There are many reasons for market researchers to develop and implement a good data retention policy. Most importantly, specific statutes and regulations may impose specific requirements, and if a researcher is sued, there are laws requiring data be preserved for discovery purposes.

In addition to legal reasons, data retention makes sense from a business perspective—having information stored, and easily accessible, helps researchers respond to requests from customers, suppliers or others. When developing a data retention policy, researchers should keep the following in mind:

What is “data”?
It’s important to think of “data” broadly (as any type of “information”), and not just as survey results or personal information about respondents. Data may also take a number of forms, including, but not limited to:

  • E-mails and attachments
  • Instant messages
  • Voicemail
  • Word-processing files
  • Spreadsheet files
  • Database files
  • Financial and accounting files
  • Marketing and sales records
  • Material contracts
  • Human resource files, including personnel and payroll files
  • Browser cookies
  • Intranet files
  • Graphics files
  • Desktop faxes
  • Incomplete or deleted files

Many statutes which require data retention include specific definitions of what types of information must be kept on file to satisfy the statute. Accordingly, it’s necessary to consult each applicable statute to ensure that all required “data” is retained.

What are some reasons for retaining data?
There are a number of reasons a researcher may need to retain data. First, and most importantly, some statutes and regulations expressly require it. Consider, for example, the following statutes (this list is not exhaustive; consult with an attorney about whether these statutes, or others, apply to your particular research activities):

  • The Health Insurance Portability and Accountability Act (HIPAA), Pub. L. 104-191, 110 Stat. 1936, designed in part to protect the confidentiality and security of healthcare information, requires that records of a company’s HIPAA policies and procedures be kept for 6 years.
  • The Sarbanes-Oxley Act, 18 U.S.C. §1514A, which only applies to publicly-traded companies, designed to protect shareholders and the public from accounting errors and fraudulent practices and improve the accuracy of corporate disclosures. The Act has retention requirements ranging from employment applications (3 years) to bank statements (permanent).
  • The California Online Privacy Protection Act (CalOPPA), Cal. Bus. & Prof. Code §§ 22575-22579, does not impose a specific retention requirement, but the California Attorney General has suggested that a company’s privacy policy disclose how long each type of data is retained.
  • IRS regulations impose various retention requirements. As a general rule, the statute of limitations for IRS audits is 6 years, and tax records should be kept for at least this long, but there are provisions for extension of this limit. Consult with a tax attorney to develop sound data retention policies for tax purposes.
  • Finally, state data security and data breach laws also require businesses to retain data and records of breaches for certain periods.

In addition to specific laws and regulations requiring data retention, researchers have a duty to preserve potentially relevant documents and files if litigation is foreseeable. Federal Rule of Civil Procedure 37(e), also known as the “safe harbor” provision, forbids a court from imposing sanctions on a researcher for failing to preserve electronically stored information “absent exceptional circumstances,” but some courts have found that ordinary negligence suffices to justify sanctions.

On top of these reasons, retaining data makes good business sense. From a customer service perspective, a researcher who has a good bank of data will be in a better position to answer the questions of customers or respondents. Accurate and complete financial records may also make an organization more attractive to potential investors and buyers.

Finally, although data retention was occasionally expensive in the past, advances in technology have made retaining data incredibly cheap (with free cloud storage providers, for example). There’s no reason for researchers not to keep all the data they need.

Are there legal reasons to delete data?
The law may not only require that a researcher retain data—it may require researchers to delete certain types of data as well. For example (this list is not exhaustive):

  • The Children’s Online Privacy Protection Act (COPPA), U.S.C. §§ 6501-6506, which applies to websites directed to children under 13, requires that data collected from children not be retained any longer than is necessary for the purpose for which it was collected.
  • California’s Eraser Law, part of SB 568 (“the Privacy Law”), gives California minors the right to remove (or request that the operator remove) content or information posted to an operator’s site or service while the minor was still under 18.
  • Similarly, in 2014, the European Court of Justice declared EU Citizens have a Right to be Forgotten, and can request that websites remove search results that are inadequate or have become irrelevant.

How do I develop a data retention policy?
The particulars of a sound data retention policy may vary considerably according to applicable laws and regulations, contractual obligations, the type and uses of data at issue, and the cost of storing data. But the development of a data retention policy should include, at a minimum, the following steps.

Step One: Identify Applicable Statutes and Regulations
Determine whether the nature of data being collected (if health related, for example) or the identity of respondents (if children, for example) implicates specific statutes or regulations with data retention requirements. Consult with a lawyer regarding applicable statutes and regulations.

Step Two: Assess Litigation Risks
As a general matter, and as an ongoing practice, researchers should determine whether litigation is foreseeable. If a researcher is embroiled in a dispute or knows it has violated the law, for example, extra steps should be taken to retain and preserve all data that might be relevant to the suit. While legal counsel should be consulted, in all likelihood a “preservation memo” will be issued, requiring the preservation of all documents relevant to the litigation.

Step Three: Develop a Written Data Retention Policy
It’s important to lay out your data retention policy in a well-organized, clearly written document accessible to all employees. A data retention policy should include the following sections, at least:

  • Purpose: Lay out the broad aims of the data retention policy. Consider these purposes when writing the rest of the policy.
  • Applicable Laws: Identify every applicable statute or regulation that requires data retention, and address each in an independent section of the policy.
  • Record Retention and Deletion Schedule: Describe schedule and procedure for deleting information. Information subject to deletion must be permanently destroyed. Have policies in place to ensure deleted information cannot be reconstructed.
  • Litigation Plan: As discussed above, the rules change when you’re being sued, or anticipate litigation. Describe the procedures to be followed when a complaint is filed, or litigation becomes reasonably foreseeable.
  • Review Schedule: Laws and business practices change, and can change frequently. Your data retention policy will have to therefore be adjusted and updated accordingly.

Step Four: Make the Policy Available to Employees and Train Them
Data retention policies should be written simply and clearly, and organized so that employees can easily understand them. Make the policy readily available to employees, and hold training sessions to make sure employees understand the ins and outs of the policy.

TAKEAWAYS

1. Know the applicable laws. There is no single law governing data retention. Accordingly, don’t think of data retention as subject to one single law or regulation. Instead, consider data retention as components of a plethora of individual laws and regulations.

2. Develop a smart policy. Write a well-organized, clear data retention policy, and make sure employees have access to it. Hold data retention training. Make sure employees understand its importance, and enforce your policy!

3. Periodically review the policy. Set up a regular schedule for reviewing data retention practices for efficiency and legality. Consult with a lawyer and determine whether any applicable laws have changed, or are likely to be changed.

4. Pause regular procedures when a lawsuit is foreseeable. When you’re sued, or are likely to be sued, the rules for data retention change. If data is relevant to the suit, and discoverable, you have to keep it!

This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.