Policy 925 - Record Retention and Data Disposal Policy

Section: Information Technology
Policy Number: 925
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 5/1/19

Policy Statement

The purpose of the Record Retention and Data Disposal Policy is to establish mandatory University-wide records retention and disposal plans as part of an overall records management program that applies to all departments and authorized users at St. John’s University (St. John’s).  This policy outlines the practices for managing, maintaining, and disposing of records in an orderly, reasonable, and lawful manner. 

Scope and Applicability

This policy applies to the University Community. Adherence to this policy helps safeguard the confidentiality, integrity and availability of the University’s information assets, and protects the interest of the University, its customers, personnel and business partners.

Policy

Record Retention

Records are classified as follows:

  • Active
  • Archived for Retention 
  • Prepared for Disposal

Active records are those that are currently being used in the operations and transactions of the business or are otherwise part of current activities such that they need to be organized, classified, and maintained in a form suitable for fast and reliable access for individuals authorized to use the records.  Active records are stored in a primary storage medium, such as accessible file cabinets for paper, and disk storage for electronic records. 

Disposition

A review of the record is conducted after the expiry of the retention period or, if that is not feasible, the record is retained, and a later review date is set. The review is conducted by the appropriate personnel in consultation with relevant stakeholders.

Decisions must not be made with the intent of denying access or destroying evidence.

Data Disposal 

Once a record is no longer active, it may be archived for a period of time as set forth in the St. John’s Records Retention Schedule.  

To reduce records storage requirements and associated costs, all records that have no such value to St. John’s are destroyed on a regular basis.  If a class of records is not referenced in the Records Retention Schedule, it is considered as having no value for retention and is destroyed once the record’s immediate purpose is completed. Such records may include the following:

  • Extra copies of records that have no value.
  • Publications, trade journals, and magazines that require no action and have no value as defined above.
  • Correspondence, memos, and interoffice communications that have been completed and have no further value as defined above.
  • Drafts of documents on which no action was taken and that require no follow-up.
  • Personal email messages and other documents not relating to St. John’s business.

Destruction of Records Containing Confidential Information: Records are destroyed in a manner that ensures the confidentiality of the records and renders the information unrecognizable. The approved methods to destroy records include:

  • Shredding
  • Burning
  • Pulping
  • Pulverizing
  • Magnetizing

Disposal of Electronic Media: All external media are sanitized or destroyed in accordance with industry standard compliant procedures.

  • Do not throw any media containing sensitive, protected information in the trash.
  • Return all external media to your supervisor.
  • External media must be wiped clean of all data.  The [Insert Appropriate Personnel] have very definitive procedures for doing this – so all external media must be sent to them.
  • The final step in this process is to forward the media for disposal by a certified destruction agency.

Disposal of IT Assets: Department managers coordinate with the IT Department on disposing of surplus property that is no longer needed for business activities.

PCI DSS compliance requires that cardholder data is handled uniquely and independently of other data classifications. For cardholder data the following requirements are fulfilled:

  • Sensitive Authentication Data (SAD) are rendered unrecoverable upon completion of the authorization stage of the payment process. 
  • SAD is the following information on credit/debit cards:
    • Full Track Data – Magnetic strip on the back of the card or the chip on the front of the card.
    • CAV2/CVC2/CVV2/CID – The three or four digit value, typically on the back of the card next to the signature section.
    • PIN/PIN BLOCK – Personal identification number entered by the cardholder during a card-present transaction, and/or encrypted PIN block present within the transaction message.
  • Primary Account Number (PAN) should only be stored if explicit authorization has been granted by the CIO. If the PAN is stored, the following requirements must be met:
    • The PAN is masked when displayed. The maximum number of digits permitted to be displayed are the first 6 and last 6 digits.
    • Access to the full sixteen digits of the PAN is only available to roles required to do so for legitimate business reasons. 
    • The PAN is rendered unreadable anywhere it is stored.
    • PANs are never sent via end to end user messaging.

Definitions

The following are the definitions relevant to the policy:

  • Record: Information created, received, and maintained by an organization or person in the transaction of business or in pursuance of legal obligations. 
  • Computing Resources: All University information processing resources including all University owned, licensed, or managed computing services, hardware, software, and use of the University network via physical or wireless connection regardless of the ownership of the computer or device connected to the network.
  • Institutional Data: All data owned or licensed by the University.
  • University Community: Includes faculty, administrators, staff, student workers, graduate/technical assistants, alumni, interns, guests or agents of the administration, external individuals and organizations accessing University network services, and other authorized users.

Compliance

The University reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance must be presented to and reviewed and approved by the CIO, the Director of Information Security, or the equivalent officer(s).

All breaches of information security, actual or suspected, must be reported to, and investigated by, the CIO and the Director of Information Security.

Those who violate security policies, standards, or security procedures are subject to disciplinary action up to and including loss of computer access and appropriate disciplinary actions as determined by the University.

Related Policies, Standards or Regulations

  • 906 Email Policy
  • 920 Asset Management Policy
  • Records Retention Schedule