Data Storage Policy

All institutional data will be stored, backed-up, archived and disposed of in a manner consistent with its sensitivity, requirements and best practices. Data classification is a key component for making consistent and appropriate decisions related to data storage and retention.

Purpose & Scope

The purpose of this policy is to direct the implementation of standards and procedures for storing, archiving, and disposing of institutional data. Unneeded non-authoritative data (duplicate copies, outdated records, non-business-related files) accumulate in operational locations need to be removed when no longer needed.

Purging not only saves IT resources, but also avoids the possibility of compromising sensitive data in these sources that may not be as well protected as the authoritative masters.

Key Roles & Responsibilities

Records Retention Specialist

The functional Records Retention Specialist keep abreast of record retention requirements, and advise functional and technical areas about those requirements.

Security Assurance

Security Assurance reviews and evaluates functional areas for compliance with documented policies and procedures.

Specific Provisions

Data on Protected Storage
  • Data (Protected Confidential) will be stored only in approved locations and on approved equipment or storage facilities.
  • On-roll employees should refrain from making duplicate copies or shadow files of authoritative data resources.
  • Temporary duplicate copies of electronic data created for legitimate reasons must be protected in a like manner to the authoritative data, and removed in a timely manner.
  • Standards for storing electronic data containing sensitive data should be created and periodically reviewed.
  • Standards for storing hardcopy containing sensitive data should be created and periodically reviewed.
  • Periodic reviews should be performed by Security Assurance to ensure compliance with data management policies, standards, and procedures.
Data Backups and Off-site Storage
  • All data located on our own IT Resources will be backed-up on a regular basis consistent with data classification standards applicable to the data being backed-up.
  • Backups of data whose loss would impact the operation or viability of the company confidential matters will be taken off-site or written off-site to a secure location in a timely manner.
  • Any backup media containing confidential data taken off-site or backup data sent off-site will be encrypted.
Data Storage
  • The need to retain data in locations will be reviewed on an ongoing basis.
  • Data no longer needed for routine operations, but which must be retained, will be archived in a timely manner.
  • The management & IT supervisor representative will develop criteria for deciding when data can be archived.
  • They will also develop procedures for archiving of data.
Data Retention
  • Data Stewards and Data Managers will be knowledgeable about standards, and procedures regarding retention of data.
  • Data Managers & Record Retention Specialists will develop procedures to ensure that required data is always accessible, especially as backup media ages, previously supported media is discontinued, supported data formats and standards change, and security controls change.
Data Disposal
  • The need to retain operational and archived data will be reviewed on an ongoing basis.
  • Data no longer needed for routine operations and which need not be retained in archive will be destroyed in a timely manner.
  • Archived data which need no longer be retained will be destroyed in a timely manner in compliance with State record retention policies.
  • Data managers in collaboration with functional Record Retention Specialists will develop procedures for disposing of data in compliance with monthly & yearly record retention schedules.
IMPORTANT ADDITIONAL GUIDELINES
Paper Storage

Data stored on paper should be kept in a secure place where unauthorized people cannot access it. Printouts should be shredded and disposed off securely.

Electronic Protection

Data must be protected from unauthorized access, accidental deletion and malicious hacking attempts with AD passwords changed periodically.

Removable Media

Data stored on removable media should be kept locked away securely when not being used and only stored on designated drives and servers.

Server Security

Servers containing personal data should be sited in a secure location and protected by approved security software and firewalls.

Backup Procedures

Data should be backed up frequently with regular testing, either in authorized shared drives accessible via company LAN/VPN or on One Drive.