Policy 925 - Record Retention and Data Disposal Policy

Section: Information Technology
Policy Number: 925
Responsible Office: Information Technology
Effective Date: 5/1/19
Revised: 5/1/19; 6/11/20; 5/23/22

Policy Statement

The purpose of the Record Retention and Data Disposal Policy is to establish mandatory records retention and disposal plans as part of an overall records management program that applies to all departments and authorized users at St. John’s University (St. John’s). This policy outlines the practices for managing, maintaining, and disposing of records in an orderly, reasonable, and lawful manner.

Scope and Applicability

This policy applies to the University community. Adherence to this policy helps safeguard the confidentiality, integrity, and availability of St. John’s information assets, and protects the interests of St. John’s, its customers, personnel, and business partners.

Policy

Record Retention

Records are classified as follows:

  • Active
  • Archived for Retention
  • Prepared for Disposal

Active records are those that are currently being used in the operations and transactions of the business or are otherwise part of current activities such that they need to be organized, classified, and maintained in a form suitable for fast and reliable access for individuals authorized to use the records.

Use of Cryptography

Encryption keys used to encrypt data must be securely stored for the life of the relevant data in accordance with the 913 – Cryptography Policy and Standards.

Disposition

A review of the record is conducted after the expiry of the retention period or, if that is not feasible, the record is retained, and a later review date is set. The review is conducted by the appropriate personnel in consultation with relevant stakeholders.

Decisions must not be made with the intent of denying access or destroying evidence.

Data Disposal

Once a record is no longer active, it may be archived for a period as set forth in the St. John’s Records Retention Schedule. 

To reduce records storage requirements and associated costs, all records that have no such value to St. John’s are destroyed on a regular basis. If a class of records is not referenced in the Records Retention Schedule, it is considered as having no value for retention and is destroyed once the record’s immediate purpose is completed. Such records may include the following:

  • Extra copies of records that have no value
  • Publications, trade journals, and magazines that require no action and have no value as defined above
  • Correspondence, memos, and interoffice communications that have been completed and have no further value as defined above
  • Drafts of documents on which no action was taken and that require no follow-up
  • Personal email messages and other documents not relating to St. John’s business

Disposal of Electronic Media: All external media are sanitized or destroyed in accordance with industry standard compliant procedures.

  • Do not throw any media containing sensitive, protected information in the trash.
  • Return all external media to your supervisor.
  • External media must be wiped clean of all data. The Office of IT has very definitive procedures for doing this, so all external media must be sent to them.
  • The final step in this process is to forward the media for disposal by a certified destruction agency.

Disposal of IT Assets: Department managers coordinate with the Office of IT on the disposal of surplus property that is no longer needed for business activities.

PCI DSS compliance requires that cardholder data is handled uniquely and independently of other data classifications. For cardholder data, the following requirements must be fulfilled:

  • Sensitive Authentication Data (SAD) are rendered unrecoverable upon completion of the authorization stage of the payment process. 
    • SAD is the following information on credit/debit cards:
      • Full Track Data – Magnetic stripe on the back of the card or the chip on the front of the card.
      • CAV2/CVC2/CVV2/CID – The three- or four-digit value typically on the back of the card next to the signature section.
      • PIN/PIN BLOCK – Personal identification number entered by the cardholder during a card-present transaction, and/or encrypted PIN block present within the transaction message.
  • Primary Account Number (PAN) should only be stored if explicit authorization has been granted by the CIO. If the PAN is stored, the following requirements must be met:
    • The PAN is masked when displayed. The maximum number of digits permitted to be displayed are the first six and last six digits.
    • Access to the full 16 digits of the PAN is only available to roles that require it for legitimate business reasons.
    • The PAN is rendered unreadable anywhere it is stored.
    • PANs are never sent via end to end user messaging.

Definitions

The following are definitions relevant to the policy:

  • Record: Information created, received, and maintained by an organization or person in the transaction of business or in pursuance of legal obligations 
     
  • Computing Resources: All University information processing resources, including all University owned, licensed, or managed computing services, hardware, software, and use of the University network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network
     
  • Institutional Data: All data owned or licensed by the University
     
  • University community: Includes faculty, administrators, staff, student workers, graduate/technical assistants, alumni, interns, guests, or agents of the administration, external individuals, and organizations accessing University network services, and other authorized users

Compliance

St. John’s reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of noncompliance must be presented to, and reviewed and approved by, the Chief Information Officer (CIO), the Director of Information Security, or the equivalent officer(s).

All breaches of information security, actual or suspected, must be reported to, and investigated by, the CIO and the Director of Information Security.

Those who violate security policies, standards, or security procedures are subject to disciplinary action up to and including loss of computer access and appropriate disciplinary actions as determined by St. John’s.

Related Policies, Standards, or Regulations