Guideline on retention of study information and data

Researchers collect various types of information and data during the life of a project. Research data and information includes, but is not limited to, the following:

• study participant personal information such as names, mailing addresses, email addresses, and phone numbers,
• experimental data such as responses to questionnaires, tasks, and activities,
• research team meeting notes and other related research materials, and
• records of interactions with participants (e.g., consent forms, emails).

Data retention is an important part of the life cycle of information, and researchers have a responsibility to assess privacy risks and threats to security of information, and implement appropriate measures to protect the information (TCPS2, Article 5.3, Application).

Considerations for retaining study information and data

• “Appropriate data retention periods vary depending on the research discipline, research purpose and the kind of data involved."
• "In considering the adequacy of proposed measures for safeguarding information during its full life cycle, REBs should not automatically impose a requirement that researchers destroy the research data. Stored information may be useful for a variety of future purposes."

What is a retention period?

• A retention period is the amount of time the research team intends to keep participant information and data.
• A retention period is the time in which the information and data will be held, allowing for purposes such as requirements from publishers, funders, and research integrity inquiries.
• Stating a minimum retention period versus a maximum period is recommended to allow flexibility for the research team and lets participants know the minimum amount of time their data will be stored. For example, if the minimum data retention period is 7 years, this means that data will be stored for at least 7 years but could be stored for longer if necessary.
• Read below the factors for deciding on a retention period and further considerations.

Factors to consider when deciding on a retention period

• principles or requirements such as:
  • First Nations Principles of OCAP® (ownership, control, access, and possession)
  • CARE Principles for Indigenous Data Governance
  • "In some situations, formal data sharing with participants may occur, for example, by giving individual participants copies of a recording or transcript as a gift for personal, family or other archival use.” TCPS2, Article 5.3, Application
  • data custodians may share data and information with researchers for a specific use, and require the researcher’s copy be deleted when the study is completed
  • project partners, sponsors, or funders may have their own policies that require destruction after a defined period
  • Health Canada Regulated Clinical Trial data must be retained for a minimum of 15 years
  • Guidance for records related to Health Canada Regulated Clinical Trials
  • oral history data, for example, may be archived for historical or preservation purposes
  • University of Waterloo Policy 73
  • TCPS2, Chapter 9, Research Involving First Nations, Inuit and Métis Peoples of Canada and specifically Article 9.18, Intellectual Property Related to Research
  • researchers should retain data as long as necessary before and after publication of research results to be able to respond to a possible allegation of research misconduct (e.g., falsification of data)
  • some sponsors or funders may have requirements for retaining data (e.g., NIH funded studies require researchers to retain data for 6 years after the final resolution date of a RCR case)
  • data should be kept for at least 1 year after the end of a study unless otherwise stated in case of allegations of academic misconduct
  • Faculty are obliged to retain data related to evaluation and assessments, including research data for one year post submission of final grades per WatClass TL 55
    • management of materials related to student assessments are governed by Policy 46 as well as the Freedom of Information and Protection of Privacy Act (FIPPA).

    Minimum period that researchers should keep the data and information they collect

    The time periods outlined do not imply when data is to be destroyed, rather this is the minimum amount of time data should be retained.

    Recommended minimum retention periods

    Research Type

    Recommended minimum period

    Reason

    Undergraduate research including thesis projects

    Graduate course projects

    1 year after last use

    • retain until the end of the term in which the work was submitted or after the resolution of any grade revision request or appeal

    In case of allegations of academic misconduct, data should be kept for 1 year.

    Faculty are obliged to retain data related to evaluation and assessments, including research data for one year post submission of final grades per WatClass TL 55.

    Researchers are encouraged to separate students’ work which is being assessed or graded from their own.

    Management of materials related to student assessments are governed by Policy 46 as well as Freedom of Information and Protection of Privacy Act (FIPPA).

    Master’s level research

    • research not affiliated with faculty research projects

    1 year after last use

    • retain to the end of the term in which the work was submitted or after the resolution of any request or appeal

    Data should be kept for 1 year in case of allegations of academic misconduct.

    Faculty are obliged to retain data related to evaluation and assessments, including undergraduate and graduate research data for one year post submission of final grades per WatClass TL 55.

    Researchers are encouraged to separate students’ work which is being assessed or graded from their own.

    Management of materials related to student assessments are governed by Policy 46 as well as Freedom of Information and Protection of Privacy Act (FIPPA).

    Master’s level research

    • research associated with faculty research projects

    Minimum of 7 years unless otherwise indicated by the funder

    7 year retention periods align with many requirements from our most common research funders as well as Canadian Revenue Agency general requirements as well as WatCLASS standards.

    PhD and Faculty Research

    Minimum of 7 years unless otherwise indicated by the funder

    7 year retention periods align with many requirements from our most common research funders as well as Canadian Revenue Agency general requirements as well as WatCLASS standards.

    Health Canada Regulated Clinical Trials

    Minimum of 15 years, according to Health Canada and University of Waterloo Regulations

    National Institute for Health (NIH) or US funders

    US federal grants suggest a minimum retention of 3 years

    3-year period for retention begins ‘after the last report’ but other confounding factors can influence this minimum retention period.

    For example, if a research misconduct investigation occurs, data must be kept for an additional 6 years after the end of the investigation.

    Explaining data and information retention to study participants

    Participants should be informed how long their information and data will be held.

    The language in the table below is intended to inform and educate participants about the following:

    • how information and data collected for research purposes will be maintained and securely stored
    • who will have access to participant information and data (e.g., will it be only individuals associated with the research project or will other researchers via an open access repository have access, etc.) and whether data will be identifiable, de-identified/coded or completely anonymized
    • the minimum time period that information and data will be stored
    • how information and data may be used in future (with participant permission) for additional purposes to make full use of the data and not burden participants by collecting the same data repeatedly
    • who to contact if a participant changes their mind and no longer wants their data used in the study along with an explanation of limitations associated with removing data, if any
      • for example, removing or deleting data may not be possible if the data set has been anonymized or de-identified and the key linking the data to a participant’s identity has been destroyed

      Researchers are not required to use the exact language below since each research project will have varying contexts and nuances. Carefully consider the points above and how they may or may not relate to your project and ensure all relevant information is explained in a manner accessible to the participant sample (i.e., use plain language).

      Suggested language for a participant information consent letter

      Type of data

      Suggested language for an information consent letter

      This survey is anonymous in that identifying information will not be linked to your responses. Once you have submitted your responses it will not be possible to remove your data because we have no way of knowing which responses are yours.

      Only those associated with this study will have access to these records which are secured by [encryption/password protected]. We will keep our study records for a minimum of [specify number] years.

      Electronic/Paper data and no collection of health information

      Protecting your confidentiality/What we will do with your data

      If planning to anonymize data: Identifying information such as names, emails, etc., will be removed from your responses (data) and stored separately for [insert time, e.g., “3 months”] and then permanently deleted. You may change your mind and ask to have your information deleted by contacting us within this time. Afterwards, it will not be possible to remove your responses because we will have no way of knowing which data are yours. The anonymized data set will be secured on [encrypted/password protected] computers for at least [specify number] years.

      If planning to de-identify/code data and retain identifiable information separately: Identifying information such as names, emails, etc., will be removed from your responses (data) and stored securely and separately. This identifying information will only be accessible to the research team. Data collected for this study will be secured on [encrypted/password protected] computers for at least [specify number] years. You may change your mind and ask to have your responses deleted by contacting us within this time. Please note it is not possible to remove data once results have been submitted for publication or otherwise shared publicly.

      Data collected with the intent to archive or share, as in an Open Access database, biobank, or databank, including oral life history data.

      Biobanks and biorepositories:

      See guideline for biobanks and biorepositories. Researchers are encouraged to provide clear information about how and with whom data will be shared or archived, including information about whether it will be identified, anonymized, de-identified/coded and the process, if any, for individuals to access the data.

      Oral life history or other archives or databanks:

      Data related to your participation will be submitted to [explain open access database or other data repository]. This data will be completely anonymized by removing [explain what information will be removed and what information might remain] before submission. This process is integral to the research process as it allows other researchers to verify results and avoid duplicating research. Other individuals may access this data by [explain process for accessing data]. Should you choose, you may review all data that will be submitted before it is entered in [database or repository]. If you decide to withdraw your data [explain process for withdrawals and any limitations on this]. Inclusion of your data in [open access database or other data repository] is voluntary. If you would like more information on this database or repository contact: [provide contact information].

      Collection of health information from study participants

      With your permission, we will gather some of your health information [provide examples of types of data]. To ensure the confidentiality of your information, you will be identified by [describe confidentiality procedure, for example, a participant code known only to the principal investigator and or others]. Any publications or reports that result from this study will be presented as grouped data (i.e., averages of all the participants). In the case where it may be useful to present data from a particular participant, your name or other identifying information will not be shared.

      Your information will be encrypted, and any paper data will be securely stored. Identifiable data will only be accessible to members of the research team. We will keep study records for a minimum of [specify number] years. You can withdraw your consent to participate and ask that your data be destroyed by contacting one of the researchers within this time. Consent cannot be withdrawn once papers and publications have been submitted.

      Note: If obtaining personal health information from a third party, for example, from a doctor’s office, a data sharing agreement must be in place with the Health Information Custodian. In all cases, researchers should follow the Data Sharing and Information Security Guidelines.

      Safe and secure storage of data and information collected from participants

      As outlined in the TCPS2, Article 5.3, Application , researchers have a responsibility to safeguard participant information and the associated study data through:

      • “all stages of the research life cycle and implement appropriate measures to protect information.”

      Researchers also have an obligation to the following as outlined in the TCPS2, Article 5.3, Application, associated with the guiding core principles of Respect for Persons and Concern for Welfare :

      • “Safeguarding information helps respect the privacy of participants and helps researchers fulfill their confidentiality obligations.”
      • “In adopting measures to safeguard information, researchers should follow disciplinary standards and practices for the collection and protection of information gathered for research purposes."
      • "Researchers shall assess privacy risks and threats to the security of information for all stages of the research life cycle and implement appropriate measures to protect information.”

      Retention of participant information and data in an identifiable, de-identified/coded, or anonymized format

      Data that is genuinely de-identified can be retained for as long as necessary without further participant consent.

      For data to be considered de-identified one of the following must be met:

      • US Safe Harbor Standards
      • Expert determination
      • Standards identified in the De-identification Guideline for Structured Data

      A secondary use of data or information that is outside of the scope of the initial research collection purpose requires a research ethics review regardless if the data is de-identified or not.

      Sharing data with an Open Access source/databank

      Be clear about this process with participants in the information and consent letter and explain the following:

      • how and where data will be kept
      • how other researchers will access the data and whether permissions will be required or whether it will be freely available
      • explanation of what personal information will be removed from the data
      • limits on withdrawal of data after it has been shared with the databank
      • whether participants will have an opportunity to review their data before placement in the databank
      • voluntariness along with the benefits and possible risks with data sharing

      Frequently asked questions

      Does the University of Waterloo impose a requirement that researchers destroy the information and data they collect from study participants?

      • No. The TCPS2, Article 5.3, Applicationstates:“REBS should not automatically impose a requirement that researchers destroy the research data. Stored information may be useful for a variety of purposes.”
      • Researchers are to be aware of their responsibilities for data retention and to indicate at least a minimum period for how long they will hold the information they collect about participants as well as the associated study data. This is to be outlined in the research ethics application and in information letter to participants.
      • SeeConsiderations for retaining study information and data

      

      Article 5.3, Applicationstates:“REBS should not automatically impose a requirement that researchers destroy the research data. Stored information may be useful for a variety of purposes.”

    • It is recommended that researchers state a minimum retention period rather than a maximum period to give as much flexibility as possible.
    • A minimum retention period tells participants the minimum amount of time they could withdraw consent after participation, where feasible, and allows researchers to hold information to meet the changing requirements from publishers, funders, and/or research integrity inquiries.
    • Outlining a minimum retention period allows researchers to retain data for as long as necessary – preferably, and whenever possible, in a de-identified or anonymized format.

    

    identifiable, de-identified/coded, or anonymized format, and

  • how long after participation a participant can ask for their information or data to not be used (i.e., withdrawn).
• Whenever possible, researchers are encouraged to retain only de-identified/coded or anonymized information and data.
• See Guidelines for researchers on securing participant’s data

What should I tell participants if they want to make a request to withdraw their data?

• Participants should be told of any limitations to when they can withdraw their data. For example, if the data has been anonymized three months after collection, participants cannot withdraw their data after that time.
• If the data has been collected anonymously, such that no names or identifiers are associated with the data, participants are not able to request their data be withdrawn after participation as there is no way to link their responses to the data collected.