Introduction
Data collection is a fundamental part of evaluation, social research, and market research. In a way, data are the lifeblood of these fields; after all, without data we would be unable to analyse anything, draw conclusions, or develop recommendations.
But data are also something that must be handled with sensitivity and security. In most cases the information we collect is not ours, but given by others, and often includes elements that are personal to those that have provided it. Therefore we must respect this. The collection, protection, and retention of data are governed by a range of policies. In particular, researchers and evaluators do not normally have the right to retain identifiable data indefinitely, but must dispose of it securely after a certain time.
But what time is the "right" time? We have observed across our work a range of retention times, and in the deliberations of our committee we have sought clarity on what timeframe is appropriate for the kinds of work we review. This has identified a significant contradiction between the guidance of different Australian Government agencies on this issue.
To support ethical and high quality research and evaluation, we have developed this position statement to clarify the guidance and provide support to researchers and evaluators around their projects.
There's a difference between NHMRC and OAIC requirements
In 2019, the National Health and Medical Research Council (NHMRC) published Management of Data and Information in Research: A guide supporting the Australian Code for the Responsible Conduct of Research. Section 2.3 of the guide sets out guidelines for the retention of all data collected as part of research, stating:
In general, the minimum period for retention of research data is 5 years from the date of publication. However, for any particular case, the period for which the data should be retained should be determined by the specific type of research, subject to any applicable state, territory or national legislation.
The guide then identifies examples where this might be varied, such as student assessments (12 months), clinical trials (15 years), and data in itself of cultural or historical value such as oral histories (permanently). However, the general advice of 5 years has created a de facto standard in research and evaluation, as well as for ethical review bodies.
By contrast, the Office of the Australian Information Commissioner (OAIC) provides a different position in their Privacy (Market and Social Research) Code 2021 at Section 19(2):
If:
- a Research Organisation holds identifiable research information about an individual; and
- the Research Organisation no longer needs the information for any purpose for which the information may be used or disclosed by the Research Organisation under this Code; and
- the information is not contained in a Commonwealth record; and
- the Research Organisation is not required by or under an Australian law, or a court/tribunal order, to retain the information;
the Research Organisation must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de‑identified.
Section 19A(1) further states:
A Research Organisation must retain identifiable research information only while the details of the identity of the individual whom the information is about continue to be necessary to be retained for research purposes. The information must be destroyed or de-identified once these purposes have been achieved. Where identifiable research information has been returned to a third party (in accordance with APP6) any copies, including archived copies, must be destroyed or de-identified.
On the face of it, this creates a contradiction. Retaining identifiable data for 5 years after publication of findings, where the person identified has not given permission for that identifiable data to be published, would likely contravene section 19 of the Privacy (Market and Social Research) Code 2021.
Our position: the OAIC Code has legal precedence
The presence of this apparent contradiction is an opportunity for our HREC to provide clarity on our position in relation to review processes and how our committee will review applications where there is a period of data retention, especially where said data include identifiable information about stakeholders.
As the Privacy (Market and Social Research) Code 2021 is a registered Australian Privacy Principles code under the Privacy Act (Cth) 1988, it is a legislative instrument binding upon all members of the Australian Data and Insights Association (ADIA). This includes most market and social research organisations operating in Australia (and thus, a significant proportion of our applicants). Non-member organisations, while not legally bound by the Code, are encouraged to voluntarily comply. By contrast, compliance with the NHMRC guide is only a requirement for the receipt of funding by NHMRC and ARC, though again organisations are encouraged to follow the guide.
From a legislative standpoint, this means that the Privacy (Market and Social Research) Code 2021 has precedence and should be followed in this situation. Moreover, the NHMRC guide explicitly acknowledges:
The storage, retention and disposal of research data should:
- be consistent with any copyright or licensing arrangements that are in place
- be in accord with research discipline-specific practices and standards
- comply with relevant privacy, ethical and publication requirements
- comply with other relevant laws, regulations and guidelines.
This means that our position is as follows:
The retention of data collected as part of evaluation, market research, and social research projects should, where practical, be limited to the period in which such data are required for the purposes for which they were collected. After this point, said data should be securely disposed of. This is especially applicable for data including identifiable information about stakeholders where consent has not been given for said identifiable information to be published.
Retention timeframes can still vary
Our position does not set out a strict timeframe for the disposal of data. This is because this timeframe will vary by:
- the project being conducted;
- the data being collected;
- the stakeholders who have provided the data; and,
- any permissions said stakeholders have provided for the use of that data outside of the project.
We also agree with the NHMRC that in some cases, research and evaluation data has the potential to be the only artefact relating to the subject of research or the evaluand. In such cases, there may be grounds for the indefinite retention of data. However, such cases are the exception.
Moreover, stakeholders can and should have the right to withdraw data provided as part of a project in most circumstances. Once data are de-identified and/or published, this withdrawal process is not practically possible. Therefore stakeholders should be made aware of the time point beyond which withdrawal is not possible.
De-identified data also represent an important consideration. While in principle, de-identification should render data safe for retention over a longer period, in practice de-identified data may be re-identifiable in concert with other information, including publicly available information. Therefore this risk needs to be managed, and a reasonable starting point is to treat all de-identified data as potentially re-identifiable and build in security measures to protect data.
As part of project planning, we recommend that researchers and evaluators should:
- Consider and outline the retention and disposal plans for data collected as part of the project, especially identifiable data;
- Provide a clear timeframe (or timeframes) over which data will be retained;
- Ensure that these timeframes represent the minimum possible time necessary;
- Provide a rationale for the timeframes chosen, with consideration of the NHMRC and OAIC codes; and,
- Ensure that stakeholders providing their data are aware of these timeframes as relevant, as well as the rights and timeframes by which they can withdraw data.
Summary
The responsible retention and disposal of data in research and evaluation is not just a matter of good practice, it is a legal and ethical imperative. While the NHMRC provides useful guidance on data retention timeframes, the Privacy (Market and Social Research) Code 2021 carries legislative weight for a significant number of our clients and has precedence, particularly when dealing with identifiable information.
Our position is that as a principle, data should only be retained for as long as it is necessary for the purposes for which it was collected. Once those purposes are fulfilled, the data must be securely disposed of or de-identified. This approach respects both the privacy rights of stakeholders and the legal obligations of research organisations.
We acknowledge that retention timeframes will vary depending on the nature of the project, the type of data collected, and the permissions granted by stakeholders. In rare cases, indefinite retention may be justified, but this must be carefully considered and clearly documented.
Ultimately, researchers and evaluators must plan for data retention and disposal from the outset of their projects. This includes setting clear timeframes based on legal and professional obligations and ensuring stakeholders are informed of their rights. By doing so, we can uphold the integrity of our work while safeguarding the trust placed in us by those who share their data.