14.6 Policy on retention of data and related information#
A data retention policy is part of an NSO’s overall data management strategy. A comprehensive data retention policy outlines the business reasons for retaining specific data as well as what to do with it when targeted for disposal.
A data retention policy, or records retention policy, is an organization’s established protocol for retaining information for operational or regulatory compliance needs.
A data retention policy should treat archived data differently from backup data. Archived data is no longer actively used by the NSO but still needed for long-term retention. An NSO may need data shifted to archives for future reference or for compliance. An NSO’s backup data can help it recover in the event of data loss. A backup policy is important to make sure the NSO has the right data and that the right amount of data is backed up. Too little data backed up means that any recovery needed after a data loss will not be as comprehensive as needed, while too much can be difficult to manage. Achieving a balance between these conflicting requirements is the objective underlying a data retention policy.
The policy should cover all technologies that are used to obtain data and cover a variety of formats such as paper forms, Computer Assisted Telephone Interview (CATI) records, Computer Assisted Interview (CAI) records, electronic administrative data, data streams, scanned images and faxes.
The policy should cover legislative responsibilities for the data it collects, publishing what is collected, and doing so in a manner that will not enable identification. For proper creation and implementation of a data retention policy, especially regarding compliance, the IT team will need to work with the legal team. The legal team will know how long data must be retained by law while IT will carry out the actual implementation of the policy.
Defining a retention schedule depends on the type of data, the data collection cycle and will be according to the specific needs and policy of an NSO, and the legislation of each country. Each data collection should be retained according to its merits and can be destroyed after all processing, and likely provider queries have been resolved. Some NSOs have adapted their backup software archiving functionality to automate data disposal. In some countries, a central government agency has responsibility for the storage and archiving of important documents and files.