Data Governance Toolkit: Data Retention and Destruction

DG toolkit icon

Part C and Part B 619 programs collect, maintain, and use significant amounts of information to meet federal and state requirements, to provide services to eligible children and families, and to support general administration. Part C and Part B 619 governance policies must address record retention and data destruction to establish the responsibilities and timeliness for the retention and destruction of multiple types and formats of Part C and Part B 619 data, consistent with federal and state requirements. This section contains topical information, a packet with a considerations worksheet and a policy template, and an option to request technical assistance.

Part C and Part B 619 programs collect, maintain, and use significant amounts of personally identifiable information (PII) to meet federal and state requirements. Additional administrative information is also collected (e.g., fiscal information, local agency, program information, correspondence, federal and state applications, minutes of advisory groups, monitoring results). These data are maintained in both paper and electronic format. According to federal IDEA regulations, some PII may be kept indefinitely, such as child’s name, parent contact information, and providers’ names, as well as entry and exit dates, attendance records, grades, classes attended, and services provided (34 CFR 303.416(b) and 34 CFR 300.624(b)). Other data are maintained for a preestablished period based on federal and state agency requirements. Some Part C and Part B 619 programs retain data longer for use in state longitudinal data systems.

Agencies that administer Part C and Part B 619 programs must follow federal record retention requirements. The U.S. Department of Education’s General Administrative Regulations at 34 CFR Part 76 specify that a state and its subgrantee (local educational agencies) must keep records of compliance with program requirements and use of grant funds. Part 76 applies to Part B and Part C of IDEA. The Part C regulations at 34 CFR 303.414(b)(2) specify that references to state and local educational authorities mean the lead agency under Part C.

Regulations that apply to Parts B and C of IDEA at 34 CFR 200.333 specify that applicable records related to the federal award be retained for a period of 3 years from the submission of the final expenditure report for that fiscal year. The regulation contains several extensions to this time frame. Of particular importance to the data retention and destruction policy is the following statement: “If any litigation, claim, or audit is started before the expiration of the 3-year period, the records must be retained until all litigation, claims, or audit findings involving the records have been resolved and final action taken.” Family Educational Rights and Privacy Act (FERPA), which also applies to Parts B and C of IDEA, contains a similar provision stating that educational agencies and institutions cannot destroy educational records if there is an outstanding request to inspect or review them.

According to IDEA regulations, parents must be informed when PII — collected, maintained, or used — is no longer needed to provide the child with services. Further, parents may request that their child and family’s personally identifiable data be destroyed consistent with these IDEA requirements. This applies to the destruction of any PII — collected, maintained, or used — whether it is contained in the child’s record or elsewhere (34 CFR 303.416 and 34 CFR 300.624).

Other federal noneducation requirements, including Medicaid and Health Insurance Portability and Accountability Act (HIPAA), may also apply to the timeline for retention of specific types of records. These additional federal provisions must be taken into account when developing a policy on records retention and destruction of data. Any federal requirements are minimal and state agencies may have longer timelines for required records retention. Any data governance policy in this area must adhere to both federal and state timelines.

The Privacy Technical Assistance Center (PTAC) indicates that data destruction can include destroying, erasing, or anonymizing child and family data so that the data are unreadable (paper records), irretrievable (digital records), or purged of personal identifiers. State policies should address information contained in databases, server backups, file extracts, copies, and nonelectronic PII (e.g., paper, pictures).

PTAC identifies three categories of data destruction that may be helpful in the development of state policies (ordered from least to most aggressive):

  • Clear: uses programmatic software-based techniques, protects against simple data recovery, and typically involves Read and Write commands (e.g., resetting a device to its factory state).
  • Purge: uses state-of-the-art lab techniques to make data recovery infeasible.
  • Destroy: uses state-of-the-art lab techniques to make data recovery infeasible and renders media unable to store data.

For additional information, refer to the PTAC Best Practices for Data Destruction.

Careful consideration should also be given to the state agency’s current or planned efforts to use longitudinal data. These data-linking and -sharing efforts could include State Longitudinal Data Systems (SLDS) or Early Childhood Integrated Data Systems (ECIDS).

Finally, state data governance policies on retention and destruction should specify required state timelines for the destruction of data when the data are no longer necessary or required to be maintained, consistent with any applicable federal requirements.