Data Retention and Storage

Data retention is an important but often overlooked part of the data lifecycle. Data that is stored too long can cause issues with data security, quality and privacy. Data that is not stored long enough can hinder your work and break public records laws. Most institutional data follows the university’s record retention schedules and may be subject to Ohio’s public records laws.

The university and government resources below will help you understand data management best practices and applicable policies and laws:

  • Records Retention Schedule: A records retention schedule is a legally mandated tool that classifies records created, sent or received by the university and provides instruction for records retention and disposition. Retention schedules cover records in any media format, including paper, electronic and electronic messages. 
  • Records Destruction: Part of any effective records management program is the timely destruction of obsolete records. The university's approved records retention schedules have been created based on the administrative, fiscal and legal value of the records. At the end of a record's life, it should be destroyed appropriately, and the destruction should be documented through a "Certificate of Records Destruction".
  • Records Management Policy: The Records Management Policy establishes guidelines for retaining and disposing of documents that are essential for decision-making, historical reference, legal compliance, operational effectiveness, litigation support and documenting the university's history.
  • Database Records: Retention and Disposition: Databases/systems contain many records, and possibly multiple record series. Retention and disposition of databases should be applied routinely per university retention schedules. 
  • S3 and S4 Secure Data Destruction Requirements: According to Ohio State’s Information Security Control Requirements (ISCR), all university official records, copies and data classified at the S3 and S4 security level must be securely destroyed. 
  • ISCR DAT3 Self-Assessment: This self-assessment can help you understand your office’s compliance with Ohio State’s Records Management Policy and can guide your Information Security Control Requirement (ISCR) DAT3 review.  
  • Public Records Policy: As a state-supported institution of higher education, the university is subject to the Ohio Public Records Act, Ohio Revised Code (ORC) 149.43, which requires all public offices to organize and maintain public records for which they are responsible in a way that allows the offices to identify and provide public records in response to public records requests. This policy outlines procedures and important public records rules for Ohio State staff and others who use or keep public records on the university’s behalf.  
  • Public Records Act: The Ohio Public Records Act gives citizens the right to request copies of public records held by various state and local agencies in Ohio. The Act outlines the process for making requests and agency response timeframes and responsibilities to such requests. 

Data Storage Best Practices

Following the file organization and naming best practices linked below will allow you to reduce the amount of time spent looking for records, eliminate unnecessary duplication of records, decrease security issues, risk and liability, and enable you to easily dispose of records once retention has been met.