Retention of Research Records and Destruction of Data

What do you do with your data and other research materials once the study has concluded?  Different regulations apply to how long you are required to store records after the completion of research, and you must keep records for the longest applicable period of time.  Federal regulations require research records to be retained for at least 3 years after the completion of the research (45 CFR 46) and UVA regulations require that data are kept for at least 5 years. Additional standards from your discipline may also be applicable to your data storage plan. Research that involves identifiable health information is subject to HIPAA regulations, which require records to be retained for at least 6 years after a participant has signed an authorization. Finally, research sponsors may require longer retention periods.  In sum, you must keep your research records for at least 5 years and possibly longer, depending on the longest applicable standard.  Another good practice is to retain data until there is no reasonable possibility that you will be required to defend against an allegation of scientific misconduct.

Notice that these regulations do not specify when you must destroy data, only state the minimum amount of time you must retain it.  As long as you can guarantee that your research records are secure, you can keep them indefinitely.  Of course, practical considerations of storage space may make this impossible.  Moreover, some participants may object to retention of their study records for an indefinite amount of time.  Ideally, you should define your retention policy in your consent form, so that your participants can agree to it.  Sometimes researchers wish to reuse data for subsequent studies.  If you anticipate this situation, you should state in your consent form that data may be retained for use in future studies.  In this case, you should destroy any identifying information and linking files once you have kept them for the longest applicable standard.  Especially if participants are unable to give consent to additional uses of their data, all records should be de-identified before use.  Careful data storage for subsequent use prevents researchers from collecting the same data over and over again, protecting participants from inefficient research practices and exposing them to less risk. For more information about data management, please see UVA Library's website on data management.

When research records are to be destroyed instead of stored securely, you should remember to protect your participants’ confidentiality throughout the process.  Paper records should be shredded and recycled, instead of carelessly tossed in the garbage.  Records stored on a computer hard drive should then be erased using commercial software applications designed to remove all data from the storage device.  Contact ITC for more information on erasing electronic records.  For data stored on USB drives or recorded data on tapes, CDs, or DVDs, the storage devices should be physically destroyed.  You should keep records stating what records were destroyed, and when and how you did so.