Status: Draft
Last Revision Date: 21 September 2023
Statement of Purpose
Clackamas Community College is subject to regulations that require the retention and availability of certain data. Best practices dictate that data is retained for the period required for compliance. However, college leadership may request certain data be retained for longer periods or indefinitely.
This is both an operational and information security issue for ITS. From an information security perspective, retained data must continue to be stored securely—even if not actively used. This may require different techniques than normal operations, as the data may be archived or otherwise maintained differently from active data. Additionally, data retained beyond the required period represents an unnecessary information security risk (i.e., a breach of archived data has the same implications for the college as a breach of active data).
Policy Summary
Regardless of storage location, all controlled sensitive data shall be retained for as long as required by legal, regulatory, and business requirements or as specified by the data owner (whichever is longer).
Policy
- The data owner shall establish the regulatory retention length in accordance with state and federal laws or other regulations governing a public institution.
- If data retention requirements are not explicitly documented, the Data Steward shall not dispose of any data without approval from the data owner.
- All controlled sensitive data that has passed its required retention period shall be deleted from Clackamas Community College electronic storage.
- All hardcopy controlled sensitive data that has passed its required retention period shall be disposed of using methods that meet or exceed the most stringent minimum standards of the legal or regulatory bodies with which Clackamas Community College must comply.
- Media containing controlled sensitive data that has passed its required retention period shall be disposed of in a secure and safe manner, following industry best practices.
- Outsourced destruction of media containing controlled sensitive data shall be performed by a bonded disposal vendor that provides a certificate of destruction.
- Controlled sensitive data shall be deleted from copying and communications equipment before such equipment is provided to any vendor for trade-in, servicing, or disposal.
- Clackamas Community College shall randomly sample sanitized media to ensure proper destruction.
Exemptions
Data owners, with Leadership Cabinet approval, may request an extension of retention periods beyond compliance requirements.
Exceptions
Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO).