Retention
For any research project which uses personal data, the motto “as long as necessary, as short as possible,” is important. The Principal Investigator should periodically review their research data set/s to assess whether personal data is still required.
When planning and designing a research project, the Principal Investigator should establish at what stage personal data will be: pseudonymised (de-identified), archived, anonymised. and/or securely deleted as applicable. This ensures that the retention period for personal data is appropriate to the requirements of the research project. Irrevocably anonymised data can be stored indefinitely.
In line with the principle of transparency, the retention period or the criteria used to calculate that retention period should be shared with the research participant in your project specific Information Leaflet.
Determining the retention period for research projects using personal data
Research data should be retained in a secure manner by the University for as long as it is of continuing use to the University. If the research data may be of value to the University (in terms of secondary analysis), consider this at the outset, so that participants are informed at the time of data collection of any possible future use of their data. This practice not only reflects the ethical principle of informed consent, but the principle of fair and lawful use of data, transparency, purpose limitation and storage limitation under Article 5 GDPR.
The following is a non-exhaustive list of the criteria to consider when calculating the retention period. Please note this is guidance only, and ultimately the Principal Investigator is responsible for justifying the retention period.
| Criteria | Term | Rationale |
|---|---|---|
| Research data is processed for undergraduate or postgraduate programmes. | Retain for 3 years post award of qualification. | This is to allow sufficient time for verification of results or appeal by the student. This retention period can be longer for any undergraduate or postgraduate programmes which also fall under the criteria listed below. |
| Research project is funded. | Retain for the period required by the funder or Co-ordinator (if a collaboration). | To comply with funder requirements |
| Publication requirements (follow up, verification). | Retain for the duration required by the publisher. | To comply with publication requirements |
| Involves participants recruited from HSE sites. | Retain research data and consent forms for a minimum period of 7 years post end of study in line with the HSE policy on research. | To comply with HSE requirements |
| Subject to a contract (research services etc.). | Retain for the period of time specified within the contract. | To comply with the contract terms and conditions |
| Evidence novel IP etc. | Retain indefinitely. | To comply with IP law |
| Poses a higher risk to the participant. | Retain for the duration of the project plus 7 years | In case of any potential legal claims |
| Any other legislative or regulatory reason. | Retain in line with that requirement (for example, 25 years minimum after the trial has ended for clinical trials). | To comply with legal or regulatory requirements |
| Data is required for follow up (longitudinal studies) or biobanks. | Retain indefinitely. | Best practice for longitudinal studies or biobanks |
| Personal data provided by a third-party for secondary use | Retain for the duration agreed with the provider under contract. | To comply with the contract |
Individuals’ rights in relation to the retention of their personal data may override the retention periods indicated above. If any request is received from a research participant to remove their personal data from a research project, contact the College Research DPO for advice without delay at researchdpo@tcd.ie
Each request will be assessed on a case-by-case basis.
Retention of consent-related documentation
Consent Forms are a form of personal data, often containing contact details, and the participants unique identifier. They should only be stored for as long as you are processing the participant’s personal data for research purposes (to evidence the ethical principle of informed consent, or compliance with the Health Research Regulations, if health research).
Please be aware of any other retention requirements regarding consent which may be imposed by the funder, publisher, law, regulation or best practice in your particular area of research.
If you are unclear about how long you should retain personal data, the College Research DPO can be contacted for advice, at researchDPO@tcd.ie.
Please note that if your research, requires a risk assessment or DPIA, the DPO’s office will provide tailored advice on retention specific to your project.
Further guidance
-
1. Data Protection Commission guidance on the principles of GDPR. Please see here.
- 2. Trinity’s current records retention schedule. Please see here.
- 3. Guidance on data management - CESSDA Data Management Expert Guide. Please see here.
- 4. Guidance on data anonymisation. Please see here.
- 5. HSE Policy for Consent in Health and Social Care Research. Please see here.