This policy covers all data collected by NDI and stored on NDI-owned or leased systems and media, regardless of location. It applies to both data collected and held electronically (including emails, cloud storage, photographs, video, and audio recordings) and data that is collected and held as hard copy or paper files. The need to retain certain information may be mandated by federal or local law, federal regulations, and legitimate business purposes, as well as the EU General Data Protection Regulation (GDPR).

NDI retains only that data that is necessary to effectively conduct its program activities, fulfill its mission and comply with applicable laws and regulations.

Reasons for data retention include:

• Providing ongoing service to the data subject (e.g. sending a newsletter, publication, or ongoing program updates to an individual, ongoing training or participation in NDI’s programs, processing of employee payroll and other benefits);
• Compliance with applicable laws and regulations associated with financial and programmatic record-keeping and reporting by NDI to its funding agencies and other donors;
• Compliance with applicable labor, tax, and immigration laws;
• Other regulatory requirements;
• Security incident or other investigation;
• Intellectual property preservation
• Litigation

NDI seeks to avoid duplication in data storage whenever possible, though there may be instances in which for programmatic or other business reasons it is necessary for data to be held in more than one place. This policy applies to all data in NDI’s possession, including duplicate copies of data.

NDI has set the following guidelines for retaining all data as defined in the Institute’s data privacy policy, collected both for program and administrative purposes.

• Website visitor data will be retained as long as necessary to provide the service requested/initiated through the NDI website;
• Contributor data will be retained for the year in which the individual has contributed and then for 5 years after the date of the last contribution. Financial information will not be retained longer than is necessary to process a single transaction.
• Event participant data will be retained for the period of the event, including any follow up activities, such as the distribution of reports, plus a period of 5 years;
• Program participant data (including sign in sheets) will be retained for the duration of the grant agreement that financed the program plus any additional time required under the terms of the grant agreement;
• Data of subgrantees, subcontractors, and vendors will be kept for the duration of the contract or agreement and the length of time required by the donor;
• Employee data will be held for the duration of employment and then 5 years after the last day of employment.
• Data associated with employee wages, leave and pension shall be held for the duration of employment plus 5 years, with the exception of pension eligibility and retirement beneficiary data which shall be kept for 50 years;
• Recruitment data, including interview notes of unsuccessful applicants, will be held for 3 years after the closing of the position recruitment process;
• Consultant (both paid and pro bono) data will be held for the duration of the consulting contract plus 5 years after the end of the consultancy.
• Board member data will be held for the duration of service on the Board plus 5 years after the end of the member’s term;
• Data associated with tax payments (including payroll, corporate and VAT)will be held for 5 years;
• Operational data related to program proposals, reporting, and program management will be held for the period required by the NDI donor, but not more than 15 years.

It is recognized that NDI operates internationally. If required by local law, NDI shall retain the above information for the minimum time required to comply with local law and then follow data destruction noted below. 

Data destruction ensures that NDI manages the data it controls and processes in an efficient and responsible manner. When the retention period for data as outlined above expires, NDI will actively destroy the data covered by this policy. Unless otherwise noted above, all data, including email and items shared on cloud servers, is expected to be deleted. In order to help ensure compliance with data retention provisions, cumulative email and cloud storage above 30GB per NDI user account require authorization from the Director of Technology and NDI Legal Counsel. If an individual believes that there exists a legitimate business reason why certain data should not be destroyed at the end of a retention period, he or she should identify this data to his/her supervisor and provide information as to why the data should not be destroyed.