and California's CCPA
  • International standards, such as ISO/IEC 27040, ISO 9001, ISO 17068:2017, and ISO/IEC 27001
  • Industry standards, such as PCI DSS
  • Internal rules, such as version control and employee record retention

American Requirements on Data Retention

In the U.S. there is no single law governing data retention; requirements are spread across a number of federal and state statutes. The Federal Trade Commission Act, under which the FTC polices unfair or deceptive data practices, is the closest thing to a general federal privacy law, but it does not itself prescribe retention periods; those come from sector-specific statutes and from the obligations the FTC imposes in individual enforcement orders.

The following other U.S. laws mandate the keeping of some data:

  • Fair Labor Standards Act (FLSA)
  • Financial Privacy Act
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Federal Information Security Management Act (FISMA)

Data preservation by service providers is governed by the Stored Communications Act, 18 U.S.C. § 2703(f), the provision often cited as the Electronic Communication Transactional Records Act. It does not impose blanket retention: a provider must preserve the specified records for 90 days "upon the request of a governmental entity," pending a court order or other legal process, and the period is extended by a further 90 days on a renewed request. In practice this means a provider needs a way to place a hold on particular records so they survive its normal deletion schedule.

Industry Rules for Data Retention

In addition to these governmental obligations, a number of industry-specific regimes impose their own data retention requirements, including the following.

Federal Information Security Management Act (FISMA). FISMA applies to federal agencies and their contractors and mandates retention of security-related records for a minimum of three years.

North American Electric Reliability Corporation (NERC). Owners, operators, and users of the bulk power system must comply with the NERC Reliability Standards, which are enforced through approved regional delegation agreements. These entities must retain evidence demonstrating compliance for the compliance period defined in each standard, typically three to six years.

Basel III, the international regulatory framework for banks. Under Basel III's data retention provisions, banks must keep a data history going back three to seven years.

Sarbanes-Oxley Act (SOX). To comply with SOX's record retention rules, the relevant audit and review workpapers must be kept for seven years after the audit or review of the financial statements is completed.

Health Insurance Portability and Accountability Act (HIPAA). HIPAA's retention obligations apply to health plans, healthcare clearinghouses, and healthcare providers that transmit protected health information (PHI) electronically. They must keep the documentation HIPAA requires (policies, procedures, and records of required actions and assessments) for at least six years from its creation or from the date it was last in effect, whichever is later. Retention periods for the medical records themselves are set by state law rather than by HIPAA.

National Industrial Security Program Operating Manual (NISPOM). All contractors that produce or handle classified material must follow NISPOM's retention rules. Under NISPOM, classified material received or generated under a contract may be retained for two years after the contract is completed unless the government contracting activity instructs otherwise; keeping it longer requires written retention authority from that activity.

Payment Card Industry Data Security Standard (PCI DSS). PCI DSS applies to every business that stores, processes, or transmits cardholder data. Rather than a single retention period, it requires a documented data retention and disposal policy that limits stored cardholder data to the amount and time the business, legal, or regulatory need actually requires, together with a process for securely deleting data once that period has passed; sensitive authentication data may not be retained after authorization at all, whether in databases, log files, or email. Audit log history must be kept for at least one year, with at least three months immediately available for analysis. The organization sets the policy itself, but it must be able to produce the policy, and evidence that it is enforced, for its annual assessment.
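The retention-and-disposal process PCI DSS asks for is easy to describe and easy to get wrong in practice, so here is an added example, not code from the original page or from JENLOR, of one way to enforce it over a directory of dated log files in Python. It assumes the PCI DSS Requirement 10 figures of one year retained and three months online, a hypothetical legal-hold list that exempts named files from deletion (modelling a preservation request of the kind described above), and constructed sample files with back-dated timestamps; the file names, the policy object, and the temp-directory demo are illustrative.

```python
"""Added example: plan-then-apply enforcement of a log retention policy.

Not code from the original page. Policy figures assumed from PCI DSS
Requirement 10 (audit logs kept 1 year, 3 months immediately available);
file names and sample data are constructed for the demo.
"""
from __future__ import annotations

import os
import shutil
import tempfile
import time
from dataclasses import dataclass, field, replace
from pathlib import Path

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class RetentionPolicy:
    online_days: int                      # must stay on the live system for analysis
    retain_days: int                      # must exist somewhere (live or archive)
    holds: frozenset[str] = frozenset()   # names under legal hold: never deleted


# Assumed from PCI DSS Requirement 10: one year kept, three months immediately available.
PCI_LOG_POLICY = RetentionPolicy(online_days=90, retain_days=365)


@dataclass
class RetentionPlan:
    keep: list[str] = field(default_factory=list)     # young enough to stay online
    archive: list[str] = field(default_factory=list)  # move to cold storage
    delete: list[str] = field(default_factory=list)   # past the retention period
    held: list[str] = field(default_factory=list)     # exempt from deletion


def plan_retention(root: Path, policy: RetentionPolicy, now: float | None = None) -> RetentionPlan:
    """Classify every regular file directly under root by modification time.
    Pure decision logic: nothing is moved or deleted, so the plan can be
    reviewed or logged as assessment evidence before apply_plan runs."""
    now = time.time() if now is None else now
    plan = RetentionPlan()
    for path in sorted(p for p in root.iterdir() if p.is_file()):
        age_days = (now - path.stat().st_mtime) / SECONDS_PER_DAY
        if path.name in policy.holds:          # hold check comes before any age test
            plan.held.append(path.name)
        elif age_days > policy.retain_days:
            plan.delete.append(path.name)
        elif age_days > policy.online_days:
            plan.archive.append(path.name)
        else:
            plan.keep.append(path.name)
    return plan


def apply_plan(root: Path, archive_dir: Path, plan: RetentionPlan, dry_run: bool = True) -> list[str]:
    """Execute a plan and return the actions as audit-trail lines.
    With dry_run=True nothing on disk changes; held and kept files are never touched."""
    actions: list[str] = []
    for name in plan.held:
        actions.append(f"HOLD    {name} (kept regardless of age)")
    for name in plan.archive:
        actions.append(f"ARCHIVE {name} -> {archive_dir / name}")
        if not dry_run:
            archive_dir.mkdir(parents=True, exist_ok=True)
            shutil.move(str(root / name), str(archive_dir / name))
    for name in plan.delete:
        actions.append(f"DELETE  {name}")
        if not dry_run:
            (root / name).unlink()
    return actions


def build_sample_logs(root: Path, now: float) -> None:
    """Constructed sample data: four log files whose mtimes are set back by N days."""
    ages = {"auth-30d.log": 30, "auth-120d.log": 120,
            "auth-400d.log": 400, "auth-500d-held.log": 500}
    for name, age_days in ages.items():
        path = root / name
        path.write_text(f"constructed sample log: {name}\n")
        stamp = now - age_days * SECONDS_PER_DAY
        os.utime(path, (stamp, stamp))


def demo(dry_run: bool = True) -> tuple[RetentionPlan, list[str], list[str]]:
    """Run the PCI log policy, plus one hypothetical hold, over the sample in a temp dir.
    Returns the plan, the action lines, and the file names left in the live directory."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "logs"
        root.mkdir()
        build_sample_logs(root, now)
        policy = replace(PCI_LOG_POLICY, holds=frozenset({"auth-500d-held.log"}))
        plan = plan_retention(root, policy, now)
        actions = apply_plan(root, Path(tmp) / "archive", plan, dry_run=dry_run)
        remaining = sorted(p.name for p in root.iterdir())
        return plan, actions, remaining


if __name__ == "__main__":
    plan, actions, remaining = demo()
    print(plan)
    print("\n".join(actions))
    print("still live:", remaining)
```

Plan first, apply second: plan_retention only classifies, so the plan can be written to the audit log as evidence for the assessor before anything is moved or deleted, and the hold list is checked before the age test so a held file is never purged by accident. Pass dry_run=False to demo (or to apply_plan in real use) to actually archive and delete.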

If you have any questions on data retention policies and best practices, contact JENLOR today for more information!