Data Retention and Destruction

Data Destruction: Physical destruction of the record or ensuring that personal identifiers are removed from a record so that the record is no longer personally identifiable. — 34 CFR 300.611(a) and 303.403(a)

Overview

Part C and Part B 619 programs collect, maintain, and use significant amounts of personally identifiable information (PII) and non-personally identifiable information to meet federal and state requirements, to provide services to eligible children and families, and to support general administration. Examples of non-PII are fiscal information, local agency/program information, correspondence, federal and state applications, minutes of advisory groups, and monitoring results. These data are maintained in both paper and electronic format.

It is critical that Part C and Part B 619 governance policies address record retention and data destruction. In developing their own policies and procedures, it is essential to review relevant federal and state agency regulations regarding data retention and destruction.

According to federal IDEA regulations, some PII data may be kept indefinitely, such as child’s name, parent contact information, and providers’ names, as well as entry and exit dates, attendance records, grades, classes attended, and services provided [34 CFR 303.416(b) and 34 CFR 300.624(b)]. Other data are maintained for a preestablished period based on federal and state agency requirements. Some Part C and Part B 619 programs retain data longer for use in state accountability longitudinal data (PII and non-PII) initiatives.

Agencies that administer Part C and Part B 619 programs must follow federal record retention requirements. The U.S. Department of Education’s General Administrative Regulations at 34 CFR Part 76 specify that a state and its subgrantee (local educational agencies) must keep records of compliance with program requirements and use of grant funds. Part 76 applies to Part B and Part C of IDEA. The Part C regulations at 34 CFR 303.414(b)(2) specify that references to state and local educational authorities mean the lead agency under Part C.

Uniform Guidance regulations that apply to Parts B and C of IDEA at 34 CFR 200.333 specify that applicable records related to the federal award be retained for a period of 3 years from the submission of the final expenditure report for that fiscal year. The regulation contains several extensions to this time frame. Of particular importance to the data retention and destruction policy is the following statement: “If any litigation, claim, or audit is started before the expiration of the 3-year period, the records must be retained until all litigation, claims, or audit findings involving the records have been resolved and final action taken.” The Family Educational Rights and Privacy Act (FERPA), which also applies to Parts B and C of IDEA, contains a similar provision stating that educational agencies/institutions cannot destroy educational records if there is an outstanding request to inspect or review them.

According to IDEA regulations, parents must be informed when PII — collected, maintained, or used — is no longer needed to provide the child with services. Further, parents may request that their child and family’s personally identifiable data be destroyed consistent with these IDEA requirements. This applies to the destruction of any PII — collected, maintained, or used — whether it is contained in the child’s record or elsewhere (34 CFR 303.416 and 34 CFR 300.624).

Other federal noneducation requirements, including Medicaid and the Health Insurance Portability and Accountability Act (HIPAA), may also apply to the timeline for retention of specific types of records. These additional federal provisions must be taken into account when developing a policy on records retention and destruction of data. Any federal requirements are minimal and state agencies may have longer required records retention time periods. It is important that any data governance policy in this area adhere to both federal and state timelines.

The Privacy Technical Assistance Center (PTAC) indicates that data destruction can include destroying, erasing, or anonymizing child and family data so that the data are unreadable (paper records), irretrievable (digital records), or purged of personal identifiers. State policies should address information contained in databases, server backups, file extracts, copies, and nonelectronic PII (e.g., paper, pictures).

PTAC identifies three categories of data destruction that may be helpful in the development of state policies (ordered from least to most aggressive):

  • Clear: Uses programmatic software-based techniques, protects against simple data recovery, typically involves Read and Write commands (e.g., resetting a device to its factory state).
  • Purge: Uses state-of-the-art lab techniques to make data recovery infeasible.
  • Destroy: Uses state-of-the-art lab techniques to make data recovery infeasible and renders media unable to store data.

For additional information, refer to the PTAC Best Practices for Data Destruction.

Careful consideration should also be given to the state agency’s current or planned efforts to use longitudinal data for accountability purposes. These data-linking and -sharing efforts could include State Longitudinal Data Systems (SLDS) or Early Childhood Integrated Data Systems (ECIDs).

Finally, state data governance policies on retention and destruction should specify required state timelines for the destruction of data when the data are no longer necessary or required to be maintained, consistent with any applicable federal requirements.

Part C and Part B 619 programs do not operate independently of the state agency in which they are housed. Thus, the structure of any data governance already within an agency is of particular importance. After first taking into consideration all relevant federal requirements, Part C and Part B 619 programs should review any data policies regarding record retention and data destruction developed by the agency in which their program resides. Existing policies might need to be updated with specific references or provisions related to Part C or Part B 619, in which case the considerations and the template below may be helpful in proposing language.

Where no policy on data retention and destruction exists or a separate policy related to Part C or Part B 619 is needed, the template following the Considerations section is fully editable and prepopulated with language to expedite writing new data retention and destruction policies.

The DaSy Data System Framework emphasizes the importance of data governance policies including record retention and destruction in its Data Governance section, Quality Indicator DG6.

Considerations

Use the questions below to discuss the components of a comprehensive data retention and destruction policy. Where appropriate, procedures and operational guidance that detail specific actions that implement this policy should be created.

1. Data Retention and Destruction Policy: General Provisions

  1. Which federal requirements for record retention and destruction of data apply to your Part C or Part B 619 program?
  2. Are there additional state agency policies related to record retention and destruction of data that apply to your Part C or Part B 619 program? If yes, which are they?
  3. What specific Part C or Part B 619 data retention and destruction policies or procedures, if any, exist?
  4. What types of data (e.g., PII, programmatic, fiscal, monitoring, applications) will be covered under this policy?
  5. Which participating agencies will be required to follow this policy and under what mechanisms (e.g., contracts, subgrants, or interagency agreements)?
  6. What program or state longitudinal data-sharing or -linking efforts are considered under this policy (e.g., SLDs and/or ECIDS)?
  7. How will the public be informed about this policy? How is this policy included in your agency’s privacy statement? Where will it be posted on the state’s website?
  8. Which agency/program should be contacted with questions about this policy?
  9. Which agency/program is responsible for ensuring adherence to this policy?
  10. Which agency/program is responsible for monitoring adherence to this policy, and how will the monitoring be conducted?
  11. Which agency/program is responsible for managing the implementation of this policy including provision of training and technical assistance?
  12. What sanctions will apply when this policy is not followed?
  13. How often will this policy be reviewed for necessary revisions?

2. Data Retention and Destruction Policy: Record Retention

  1. What is the retention timeline for each type of data included in this policy (e.g., PII, fiscal information, local agency/program information, correspondence, federal and state applications, minutes of advisory groups, and monitoring results)? Are the timelines different for state or local retention or for paper vs. electronic records?
  2. What procedures and schedule will be required for data storage and archiving records, who is responsible for overseeing the process, and how it will be monitored)?

3. Data Retention and Destruction Policy: Destruction of Data

  1. Which method and process of data destruction are appropriate for each type of data listed above based on the sensitivity of the data? (See PTAC categories of data destruction above.)
  2. What timeline is required for the destruction of each type of data?
  3. Who oversees that data destruction is executed on schedule and as required?
  4. What procedures are followed if/when there is a request for data destruction (e.g., parent request to remove PII child information from paper records and the program database)?
  5. What procedures are followed for informing parents about the agency’s decision to destroy their PII data?

Template

Use, and modify as needed, this template for developing a data retention and destruction policy. Select the highlighted text and replace with your state/program information.

Download Template for Data Governance Data Retention and Destruction Policy (Word document)