Data retention
Policy reference
- APM 30.11 University Data Classification and Standards
- APM 30.14 Cyber Incident Reporting and Response
- APM 65.02 Records Inventory, Retention and Disposition
Purpose
This Access Control standard supports APM 65.02 Records Inventory, Retention and Disposition other relevant university policies.
Scope
These standards are for all managed and unmanaged systems that access, store or process University of Idaho data (see APM 30.14 C-6) or using University of Idaho technology resources (see APM 30.12 C-1) at the Low, Moderate- or High risk levels (see APM 30.11) not otherwise covered by an approved systems security plan or investigation and litigation hold.
Documentation of the system and office of record if not currently known is expected to be completed as part of the ongoing data modernization project. This standard may be updated accordingly upon completion of that project.
Standards
1. The UI records retention schedule
- The UI records retention schedule is maintained by OIT
- The UI records retention schedule follows State of Idaho General Records Retention Schedule with the addition of:
- Systems of record
- Copies of records outside of the system of record must only be retained while administratively valuable and in approved storage location for the level of risk associated with the record.
- Offices of record
- The data trustee or data steward will be the Office of record unless otherwise required by University Policy or applicable laws.
- Systems of record
- Other retention requirements will be used as needed including but not limited to:
- State and Federal law
- Data management plans
- Research requirements
- Other contractual requirements
- Offices of record must retain records to meet the UI records retention schedule
- Offices of record must store records in the appropriate system of record as defined in the UI records retention schedule.
- Records covered by the UI records retention schedule must be labelled with the retention label that supports the required retention period where possible.
2. Document lifecycle
- SharePoint and OneDrive, including storage sites, individual OneDrive, and Teams Files retention, are configured with a default retention policy of 10 years based on last modified date
- Files may be deleted earlier through other means
- Exception for files/folders are available through retention labels with the following settings:
- Delete after 3-years
- Delete after 7-years
- Delete after 10-years
- Never archive
- Retain permanently
- Email retention is set to archive email after 2-years by default
- Retention labels will be available for the following:
- Delete after 3-years
- Delete after 7-years
- Delete after 10-years
- Never archive
- Retain permanently
- Email archive is not configured to delete items after any period of time
- Retention labels will be available for the following:
- Inactive Teams within Microsoft Teams will be deleted after 400 days, including corresponding shared files
- General storage
- System owners will be expected to configure cloud storage systems to have at most a 10-year limit for data/documents not covered by the general records retention schedule or otherwise covered by an approved systems security plan or investigation and litigation hold.
- Systems owners may configure longer limit with a documented reason.
Other References
- State of Idaho General Records Retention Schedule
- Idaho Code §74-101
- UI records retention schedule
- Media Protection
Definitions
- Investigation and litigation holds
Any record pertaining to anticipated or ongoing investigation, legal action or proceeding, audit, or similar activity as defined by OIT or the Office of General Counsel. - Document
Any file, physical or digital, that holds university data defined in APM 30.14 - Record a.k.a. Public Record
“Includes, but is not limited to, any writing containing information relating to the conduct or administration of the public’s business prepared, owned, used or retained by any state agency, independent public body corporate and politic or local agency regardless of physical form or characteristics. Provided, however, that personal notes created by a public official solely for his own use shall not be a public record as long as such personal notes are not shared with any other person or entity.”
(Idaho Code §74-101) - System of record
The authoritative location for the storage and retention of the relevant records. - Office of record
“The administrative unit or academic department responsible for managing the relevant records.” (APM 65.02) - Teams Channels & Files
Files, including posts, from Teams which are stored within M365 Group mailboxes & sites, including channel posts and shared files - Teams Chats
Chats from Teams which are stored within exchange mailboxes, including direct and group messages but not including shared files, which fall under OneDrive.
Standards Owner
The OIT Information Security Office (oit-security@uidaho.edu)
Revision History
5/28/2026 — Original standard