Guideline on retention of study information and data

Considerations for retaining information/data| Minimum period researchers should keep information/data| Explaining data retention to participants| Suggested language for an information consent letter| Safe and secure storage of information/data| Retention in an identifiable or de-identified/coded, or anonymized format| Sharing with an Open Access source/databank| Frequently Asked Questions

Researchers collect various types of information and data during the life of a project. Research data and information includes, but is not limited to, the following:

study participant personal information such as names, mailing addresses, email addresses, and phone numbers,
experimental data such as responses to questionnaires, tasks, and activities,
research team meeting notes and other related research materials, and
records of interactions with participants (e.g., consent forms, emails).

Data retention is an important part of the life cycle of information, and researchers have a responsibility to assess privacy risks and threats to security of information, and implement appropriate measures to protect the information (TCPS2, Article 5.3, Application).

Considerations for retaining study information and data

The TCPS2, Article 5.3, Application states:

“Appropriate data retention periods vary depending on the research discipline, research purpose and the kind of data involved."
"In considering the adequacy of proposed measures for safeguarding information during its full life cycle, REBs should not automatically impose a requirement that researchers destroy the research data. Stored information may be useful for a variety of future purposes."

What is a retention period?

A retention period is the amount of time the research team intends to keep participant information and data.
A retention period is the time in which the information and data will be held, allowing for purposes such as requirements from publishers, funders, and research integrity inquiries.
Stating a minimum retention period versus a maximum period is recommended to allow flexibility for the research team and lets participants know the minimum amount of time their data will be stored. For example, if the minimum data retention period is 7 years, this means that data will be stored for at least 7 years but could be stored for longer if necessary.
Read below the factors for deciding on a retention period and further considerations.

Factors to consider when deciding on a retention period

principles or requirements such as:
- First Nations Principles of OCAP® (ownership, control, access, and possession)
- CARE Principles for Indigenous Data Governance
formal data sharing with participants or groups:
- "In some situations, formal data sharing with participants may occur, for example, by giving individual participants copies of a recording or transcript as a gift for personal, family or other archival use.” TCPS2, Article 5.3, Application
sponsor or funder requirements including limitations stipulated by a data custodian or project partner such as:
- data custodians may share data and information with researchers for a specific use, and require the researcher’s copy be deleted when the study is completed
- project partners, sponsors, or funders may have their own policies that require destruction after a defined period
regulatory requirements
- Health Canada Regulated Clinical Trial data must be retained for a minimum of 15 years
- Guidance for records related to Health Canada Regulated Clinical Trials
study methodology
- oral history data, for example, may be archived for historical or preservation purposes
intellectual property rights including the following:
- University of Waterloo Policy 73
- TCPS2, Chapter 9, Research Involving First Nations, Inuit and Métis Peoples of Canada and specifically Article 9.18, Intellectual Property Related to Research
responsible conduct of research (RCR):
- researchers should retain data as long as necessary before and after publication of research results to be able to respond to a possible allegation of research misconduct (e.g., falsification of data)
- some sponsors or funders may have requirements for retaining data (e.g., NIH funded studies require researchers to retain data for 6 years after the final resolution date of a RCR case)
academic requirements to retain information related to course objectives for both graduate and undergraduate research:
- data should be kept for at least 1 year after the end of a study unless otherwise stated in case of allegations of academic misconduct
- Faculty are obliged to retain data related to evaluation and assessments, including research data for one year post submission of final grades per WatClass TL 55
  - management of materials related to student assessments are governed by Policy 46 as well as the Freedom of Information and Protection of Privacy Act (FIPPA).

Minimum period that researchers should keep the data and information they collect

The time periods outlined do not imply when data is to be destroyed, rather this is the minimum amount of time data should be retained.

Recommended minimum retention periods

Research Type	Recommended minimum period	Reason
Undergraduate research including thesis projects and Graduate course projects	1 year after last use retain until the end of the term in which the work was submitted or after the resolution of any grade revision request or appeal	In case of allegations of academic misconduct, data should be kept for 1 year. Faculty are obliged to retain data related to evaluation and assessments, including research data for one year post submission of final grades per WatClass TL 55. Researchers are encouraged to separate students’ work which is being assessed or graded from their own. Management of materials related to student assessments are governed by Policy 46 as well as Freedom of Information and Protection of Privacy Act (FIPPA).
Master’s level research research not affiliated with faculty research projects	1 year after last use retain to the end of the term in which the work was submitted or after the resolution of any request or appeal	Data should be kept for 1 year in case of allegations of academic misconduct. Faculty are obliged to retain data related to evaluation and assessments, including undergraduate and graduate research data for one year post submission of final grades per WatClass TL 55. Researchers are encouraged to separate students’ work which is being assessed or graded from their own. Management of materials related to student assessments are governed by Policy 46 as well as Freedom of Information and Protection of Privacy Act (FIPPA).
Master’s level research research associated with faculty research projects	Minimum of 7 years unless otherwise indicated by the funder	7 year retention periods align with many requirements from our most common research funders as well as Canadian Revenue Agency general requirements as well as WatCLASS standards.
PhD and Faculty Research	Minimum of 7 years unless otherwise indicated by the funder	7 year retention periods align with many requirements from our most common research funders as well as Canadian Revenue Agency general requirements as well as WatCLASS standards.
Health Canada Regulated Clinical Trials	Minimum of 15 years, according to Health Canada and University of Waterloo Regulations	Guidance for records related to Health Canada Regulated Clinical Trials
National Institute for Health (NIH) or US funders	US federal grants suggest a minimum retention of 3 years	3-year period for retention begins ‘after the last report’ but other confounding factors can influence this minimum retention period. For example, if a research misconduct investigation occurs, data must be kept for an additional 6 years after the end of the investigation. See the US Office for Research Integrity for more information.

Explaining data and information retention to study participants

Participants should be informed how long their information and data will be held.

The language in the table below is intended to inform and educate participants about the following:

how information and data collected for research purposes will be maintained and securely stored
who will have access to participant information and data (e.g., will it be only individuals associated with the research project or will other researchers via an open access repository have access, etc.) and whether data will be identifiable, de-identified/coded or completely anonymized
the minimum time period that information and data will be stored
how information and data may be used in future (with participant permission) for additional purposes to make full use of the data and not burden participants by collecting the same data repeatedly
who to contact if a participant changes their mind and no longer wants their data used in the study along with an explanation of limitations associated with removing data, if any
- for example, removing or deleting data may not be possible if the data set has been anonymized or de-identified and the key linking the data to a participant’s identity has been destroyed

Researchers are not required to use the exact language below since each research project will have varying contexts and nuances. Carefully consider the points above and how they may or may not relate to your project and ensure all relevant information is explained in a manner accessible to the participant sample (i.e., use plain language).

Suggested language for a participant information consent letter

Type of data	Suggested language for an information consent letter
Anonymous online survey	This survey is anonymous in that identifying information will not be linked to your responses. Once you have submitted your responses it will not be possible to remove your data because we have no way of knowing which responses are yours. Only those associated with this study will have access to these records which are secured by [encryption/password protected]. We will keep our study records for a minimum of [specify number] years.
Electronic/Paper data and no collection of health information	Protecting your confidentiality/What we will do with your data If planning to anonymize data: Identifying information such as names, emails, etc., will be removed from your responses (data) and stored separately for [insert time, e.g., “3 months”] and then permanently deleted. You may change your mind and ask to have your information deleted by contacting us within this time. Afterwards, it will not be possible to remove your responses because we will have no way of knowing which data are yours. The anonymized data set will be secured on [encrypted/password protected] computers for at least [specify number] years. If planning to de-identify/code data and retain identifiable information separately: Identifying information such as names, emails, etc., will be removed from your responses (data) and stored securely and separately. This identifying information will only be accessible to the research team. Data collected for this study will be secured on [encrypted/password protected] computers for at least [specify number] years. You may change your mind and ask to have your responses deleted by contacting us within this time. Please note it is not possible to remove data once results have been submitted for publication or otherwise shared publicly.
Data collected with the intent to archive or share, as in an Open Access database, biobank, or databank, including oral life history data.	Biobanks and biorepositories: See guideline for biobanks and biorepositories. Researchers are encouraged to provide clear information about how and with whom data will be shared or archived, including information about whether it will be identified, anonymized, de-identified/coded and the process, if any, for individuals to access the data. Oral life history or other archives or databanks: Data related to your participation will be submitted to [explain open access database or other data repository]. This data will be completely anonymized by removing [explain what information will be removed and what information might remain] before submission. This process is integral to the research process as it allows other researchers to verify results and avoid duplicating research. Other individuals may access this data by [explain process for accessing data]. Should you choose, you may review all data that will be submitted before it is entered in [database or repository]. If you decide to withdraw your data [explain process for withdrawals and any limitations on this]. Inclusion of your data in [open access database or other data repository] is voluntary. If you would like more information on this database or repository contact: [provide contact information].
Collection of health information from study participants	With your permission, we will gather some of your health information [provide examples of types of data]. To ensure the confidentiality of your information, you will be identified by [describe confidentiality procedure, for example, a participant code known only to the principal investigator and or others]. Any publications or reports that result from this study will be presented as grouped data (i.e., averages of all the participants). In the case where it may be useful to present data from a particular participant, your name or other identifying information will not be shared. Your information will be encrypted, and any paper data will be securely stored. Identifiable data will only be accessible to members of the research team. We will keep study records for a minimum of [specify number] years. You can withdraw your consent to participate and ask that your data be destroyed by contacting one of the researchers within this time. Consent cannot be withdrawn once papers and publications have been submitted. *Note:* If obtaining personal health information from a third party, for example, from a doctor’s office, a data sharing agreement must be in place with the Health Information Custodian. In all cases, researchers should follow the Data Sharing and Information Security Guidelines.

Safe and secure storage of data and information collected from participants

As outlined in the TCPS2, Article 5.3, Application, researchers have a responsibility to safeguard participant information and the associated study data through:

“all stages of the research life cycle and implement appropriate measures to protect information.”

Researchers also have an obligation to the following as outlined in the TCPS2, Article 5.3, Application, associated with the guiding core principles of Respect for Persons and Concern for Welfare:

“Safeguarding information helps respect the privacy of participants and helps researchers fulfill their confidentiality obligations.”
“In adopting measures to safeguard information, researchers should follow disciplinary standards and practices for the collection and protection of information gathered for research purposes."
"Researchers shall assess privacy risks and threats to the security of information for all stages of the research life cycle and implement appropriate measures to protect information.”

Refer to the Guideline for researchers on securing research participants’ data

Retention of participant information and data in an identifiable, de-identified/coded, or anonymized format

Data that is genuinely de-identified can be retained for as long as necessary without further participant consent.

For data to be considered de-identified one of the following must be met:

US Safe Harbor Standards
Expert determination
Standards identified in the Deidentification Guideline for Structured Data

A secondary use of data or information that is outside of the scope of the initial research collection purpose requires a research ethics review regardless if the data is de-identified or not.

Sharing data with an Open Access source/databank

Be clear about this process with participants in the information and consent letter and explain the following:

how and where data will be kept
how other researchers will access the data and whether permissions will be required or whether it will be freely available
explanation of what personal information will be removed from the data
limits on withdrawal of data after it has been shared with the databank
whether participants will have an opportunity to review their data before placement in the databank
voluntariness along with the benefits and possible risks with data sharing

Frequently asked questions

Does the University of Waterloo impose a requirement that researchers destroy the information and data they collect from study participants?

No. The TCPS2, Article 5.3, Application states: “REBS should not automatically impose a requirement that researchers destroy the research data. Stored information may be useful for a variety of purposes.”
Researchers are to be aware of their responsibilities for data retention and to indicate at least a minimum period for how long they will hold the information they collect about participants as well as the associated study data. This is to be outlined in the research ethics application and in information letter to participants.
See Considerations for retaining study information and data

Can I hold participant information ‘indefinitely’?

Study participants can interpret ‘indefinitely’ as meaning ‘forever’ which results in concerns that their information will be shared or used by others without their consent.
A minimum data retention period should be agreed upon by the research team.
Researchers are to retain data as long as necessary before and after publication of research results to be able to respond to a possible allegation of research misconduct (e.g., falsification of data).

Do I need to state the information I collect will be destroyed after a set amount of time?

The TCPS2, Article 5.3, Application states: “REBS should not automatically impose a requirement that researchers destroy the research data. Stored information may be useful for a variety of purposes.”
It is recommended that researchers state a minimum retention period rather than a maximum period to give as much flexibility as possible.
A minimum retention period tells participants the minimum amount of time they could withdraw consent after participation, where feasible, and allows researchers to hold information to meet the changing requirements from publishers, funders, and/or research integrity inquiries.
Outlining a minimum retention period allows researchers to retain data for as long as necessary – preferably, and whenever possible, in a de-identified or anonymized format.

How should I explain to participants how long I will retain data?

It is recommended that researchers include the following in the information and consent letter:
- if retained data will be held in an identifiable, de-identified/coded, or anonymized format, and
- how long after participation a participant can ask for their information or data to not be used (i.e., withdrawn).
Whenever possible, researchers are encouraged to retain only de-identified/coded or anonymized information and data.
See Guidelines for researchers on securing participant’s data

What should I tell participants if they want to make a request to withdraw their data?

Participants should be told of any limitations to when they can withdraw their data. For example, if the data has been anonymized three months after collection, participants cannot withdraw their data after that time.
If the data has been collected anonymously, such that no names or identifiers are associated with the data, participants are not able to request their data be withdrawn after participation as there is no way to link their responses to the data collected.