Data Backup Retention and Recovery Policy


Policy No.:ETP-O-28-1                                                                                                                                                                                           Effective:18 Mar, 2012 


KSAU-HS           King Saud bin Abdulaziz University for Health Sciences

UNIVERSITY       King Saud bin Abdulaziz University for Health Sciences

EDUTECH            CorporateOffice of Educational Technology Services

IT                      Information Technology

USER                 Any student, faculty, supporting staff or third party, who is granted an account to use KSAU-HS electronic resources or systems.

MANAGER          Manager, Network and Internet support or other authorized personnel who are in charge of the Data Center operation.

OWNERS            The personnel who operate and run a specific system or applications and are responsible for its functionality and operation.

OPERATOR        The backup or computer operation personnel who is responsible to operate computing devices and ensure its availability and functionality.


This policy guides the frequency and type of data backups.  It also addresses the length of time that backups must be retained and mandates the policies for disaster recovery.


The policy applies to all devices that hold or accumulate data in the support of University operations, which includes Data Storage, Databases, Servers, Network Devices, Security Devices, desktops, and notebooks, all users who process or store information owned by KSAU-HS, and all users responsible for data backup procedures and disaster recovery. 


  • Policy ETP-08-1 Business Continuity Planning Policy



  • Data backups will be made of all devices that contain or collect data, to include at a minimum the following devices:
  1. Servers and their internal disks.
  2. Storage Area Networks.
  3. Network switches
  4. Network Devices
  5. Network Controllers.
  6. Security Devices
  7. Desktop PCs.
  8. Notebook PCs.

Types of Data

  • Personal data is not to be stored on University equipment.
  • Confidential data—must be identified. The label on the backup media must   include what data it contains and the appropriate retention period. Care must be taken to ensure the data is securely stored.
  • Critical data—must be identified. The label on the backup media must include what data it contains and the appropriate retention period. Quick access to this data is required in the event of a disaster.
  • Non-critical data—must be identified. Non-critical data is not required to be retained for a set period of time. Typically this data is deleted after 3 months. The label on the backup media must include what data it contains and the appropriate retention period.

Data Backup Frequency

The frequency of data backups is determined by how frequently and how much a data storage element changes. Data backup will be conducted as follows:

  • Full backups weekly: all data is backed up weekly and retained for 6 months.
  • Incremental backups: conducted daily for data which changes frequently.  These are retained for 3 months.
  • DVD/Blueray Disc Backups: Used for immediate backup of critical data that cannot be reconstructed from daily backups.

Data Retention

  • The retention period is determined by the data element with the longest required retention period on that backup media. If the contents of the media are not known, then the media must be retained for a minimum of six months.

Offsite Storage

  • The back-up media, together with the back-up record, should be stored safely in a remote location, at a sufficient distance away to escape any damage from a disaster at the Data Center.
  • Data backups will be transported off site as the media set becomes filled.
  • Quarterly, the Data Center Operations will audit the offsite storage process to ensure that the storage facility is secure, and proper documentation is made making it possible to retrieve the right media.

Desktop Backups

  • The responsibility for backing up data held on the workstations of individuals regardless of whether they are owned privately or by the University falls entirely to the User.
  • All network users using personal workstations/laptops should ensure that their data is backed up using one or a combination of the following methods:
  1. Backing-up to a local device e.g. removable or optical disks.
  2. Copying  critical data on a regular basis to a remote server that is properly backed up by EduTech Operations.
  3. Backups should be scheduled regularly.
  4. All users should backup their data before updating or upgrading software on their computer.

Disaster Recovery

  • A disaster recovery plan can be defined as the on-going process of planning, developing and implementing disaster recovery management procedures and processes to ensure the efficient and effective resumption of vital University functions in the event of an unscheduled interruption.
  • All disaster recovery plans must contain the following key elements:
  1. Critical Application Assessment
  2. Backup Procedures
  3. Recovery Procedures
  4. Implementation Procedures
  5. Test Procedures
  6. Plan Maintenance


  1. Operation Manager is responsible for making and retaining an adequate number of data backup "safety" copies. He may create further policies and procedures and delegate authority to implement them.
  2. Operations Manager is responsible to review the backup report, review the security of backup media, periodically review and update the backup schedule, disaster recovery plan and periodic testing of the recovery plan.
  3. Owners are responsible to make sure that the data corresponding to their system/Application is backed up as per the approved backup schedule. 
  4. Operators are responsible for creating backup jobs, monitor and report the backup jobs, moving the backup media to an offsite storage location, testing the backed up data and testing the recovery plan.
  5. Users are responsible for the data stored in their personal computers. If the data is critical and needs to be backed up, the user should request to backup the file repository or keep the data in a centralized storage which is backed up regularly.

Approved By:

Director Corporate, Educational Technology Service
King Saud bin Abdulaziz University for Health Sciences


Related Links