Retention periods

Find out how long you need to keep your data

Retention periods define how long you need to keep data after you complete your research project. You must adhere to the retention periods that pertain to your data.

Retention periods for research data vary depending on what the data is, and what research the data is related to. Retention periods are specified in:

In most cases data will continue to be of value to you and to the wider research community for a long time beyond its minimum retention period. In fact, funders and publishers are increasingly encouraging, or even mandating, that researchers retain and share their data.

Data should only be destroyed if specifically required by ethical, legal, or contractual obligations. In cases where data must be destroyed, you mustn’t do so before the end of the minimum retention period. Destruction of data must be authorised, documented, and performed using secure destruction methods. Destruction of research data must be coordinated through Archives and Records Management Services (ARMS). If you believe your data is eligible for destruction and wish to destroy it, then you must complete an Application to Dispose of University Records form and contact the University’s Disposal Officer (

Minimum retention periods
    • Research data related to...
      Projects of national or international significance or of community or heritage value, projects that would be difficult or impossible to repeat, or areas such as gene therapy.
      Must be kept...
    • Research data related to...
      Projects involving human subjects with potential long-term effects.
      Must be kept...
      For 20 years after project ends, or until research subjects have reached 25 years of age, whichever is longer
    • Research data related to...
      Projects with potential long-term environmental effects
      Must be kept...
      For 20 years after project ends
    • Research data related to...
      Patent applications
      Must be kept...
      For life of patent (usually 20 years)
    • Research data related to...
      Clinical trials
      Must be kept...
      For 15 years after trial ends or otherwise in accordance with applicable requirements of the Therapeutic Goods Agency (TGA) or Department of Health and Ageing
    • Research data related to...
      All other research
      Must be kept...
      For 5 years after project ends
    • Research data related to...
      Short-term projects that are for assessment purposes only, such as projects completed by students
      Must be kept...
      For 12 months after project ends

    You can delete the following types of data at any time without authorisation or documentation, provided you no longer need them for reference or administrative purposes:

    • duplicate copies of data files
    • unused forms or templates
    • routine system logs
    • calibration or test data
    • temporary working copies of datasets used to prepare the final version
    • paper copies of data that have been captured in electronic form.

    Third party data

    In some cases you may be granted temporary permission to use externally owned highly confidential/sensitive datasets (including government and health datasets) for the purposes of a particular research project. The terms and conditions of use for these data may specify that they must be completely and securely destroyed from all University systems in circumstances such as (but not limited to):

    • When the lead investigator who’s authorised to use the data leaves the University, and/or
    • When the project for which you applied to use the data comes to a close, and/or
    • After a time period specified in the agreement relating to the use of the data.

    Data of this type must be destroyed in accordance with the terms and conditions of use.

Destruction of research data
  • Destruction of research data must be authorised and documented. You can apply for authorisation to destroy research data by completing an Application to Dispose of University Records form. Destruction of research data should be irreversible. This means that there should be no reasonable possibility that the data could be recovered or reconstituted after it’s been destroyed. Any destruction methods used should be performed safely and in accordance with health and safety requirements.

    You must use secure destruction methods to destroy research data containing personal identifying information, personal health information, commercial confidential information, or other sensitive information that needs to be disposed of. For further information on secure destruction techniques, contact ICT via the University Service Desk on +61 2 9351 2000 (select option 2 for ICT) or the Self Service Portal.

    If you use any third party service providers such as Iron Mountain for data destruction you must ensure that they’re accredited, that they transport physical media containing sensitive data in a secure manner, and that they provide a certificate of destruction.

    Hardcopy data:

    Paper documents that don’t require secure destruction can be shredded using a document shredder.

    You can request confidential waste services through Campus Infrastructure Services (CIS) for secure destruction of research data in paper form.

    Digital data on desktops and laptops:

    If you’re storing data on hard drives of laptops or desktops, then you must encrypt your devices using disk encryption tools such as BitLocker (Windows) or FileVault 2 (Mac). This can’t ensure the complete deletion of data, but does ensure that any residual data will remain secure and protected even if it’s recovered after deletion.

    Digital data on external storage devices:

    If you’re using external devices such as USB or flash drives for data backup, then you must again use disk encryption. To securely dispose of data on external devices, the password or key used to encrypt the device must be destroyed. This will render the device unusable.

    Digital data on CD, DVD, or Blu-ray:

    Optical media disks can be shredded in the same way as paper. Many (but not all) document shredders are also capable of shredding optical disks.

    Digital data on the RDS:

    You must encrypt highly confidential electronic data (e.g. data with personal identifiers) before it’s stored on the Research Data Store (RDS). To securely dispose of the data, the encrypted files must be deleted from active storage on the RDS and the password or key used for encryption must also be destroyed to prevent the decryption of any copies remaining on the backups of the RDS.

    Digital data in REDCap:

    REDCap should be used purely for data collection, not for data storage. Once the project is complete you should export your data from REDCap and place it on the RDS. Ideally, you should use REDCap’s ‘De-identification options’ when exporting your data, so that no sensitive information is exported. However, if this isn’t possible and you do need to export identifiable data from REDCap, it must be encrypted before it’s placed on the RDS. Once the data has been exported, the REDCap project must be deleted and the deletion approved by a REDCap administrator. The data will be completely destroyed after one year, once the backups of the REDCap servers have been entirely overwritten.

    Digital data on eNotebooks:

    At present there’s no method for securely destroying data stored on the LabArchives eNotebook platform, so personal identifying and other confidential information must not be stored on an eNotebook if it may ultimately require secure destruction.
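
The key-destruction approach described above for external devices and the RDS, shown as an added example (not University code or an official procedure). It assumes the `openssl` command line tool, version 1.1.1 or later; all directories and file names are hypothetical stand-ins, and the sample record is constructed.

```shell
#!/bin/sh
# Added example: disposal by key destruction, using the openssl CLI.
# Paths are hypothetical stand-ins, not University systems.
set -u
WORK=$(mktemp -d)              # the researcher's own (encrypted) machine
RDS="$WORK/rds"                # stand-in for active RDS storage
BACKUP="$WORK/rds-backup"      # stand-in for backups the researcher cannot purge
mkdir -p "$RDS" "$BACKUP"
# Constructed sample record containing a personal identifier.
SAMPLE=$(printf 'participant_id,dob\nP-0001,1990-01-01')

encrypt_and_store() {
    printf '%s\n' "$SAMPLE" > "$WORK/survey.csv"
    # Random 256-bit secret, kept off the storage service.
    (umask 077; openssl rand -hex 32 > "$WORK/survey.key")
    openssl enc -aes-256-cbc -pbkdf2 -salt \
        -in "$WORK/survey.csv" -out "$RDS/survey.csv.enc" \
        -pass "file:$WORK/survey.key"
    rm -f "$WORK/survey.csv"                 # only ciphertext leaves the machine
    cp "$RDS/survey.csv.enc" "$BACKUP/"      # simulate a backup run
}

dispose() {
    rm -f "$RDS/survey.csv.enc"   # delete from active storage
    # Destroy the key. Every copy of it must go (password managers, notes,
    # shared drives), otherwise the backup ciphertext is still recoverable.
    rm -f "$WORK/survey.key"
}

try_recover() {
    # $1 = key file. Prints whatever decrypts from the backup copy.
    openssl enc -d -aes-256-cbc -pbkdf2 \
        -in "$BACKUP/survey.csv.enc" -pass "file:$1" 2>/dev/null
}

encrypt_and_store
echo "before disposal: $(try_recover "$WORK/survey.key" | head -n 1)"
dispose
openssl rand -hex 32 > "$WORK/guess.key"     # any key other than the destroyed one
if [ "$(try_recover "$WORK/guess.key")" = "$SAMPLE" ]; then
    echo "backup still readable"
else
    echo "backup ciphertext remains but no longer decrypts"
fi
```

The backup copy survives `dispose`, which is why the key, and not only the file on active storage, has to be destroyed.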