Hi,
ISO13485:2016, section 4.2.5 Control of Records
"The organization shall document procedures to define the controls needed for the identification, storage, security and integrity, retrieval, retention time and disposition of records."
AKA--this is up to the organization to determine how best to meet the intent of this clause.