Data Storage Policy

  1. Purpose

This policy establishes guidelines for the storage, retention, archiving, and disposal of institutional data, ensuring that all data is managed in accordance with its sensitivity, regulatory requirements, and industry best practices. Proper data classification is essential for making informed decisions regarding data storage, security, and retention.

To optimize IT resources and minimize security risks, non-authoritative, redundant, or outdated data—such as duplicate copies, obsolete records, and non-business-related files—must be removed when no longer required.

  2. Roles and Responsibilities
  • Records Retention Specialist – Monitors record retention requirements and advises functional and technical teams on compliance.
  • Security Assurance Team – Conducts periodic reviews and assessments to ensure compliance with data storage policies and security measures.
  • Data Stewards & Data Managers – Ensure proper classification, storage, retention, and disposal of data per established policies.
  3. Data Classification & Storage

3.1 Protected Data Storage

Data classified as “Protected Confidential” will be stored only in approved locations using authorized equipment and storage facilities.

  • On-roll employees should not create duplicate or shadow copies of authoritative data sources.
  • Temporary duplicate copies, if created for legitimate purposes, must be safeguarded like authoritative data and removed promptly.
  • Standards for electronic and hardcopy storage of sensitive data should be periodically reviewed and updated.
  • Security Assurance will conduct periodic audits to ensure compliance with data management policies.

3.2 Data Backups & Off-Site Storage

  • All data stored on IT resources will be regularly backed up in accordance with data classification standards.
  • Mission-critical confidential data must be backed up off-site in a timely and secure manner.
  • Any backup media containing confidential data that is taken or sent off-site must be encrypted.
  • The necessity of retaining data in specific locations will be regularly evaluated.
  • Archived data will be stored securely based on retention requirements.
  • Management and IT supervisors will develop procedures for archiving data based on predefined criteria.
  4. Data Retention & Accessibility
  • Data Stewards & Managers must adhere to established retention standards and procedures.
  • Required data must remain accessible, accounting for:
    • Aging backup media
    • Changing storage formats
    • Updated security protocols
    • Advancements in IT infrastructure
  5. Data Disposal
  • The necessity of retaining operational and archived data will be regularly reviewed.
  • Data that is no longer required for routine operations and does not need archiving must be securely destroyed.
  • Archived data no longer subject to retention requirements will be disposed of in accordance with state and regulatory record retention policies.
  • Data Managers and Records Retention Specialists will establish disposal procedures aligned with monthly and yearly retention schedules.
  6. Additional Security Guidelines

6.1 Physical & Electronic Data Security

  • Paper-based data must be stored securely, restricting unauthorized access.
  • Printed documents containing sensitive information should be securely shredded when no longer needed.
  • Electronic data must be protected against unauthorized access, accidental deletion, and cyber threats.

6.2 Access Controls & Authentication

  • Data must be secured with periodically changed AD passwords, which must not be shared among employees.
  • Data should only be stored on designated servers and authorized drives.
  • Removable media containing sensitive data must be securely locked away when not in use.
  • Servers storing personal data must be housed in secure environments with restricted access.

6.3 IT Infrastructure & Security Measures

  • All servers and computers containing data must be equipped with approved security software and firewalls.
  • Data backups must be tested regularly and stored on authorized shared drives accessible via the company LAN, VPN, or OneDrive.