Data Retention in Voting

Data retention in voting refers to the policies and practices governing how long election-related data is stored after an election concludes. Organizations must balance the need to preserve records for legal compliance, dispute resolution, and audit purposes against the obligation to delete personal data when it is no longer necessary — particularly under the GDPR.

What is data retention in voting?

Every online election generates data: voter rolls, authentication logs, encrypted ballots, results, and system logs. Data retention policies define how long each category of data is kept, how it is protected during storage, and when and how it is securely deleted. These policies must comply with applicable law while supporting the organization's governance needs.

Types of election data

Online elections produce several categories of data with different retention requirements:

  • Voter registration data: Names, email addresses, eligibility status
  • Authentication logs: Login records, two-factor authentication events
  • Ballot data: Encrypted votes and associated cryptographic proofs
  • Result data: Vote tallies, majority calculations, outcome records
  • System logs: Technical logs of platform operations and events
  • Election protocols: Formal documentation of the election process
  • Communication records: Invitations, reminders, and notifications sent to voters

Retention requirements vary by jurisdiction and organization type:

  • Corporate law: Shareholder voting records may need to be retained for 10 years or more
  • Association law: Meeting minutes and election results are often required to be kept for the organization's lifetime
  • Employment law: Works council election records may have specific retention periods
  • Tax law: Financial decisions approved by vote may need to be retained for tax compliance
  • Election regulations: Some jurisdictions specify minimum retention periods for election records

GDPR and data retention

The GDPR's storage limitation principle (Article 5(1)(e)) requires that personal data be kept only as long as necessary for the purpose for which it was collected. For election data, this means:

  • Voter personal data should be deleted after the election purpose has been fulfilled
  • Retention must be justified by a specific legal basis
  • Data subjects (voters) must be informed about retention periods
  • Anonymization should be considered as an alternative to deletion where aggregate data is still needed

Retention periods by data type

Different data categories warrant different retention periods:

  • Voter personal data: Delete after the challenge period expires (typically 30–90 days post-election)
  • Authentication logs: Retain for the duration of any potential dispute period
  • Encrypted ballots: Retain until results are certified and any challenge period has passed
  • Result data: Retain for the organization's required archival period (often years)
  • Election protocols: Retain permanently as part of organizational records
  • System logs: Retain for a limited period for technical troubleshooting (30–90 days)

Secure data storage

During the retention period, election data must be stored securely:

  • Encryption at rest: All stored data should be encrypted
  • Access controls: Only authorized personnel should access election data
  • Segregation: Election data should be stored separately from other organizational data
  • Backup protection: Backups must be subject to the same retention and deletion policies
  • Geographic location: Data hosting location must comply with cross-border transfer rules

Data deletion procedures

When the retention period expires, data must be securely deleted:

  • Cryptographic erasure: Destroying encryption keys makes encrypted data permanently inaccessible
  • Secure overwriting: Multiple overwrite passes ensure data cannot be recovered
  • Certificate of deletion: Documenting that deletion was performed correctly
  • Backup cleanup: Ensuring deleted data is also removed from backups
  • Verification: Confirming that deletion was complete and irreversible
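The retention periods above and the deletion procedure that follows them can be expressed as one scheduler. The following is an added example, not code from the original page or from any voting platform: it assigns each record a category with a retention period measured from the election end, honours a legal hold for records under dispute, performs deletion by destroying the data-encryption key (cryptographic erasure), and writes a hash-chained certificate of deletion that a later audit can verify. The retention periods in RETENTION_DAYS, the record layout, the key ids and the sample records are all constructed for illustration.

```python
"""Retention scheduler with cryptographic erasure (constructed example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from hashlib import sha256
import json
import secrets

# Retention period per data category, in days after the election ends.
# None means retain permanently. These periods are assumptions chosen to
# match the ranges in the text (30-90 day challenge period, multi-year results).
RETENTION_DAYS = {
    "voter_personal": 90,
    "auth_log": 90,
    "encrypted_ballot": 90,
    "result": 365 * 10,
    "election_protocol": None,
    "system_log": 30,
}


@dataclass
class Record:
    record_id: str
    category: str
    election_end: date
    key_id: str            # data-encryption key the stored payload is wrapped under
    legal_hold: bool = False


class KeyStore:
    """Holds data-encryption keys. Destroying a key is the cryptographic
    erasure step: every payload encrypted under it becomes unreadable."""

    def __init__(self):
        self._keys = {}

    def create(self, key_id):
        self._keys[key_id] = secrets.token_bytes(32)

    def exists(self, key_id):
        return key_id in self._keys

    def destroy(self, key_id):
        self._keys.pop(key_id, None)


def expiry_date(record):
    days = RETENTION_DAYS[record.category]
    return None if days is None else record.election_end + timedelta(days=days)


def is_due(record, today):
    """Due for deletion when the period has expired and no legal hold applies."""
    if record.legal_hold:
        return False
    exp = expiry_date(record)
    return exp is not None and today >= exp


def append_entry(audit_log, entry):
    """Chain each certificate to the previous one so later tampering is detectable."""
    prev = audit_log[-1]["entry_hash"] if audit_log else "0" * 64
    body = json.dumps(entry, sort_keys=True)
    audit_log.append(dict(entry, prev_hash=prev,
                          entry_hash=sha256((prev + body).encode()).hexdigest()))


def verify_log(audit_log):
    """Recompute the chain; False if any entry was altered, removed or reordered."""
    prev = "0" * 64
    for e in audit_log:
        payload = {k: v for k, v in e.items() if k not in ("prev_hash", "entry_hash")}
        expected = sha256((prev + json.dumps(payload, sort_keys=True)).encode()).hexdigest()
        if e["prev_hash"] != prev or e["entry_hash"] != expected:
            return False
        prev = e["entry_hash"]
    return True


def run_deletion(records, keys, today, audit_log):
    """Destroy each key whose records are all due, then log one certificate of
    deletion per destroyed key. Returns the destroyed key ids in order."""
    by_key = {}
    for rec in records:
        by_key.setdefault(rec.key_id, []).append(rec)
    destroyed = []
    for key_id, group in by_key.items():
        # Key granularity is erasure granularity: one held or not-yet-due record
        # under this key blocks destruction for the whole group.
        if not keys.exists(key_id) or not all(is_due(r, today) for r in group):
            continue
        keys.destroy(key_id)
        destroyed.append(key_id)
        append_entry(audit_log, {
            "key_id": key_id,
            "categories": sorted({r.category for r in group}),
            "record_count": len(group),          # counts only, no voter identities
            "deleted_on": today.isoformat(),
            "method": "cryptographic erasure",
            "verified": not keys.exists(key_id),  # the verification step
        })
    return destroyed


def demo(today=None):
    """Constructed data set: one election that ended on 2024-03-01."""
    end = date(2024, 3, 1)
    today = today or end + timedelta(days=90)
    records = [
        Record("v1", "voter_personal", end, "el-2024-voter"),
        Record("v2", "voter_personal", end, "el-2024-voter"),
        Record("a1", "auth_log", end, "el-2024-auth", legal_hold=True),  # open dispute
        Record("a2", "auth_log", end, "el-2024-auth"),
        Record("s1", "system_log", end, "el-2024-sys"),
        Record("r1", "result", end, "el-2024-result"),
        Record("p1", "election_protocol", end, "el-2024-protocol"),
    ]
    keys = KeyStore()
    for key_id in {r.key_id for r in records}:
        keys.create(key_id)
    log = []
    destroyed = run_deletion(records, keys, today, log)
    return destroyed, keys, log


if __name__ == "__main__":
    destroyed, _, log = demo()
    print("destroyed keys:", destroyed)
    print("certificate chain valid:", verify_log(log))
```

Two design points matter in practice. First, the key boundary decides what one erasure removes: keying per election and per category (as here) lets voter data go while results stay, but an open dispute on a single authentication record keeps that whole category's key alive, so keys should be no coarser than the smallest unit you may need to hold. Second, because key destruction also covers backups and replicas that hold the same ciphertext, it is the only one of the listed methods that reaches every copy without touching each one; overwrite passes only help where you can address the physical medium, which is rarely the case on SSDs or in cloud storage.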

Audit trail preservation

While voter personal data should be deleted according to retention schedules, certain audit trail elements may need to be preserved longer for governance purposes. The challenge is to maintain enough information to demonstrate that the election was conducted properly while removing data that could identify individual voters or their choices.

Challenges in data retention

Organizations face several challenges in managing election data retention:

  • Conflicting requirements: Different laws may specify different retention periods for the same data
  • Ongoing disputes: Legal challenges may require extending retention beyond standard periods
  • Technical complexity: Ensuring complete deletion across all systems and backups
  • Cross-border considerations: International organizations may face varying requirements by jurisdiction
  • Legacy data: Historical election data from before retention policies were established

Best practices for election data management

Organizations should:

  • Establish a clear data retention policy before conducting online elections
  • Document the legal basis for each retention period
  • Implement automated deletion schedules in the voting platform
  • Maintain anonymized result records separately from personal data
  • Regularly audit compliance with retention policies
  • Communicate retention practices to voters through privacy notices