how long to keep dissertation data

Guideline on retention of study information and data

Considerations for retaining information/data |  Minimum period researchers should keep information/data |  Explaining data retention to participants |   Suggested language for an information consent letter |  Safe and secure storage of information/data |  Retention in an identifiable or de-identified/coded, or anonymized format |   Sharing with an Open Access source/databank |  Frequently Asked Questions

Researchers collect various types of information and data during the life of a project. Research data and information includes, but is not limited to, the following:

• study participant personal information such as names, mailing addresses, email addresses, and phone numbers,
• experimental data such as responses to questionnaires, tasks, and activities,
• research team meeting notes and other related research materials, and
• records of interactions with participants (e.g., consent forms, emails).

Data retention is an important part of the life cycle of information, and researchers have a responsibility to assess privacy risks and threats to security of information, and implement appropriate measures to protect the information ( TCPS2, Article 5.3, Application ).

Considerations for retaining study information and data

The TCPS2, Article 5.3, Application states:

• “Appropriate data retention periods vary depending on the research discipline, research purpose and the kind of data involved."
• "In considering the adequacy of proposed measures for safeguarding information during its full life cycle, REBs should not automatically impose a requirement that researchers destroy the research data. Stored information may be useful for a variety of future purposes."

What is a retention period?

• A retention period is the amount of time the research team intends to keep participant information and data.
• A retention period is the time in which the information and data will be held, allowing for purposes such as requirements from publishers, funders, and research integrity inquiries.
• Stating a minimum retention period versus a maximum period is recommended to allow flexibility for the research team and lets participants know the minimum amount of time their data will be stored. For example, if the minimum data retention period is 7 years, this means that data will be stored for at least 7 years but could be stored for longer if necessary.
• Read below the factors for deciding on a retention period and further considerations.

Factors to consider when deciding on a retention period

• First Nations Principles of OCAP® (ownership, control, access, and possession)
• CARE Principles for Indigenous Data Governance
• "In some situations, formal data sharing with participants may occur, for example, by giving individual participants copies of a recording or transcript as a gift for personal, family or other archival use.”  TCPS2, Article 5.3, Application
• data custodians may share data and information with researchers for a specific use, and require the researcher’s copy be deleted when the study is completed
• project partners, sponsors, or funders may have their own policies that require destruction after a defined period
• Health Canada Regulated Clinical Trial data must be retained for a minimum of 15 years
• Guidance for records related to Health Canada Regulated Clinical Trials
• oral history data, for example, may be archived for historical or preservation purposes
• University of Waterloo Policy 73
• TCPS2, Chapter 9, Research Involving First Nations, Inuit and Métis Peoples of Canada and specifically Article 9.18, Intellectual Property Related to Research
• researchers should retain data as long as necessary before and after publication of research results to be able to respond to a possible allegation of research misconduct (e.g., falsification of data)
• some sponsors or funders may have requirements for retaining data (e.g., NIH funded studies require researchers to retain data for 6 years after the final resolution date of a RCR case)
• data should be kept for at least 1 year after the end of a study unless otherwise stated in case of allegations of academic misconduct
• management of materials related to student assessments are governed by Policy 46  as well as the Freedom of Information and Protection of Privacy Act (FIPPA) .                                                               

Minimum period that researchers should keep the data and information they collect

The time periods outlined do not imply when data is to be destroyed, rather this is the minimum amount of time data should be retained.

Recommended minimum retention periods

Explaining data and information retention to study participants

Participants should be informed how long their information and data will be held.

The language in the table below is intended to inform and educate participants about the following:

• how information and data collected for research purposes will be maintained and securely stored
• who will have access to participant information and data (e.g., will it be only individuals associated with the research project or will other researchers via an open access repository have access, etc.) and whether data will be identifiable, de-identified/coded or completely anonymized
• the minimum time period that information and data will be stored
• how information and data may be used in future (with participant permission) for additional purposes to make full use of the data and not burden participants by collecting the same data repeatedly 
• for example, removing or deleting data may not be possible if the data set has been anonymized or de-identified and the key linking the data to a participant’s identity has been destroyed

Researchers are not required to use the exact language below since each research project will have varying contexts and nuances. Carefully consider the points above and how they may or may not relate to your project and ensure all relevant information is explained in a manner accessible to the participant sample (i.e., use plain language).

Suggested language for a participant information consent letter

Safe and secure storage of data and information collected from participants.

As outlined in the TCPS2, Article 5.3, Application , researchers have a responsibility to safeguard participant information and the associated study data through:

• “all stages of the research life cycle and implement appropriate measures to protect information.”

Researchers also have an obligation to the following as outlined in the TCPS2, Article 5.3, Application , associated with the guiding core principles of Respect for Persons and Concern for Welfare :

• “Safeguarding information helps respect the privacy of participants and helps researchers fulfill their confidentiality obligations.”
• “In adopting measures to safeguard information, researchers should follow disciplinary standards and practices for the collection and protection of information gathered for research purposes."
• "Researchers shall assess privacy risks and threats to the security of information for all stages of the research life cycle and implement appropriate measures to protect information.”

Refer to the Guideline for researchers on securing research participants’ data

Retention of participant information and data in an identifiable, de-identified/coded, or anonymized format

Data that is genuinely de-identified can be retained for as long as necessary without further participant consent.  

For data to be considered de-identified one of the following must be met:

• US Safe Harbor Standards
• Expert determination
• Standards identified in the De-identification Guideline for Structured Data

A secondary use of data or information that is outside of the scope of the initial research collection purpose requires a research ethics review regardless if the data is de-identified or not. 

S haring data with an Open Access source/databank

Be clear about this process with participants in the information and consent letter and explain the following:

• how and where data will be kept
• how other researchers will access the data and whether permissions will be required or whether it will be freely available
• explanation of what personal information will be removed from the data
• limits on withdrawal of data after it has been shared with the databank
• whether participants will have an opportunity to review their data before placement in the databank
• voluntariness along with the benefits and possible risks with data sharing

See suggested language for information and consent letters

Frequently asked questions

Does the University of Waterloo impose a requirement that researchers destroy the information and data they collect from study participants?

• No. The TCPS2, Article 5.3, Application states: “REBS should not automatically impose a requirement that researchers destroy the research data. Stored information may be useful for a variety of purposes.”
• Researchers are to be aware of their responsibilities for data retention and to indicate at least a minimum period for how long they will hold the information they collect about participants as well as the associated study data. This is to be outlined in the research ethics application and in information letter to participants.
• See Considerations for retaining study information and data

• Study participants can interpret ‘indefinitely’ as meaning ‘forever’ which results in concerns that their information will be shared or used by others without their consent.
• A minimum data retention period should be agreed upon by the research team.
• Researchers are to retain data as long as necessary before and after publication of research results to be able to respond to a possible allegation of research misconduct (e.g., falsification of data).
• The TCPS2, Article 5.3, Application states: “REBS should not automatically impose a requirement that researchers destroy the research data. Stored information may be useful for a variety of purposes.”
• It is recommended that researchers state a minimum retention period rather than a maximum period to give as much flexibility as possible.  
• A minimum retention period tells participants the minimum amount of time they could withdraw consent after participation, where feasible, and allows researchers to hold information to meet the changing requirements from publishers, funders, and/or research integrity inquiries. 
• Outlining a minimum retention period allows researchers to retain data for as long as necessary – preferably, and whenever possible, in a de-identified or anonymized format. 
• if retained data will be held in an identifiable , de-identified/coded, or anonymized format, and
• how long after participation a participant can ask for their information or data to not be used (i.e., withdrawn).
• Whenever possible, researchers are encouraged to retain only de-identified/coded or anonymized information and data.
• See Guidelines for researchers on securing participant’s data

What should I tell participants if they want to make a request to withdraw their data?

• Participants should be told of any limitations to when they can withdraw their data. For example, if the data has been anonymized three months after collection, participants cannot withdraw their data after that time.
• If the data has been collected anonymously , such that no names or identifiers are associated with the data, participants are not able to request their data be withdrawn after participation as there is no way to link their responses to the data collected.

Back to Top                                                                                                                                                                            February 2023

• Research Process
• Manuscript Preparation
• Manuscript Review
• Publication Process
• Publication Recognition
• Language Editing Services
• Translation Services

Research Data Storage and Retention

• 4 minute read
• 58.8K views

Table of Contents

You’ve completed your research study, published your articles, made your presentations, and disseminated your research. At this point, you may be wondering whether you should retain your research records, and if the data related to your research should be destroyed.

Like many topics in the world of research, there is no one simple answer, as it can depend on your research institution, government requirements, as well as individual publisher requirements. The importance of data storage in research, however, can’t be underestimated. It’s critical that you understand the requirements and recommendations related to the retention of your research data.

In this article, we’ll cover the basics of retention of research records and destruction of data, as well as examples of poor data storage and retention in research. We’ll also touch on government guidelines, and recommendations or requirements that your institution may have.

Retention of Research Data

What should you do with research materials and data once your project has been completed? There are many different guidelines and regulations regarding how long you should retain research data and records, and it comes down typically to keeping things as long as you possibly can. United States regulations, for instance, require data and research records to be stored for a minimum of three years upon completion of the research. However, some institutions require you to keep data for a longer period of time, while different disciplines may demand even longer storage terms. Ideally, you should take all of this into consideration before your research project has begun.

For example, any research that has to do with identifiable and private health information falls under HIPAA requirements, which typically require research data to be retained for a minimum of six years. Sponsors and funders may have different requirements, as well. So, knowing the requirements around your type of research, the institution, publisher, funder and federal regulations is critical as the principal investigator. A safe practice is to store data for as long as reasonably possible, until it is highly unlikely that you might be in a position to have to defend yourself or your research against any possible allegation of misconduct related to your work.

Electronic and Hard-Copy Data Storage and Protection

In the past, retaining records meant saving boxes and boxes of paperwork, authorization forms and more. Now, fortunately, electronic data storage makes the task much easier. With the benefits of using digital storage comes, of course, great responsibility. In some ways, it can be much trickier, as electronic data is much more difficult to protect. There are tools available to assure that data is stored safely, whether it is on your individual computer, in the cloud, or any other type of storage. If private information, like health information and names, as well as private contact information, happens to get hacked, stolen or lost, it can be devastating for all those involved in the research project. That situation can negatively affect your research participants, the sponsoring organizations, research institutions and project publishers that have supported your work. In addition, the loss of data will surely have a negative impact on the research project itself.

Even with electronic storage capabilities, many materials in research studies may still be hard-copies, like paper surveys, writing samples, research journals and paper notes. Whether hard-copy or electronic, all research data has to be stored in a way where access is limited to only personnel who have permission and authorization to access such materials. Paper copies should be kept in a locked file cabinet with just one key. Electronic data should only be accessed utilizing encrypted passwords that are changed often. Any identifying information, like names and addresses, should be removed, and written hard-copy data after it’s been transferred to electronic data storage should be destroyed.

Poor Data Storage and Retention in Research

The ethics and morality around data storage, retention and disposal run deep. There have been highly publicized cases of researchers being cited for misconduct around any and all of these unfortunate incidents. For example, a principal investigator not limiting access to private health information, or a researcher losing a laptop that had the only copy of unprotected and sensitive research data.

One of the most common mistakes is holding on to data for too long. Researchers and research institutions might incorrectly believe that retaining data longer than is legally required is “safer” than deleting it. But poor data storage can also mean retaining data longer than is needed. The longer data is stored, the higher the possibility of security breaches. It can also mean unnecessarily increasing the research organization’s burden to protect data security and access.

The best solution is to implement a data storage policy that addresses legal requirements in a way that is responsible, ethical, and reasonable. Again, ideally, that is done before the research has even begun, and ultimately it’s the principal investigator’s role to evaluate if extended storage is warranted, given the associated benefits and risks of keeping data related to a research project.

Elsevier Author Services

As a researcher, you have many hats to wear. How can you make your research the best it can be? Utilize Elsevier’s Author Services , including language editing, native speaker translation services, scientific illustrations, and more. Reach the highest standard with Elsevier Author Services.

Confidentiality and Data Protection in Research

Journal Acceptance Rates: Everything You Need to Know

You may also like.

How to Write a Cover Letter for Your Manuscript? Here are the Tips and Examples

Publishing Biomedical Research: What Rules Should You Follow?

Writing an Effective Cover Letter for Manuscript Resubmission

How to Find and Select Reviewers for Journal Articles

How to Request the Addition of an Extra Author Before Publication

Paper Rejection: Common Reasons

How to Write a Journal Article from a Thesis

Input your search keywords and press Enter.

We use cookies to help our site work, to understand how it is used, and to tailor ads that are more relevant to you and your interests.

By accepting, you agree to cookies being stored on your device. You can view details and manage settings at any time on our cookies policy page.

Managing and storing data

Discover how to describe, document and store your research data.

What is research data management?

Research data management (RDM) refers to organising, documenting, formatting and storing your research data throughout your research project, in ways that support its discoverability, potential sharing and re-use, and preservation. These practices are informed by legal, statutory, ethical and funder requirements. This management is applied from the planning stages of a project through to day-to-day management and long-term preservation and sharing.

What we consider to be research data

The University of Surrey considers research data to be any material collected, observed, processed, or created for the purpose of analysis and on which research findings and outputs are based. This includes data and documentation which are commonly accepted in the scholarly community as necessary for validation or replication of research findings. Research data may be in digital or non-digital formats. This could include:

• Audio, video, and images or photographs
• Text documents and spreadsheets
• Code, scripts, algorithms, models, and software
• Protocols and methodologies
• Specimens and samples
• Collections of digital objects
• Lab notebooks, field notes, and diaries
• Questionnaires and codebooks
• Interview schedules and transcripts
• Test responses
• Slides, artefacts, specimens, samples

Why manage your research data?

At its heart, good research is good research data management. Having a strategy for how you are going to manage your data and documentation during your project will make every stage of research easier and more secure, especially when it comes to sharing and preserving your data for verification and reuse.

Ways to manage research data

Consider including some of the below in your data management plan .

Files, versions, and formats

File naming.

Keeping your files organised is often easier said than done. A simple file naming convention can help you quickly know what your files contain without having to open them. Common strategies for naming files:

• Use a consistent structure for sorting that makes sense for your project
• Names should be descriptive, but not too long
• Don’t embed important information for files in folders (e.g. sample01test04.txt, NOT sample01/test04.txt)
• Use numerical dates in YYYYMMDD or YYMMDD order
• Avoid spaces, full stops, or special characters in file names.

For more strategies and examples check out Edinburgh’s advice , Stanford’s case study , and Broman & Woo 2017 Data Organization in Spreadsheets .

Managing research inevitably means managing versions of files. Often software has version control built into it. If not, then the simplest strategy is to use the file name to indicate the version. Whole numbers (1, 2, 3) can be used for major changes and decimals for minor changes (1.1, 2.1, 3.2). For collaborative documents you can also include a log at the beginning of the file to record who and what changes have been made to the document and when. Take a look at an example of version control .

For software and code development, GitHub is a popular free option aimed at open collaboration and sharing of code. Surrey also has its own GitLab if you need the same functionality with additional privacy or security. Learn a bit more about getting started with GitHub .

One of the best ways to keep track of versions is by deleting files. If you want to keep some earlier versions of work, then only keep major changes and delete any minor change versions. Deleting unnecessary files is some of the best data management you can do.

For more information, check out Software Carpentry’s video on data management and version control and Edinburgh’s online module . Have evolving datasets with many versions? Datastorr for R might be able to help you develop a workflow for maintaining and distributing successive versions of datasets.

Before beginning it’s worth thinking about what file formats you will be creating and using during your research. You may want to consider:

• The quality, size, and compression needed
• Whether it is a widely used format in your field
• How easily the format can be shared, transformed, or exported
• The long-term viability of the format.

If possible, try to use open and non-proprietary formats or widely used formats to make your data more openly accessible and reduce their risk of becoming obsolete. York has good advice on how to future proof your file formats .

Data repositories often have recommended formats for deposit. If you have a repository in mind, check if they have any deposit requirements. For example, you can see the UK Data Service’s recommended formats for deposit.

Documentation

Documentation is the foundation of good research and should be started early. It makes your research understandable, verifiable, and reusable – first for you and then for others. Imagining these future users can help you assemble the best documentation for your project.

It can be embedded within research files, like in code, scripts, headers, summaries, label descriptions or built-in program documentation. One of the best ways to ensure the quality of your data is to automate your data creation or analysis as much as possible, which in turn becomes indispensable documentation. Take a look at an  example from biology .

Documentation exists at several levels:

• Project or study level:  For example research questions, methods, instruments, and the context of data collection and analysis
• File or data level:  For example what each file contains, how files relate to each other, the components, structure, and logic of data files
• Variable level:  For example code books or data dictionaries with definitions of variables, ranges, etc
• Metadata level:  For example structured descriptions of a study or dataset consisting of defined elements to facilitate discovery and reuse, usually created as part of a  data repository deposit ; sometimes  discipline specific . (All of Surrey’s shared and preserved data must have a metadata record in  our repository ).

The UK Data Service provides extensive advice on how to  document your data , including  data level documentation  and  study level documentation . More documentation to consider:

• Creating a  README file  for your project
• Using electronic lab notebooks (Cambridge’s  guide  and  comparison table )
• Registered Reports
• Publishing your protocols .

Storage and collaboration

Two of the biggest risks to research data are accidental loss or unauthorised access. We can mitigate those risks by adopting a few simple practices for storing our data.

Use University storage

During active research the best place to house your data is on University storage, where it will be regularly backed up and subject to greater access controls. This includes the University’s SharePoint or OneDrive software.

Best storage for collaborating

If you have collaborators and are concerned about having stronger access controls to your files, then SharePoint can afford you more protection and control over files than OneDrive.

Surrey Drop-off can be used for temporary one-off transfers of large files between you and your collaborators.

Sensitive data

If you have sensitive and personally identifiable data, contact IT Services ( [email protected] ) about appropriate storage options.

Where not to store data

Local hard drives, portable storage devices, laptops, and tablets are NOT recommended for research data storage. Don’t use third party cloud storage (e.g. Dropbox, Google Drive, etc.) – especially if you have sensitive data. These are not as secure or as protected as University storage.

Unreliable internet

If you don’t have reliable access to the internet during your research, then regularly sync your working copy with a master copy on university storage. Consider building in a schedule for syncing your data as part of your research workflow.

Data collection tools

If using an approved third-party online data collection tool (such as Qualtrics or Gorilla), be sure to move the data to University storage and delete it from the tool as soon as possible, i.e. at the close of collection or end of project.

For more check out data protection pages on privacy, security, and information management .

Special requirements

If you have special storage or computing requirements,  IT Services can work with you to meet any technical or security requirements and help you cost it into bids.

• UK Data Service’s guide to managing and sharing data
• Qualitative Data Archive’s Managing Qualitative Data module
• JISC research data management toolkit
• Messy data? Try Open Refine
• Data and software carpentries curricula
• Software Sustainability Institute's  top tips
• PLOS best practices in research reporting .

Research data management policy

Research data management policy companion guide, research data deposit guide.

Researcher@Library

Research data – how long should it be kept.

Researchers are tasked with collecting, storing and the retention of research data beyond the completion of their research project. Do you know exactly how long you should retain your research data? Carmela Gallo from the University of Melbourne’s Legal and Risk team offers key advice on research data management for researchers.

According to Management of Data and Information in Research: A guide supporting the Australian Code for the Responsible Conduct of Research (2.3 Storage, retention and disposal),

“The period for which data should be retained should be determined by prevailing standards for the specific type of research and any applicable state, territory or national legislation. In general, the minimum period for retention of research data is 5 years from the date of publication.”

However, researchers should not be misled in believing that all research data retention period requirements are 5 years from the date of publication based on the above statement. As a researcher at the University of Melbourne, you need to be aware that the University of Melbourne Records Retention & Disposal Authority provides the legal mechanism for the retention and disposal of university records in accordance with the Victorian Public Records Act 1973. This includes research data.

By applying the disposal classes to your research data, you will be meeting your compliance obligation.  Below is a summary of the retention periods for research data from the University of Melbourne Records and Retention Disposal Authority

3.2 : Datasets of regulatory or community-wide significance

Includes data created that is:

• part of genetic research, including gene therapy
• controversial or of high public interest,
• costly or impossible to reproduce
• relates to the use of an innovative technique for the first time,
• of significant community or heritage value to the state or nation
• required by funding or other agreements to be retained permanently

3.3 Datasets from clinical trials

Temporary – Minimum 15 years after completion of research activity

3.4 Datasets from involving minors

Temporary – Minimum 15 years after the child reaches the age of 18

3.5 Datasets not involving clinical trials or minors

Temporary – Minimum 5 years after completion of research activity

… under certain circumstances

However, under certain circumstances, there may be other factors that will override these retention periods for research data. Below are two examples:

• Are there legal requirements by funders such as government bodies and publishers that require a different retention period than those specified in the University Retention and Disposal authority? If so, is this well documented?
• The University has recently adopted a set of  open access principles that encourages sharing of data (if appropriate) beyond its publication. If you decided to put your research on open access, consider how long does the research data need to be made accessible and why? The retention period and justification should be documented.

Researchers will need to consider regulatory responsibilities, ethical, legal, cultural and other guidelines when determining how long to retain research data. The University of Melbourne Records Retention and Disposal Authority is one of those guidelines. From a records perspective, it is important that researchers determine and document the retention and disposal requirements from the beginning. It is important that this information is readily available into the future.

Want to learn more?

For more information on research data management, you can attend this upcoming Researcher@Library webinar, ‘File Management 101: Taming the digital chaos’ on Thursday 23 July, 2020 at 1pm with Peter Neish from the Digital Scholarship team.

About the author

Carmela Gallo works as a Records Analyst in Records & Information, Legal and Risk at the University of Melbourne. For more information on research data and record-keeping, subscribe to the Records Services Update e-newsletter by emailing [email protected] or browse past editions available from their website .

Image credit: Andrew Pons on Unsplash

• Researching
• Online Learning
• Researcher Data Management
• Stewardship

One Response to “Research Data – How long should it be kept?”

What are the best practices for securely storing and accessing research data during the retention period, especially for sensitive data such as genetic research or data involving minors? Tel U

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Save my name, email, and website in this browser for the next time I comment.