The guideline should be based on business needs and common sense:
- I can afford it.
- If my main systems are affected, the backups are (likely) far enough away that they are not affected.
- Consider what is likely to affect you: electrical outage, fire, flood, riot, building collapse; a police investigation in the office upstairs keeps you from using your office; your landlord sells the building and locks you out without proper notice; earthquake, hacking... What is more likely and less likely?
- I can get to the backups fast enough.
  (Fast enough is up to you... how soon can you get another place with a similar computing setup that allows you to load your backed-up data and get back to business?)
- The backups are useful.
  (#1: you test them periodically; #2: your 'plan B' work site can read your tapes or disks.)
- In the event I cannot get to the backups, then somebody trusted can handle that.
- In the event that any person trusted with backup duties leaves the company, we have a security plan that changes passwords and keeps them from tampering (even if the employee is great today).
Again, it depends on your business.
If you run a small plumbing or painting shop, you can probably take home a DVD with billing & customer info. Your business might be shut down if you lose your garage / warehouse / equipment anyhow.
If you run a charter boat... similar. No boat = no business, so just keep the minimum records you need for settling accounts and taxes.
If you have an accounting / trading / education business, then you might be able to set up shop in a day or less... if you have an arrangement in place. Even then, test the backups, and test the "emergency arrangement". Do this BEFORE you really need to rely on this stuff so you reduce the number of curve balls you need to take on when disaster strikes.
If you deal with any financials, credit info, or privacy-regulated info... then you want to make sure you have an active inventory of the backup devices, data, and a written policy about the storage and destruction. Then follow it, and document that you follow it. (CYA!)
I've known IT managers who kept backups in a fire/water rated safe on the same premises.
Others took them home... or just left them in a car trunk (not good, especially in heat).
Some exchanged with local businesses... a lumber yard traded backups with a plumber down the block.
Some went as far as setting up a "mirror" system at home. The IT manager had a full (old) server in her/his basement, and could, if it was required, restore data and run a very slow version of what we normally considered web space and email.
I've considered using either a bank safety-deposit box, or using a secure mailer (water- and crush-resistant) and mailing it to a relatively secure PO Box.
Finally, if you have no way to execute a "plan B" off site, then there is no sense in killing yourself to protect the backups. Sure, you want a backup for day-to-day restore needs... but if you have no place to go if your primary site burns down, then just off-site protect enough data to CYA in case the lawyers or accountants come looking.