Data Retention Policy (for CSIR Purposes)

2021/5/17 by CSO; approved by the ITMM

This subsidiary policy to Operational Circular No. 5 sets out the minimum period of time that all CSIR-related Digital Data that is owned, controlled and/or processed by the Organization must be stored for Computer Security Incident Reponse (CSIR) purposes.


  • "Digital Data" (or, here, short, "Data"): All data in digital format that is in the possession of, controlled by, or processed by CERN.
  • "CSIR-related Digital Data": Digital Data that constitutes or relates to activity on any CERN computing facility, including but not necessarily limited to:
    • access logs
    • application logs
    • database audit records
    • electronic communication metadata
    • network traffic data
    • user activity logs
    • web server logs


In order to enable efficient and effective Computer Security Incident Response (CSIR) at and for CERN, the CERN Computer Security Team requires all persons responsible for the management of CERN computing facilities to keep full, clear and accurate records of all its CSIR-relevant Digital Data for a minimum of 13 months from the date of the logged event. The CERN Computer Security Team reserves the right to access or take copies of such records (and any relevant encryption keys) in the course of any of its incident response activities.

The Computer Security Team keeps records of each particular CSIR investigation for up to 5 years after the closure of their investigation.


The CERN Computer Security Team can provide derogations for shorter retention periods in cases where operational constraints do not allow to store logs the full retention period (e.g. due to a very high frequency of relevant records; due to prohibitive costs of or complexity when storing relevant records; due to volatility of computing resources).

Such derogations have been currently attributed to the following services: