Data Storage Policy

All institutional data will be handled in a manner consistent with its sensitivity, specific requirements, and industry best practices. Data classification plays a crucial role in making informed decisions regarding data storage and retention. Unnecessary non-authoritative data, including duplicate copies, outdated records, and non-business-related files, must be removed from operational locations when they are no longer required. This not only conserves IT resources but also prevents the potential compromise of sensitive data in these sources, which may not have the same level of protection as authoritative masters. The objective of this policy is to provide guidance on the standards and procedures for the storage, archiving, and disposal of institutional data. The Records Retention Specialist, in their functional role, keeps abreast of record retention requirements and advises both functional and technical areas accordingly. Security Assurance conducts reviews and assessments of functional areas to ensure compliance with documented policies and procedures. Specific Provisions – Data on Protected Storage:

Data classified as “Protected Confidential” will only be stored in approved locations and on approved equipment or storage facilities.

On-roll employees should refrain from creating duplicate copies or shadow files of authoritative data resources.

Temporary duplicate copies of electronic data, created for legitimate reasons, must be protected in the same manner as authoritative data and removed promptly.

Standards for storing electronic data containing sensitive information should be established and periodically reviewed.

Standards for storing hardcopy data containing sensitive information should be established and periodically reviewed.

Security Assurance should conduct periodic reviews to ensure compliance with data management policies, standards, and procedures.

Data Backups and Off-site Storage:

All data stored on our IT Resources will be regularly backed up in accordance with data classification standards.

Backups of data that, if lost, would impact the operation or viability of the company’s confidential matters will be taken off-site or securely stored off-site in a timely manner.

Any backup media containing confidential data taken off-site or backup data sent off-site will be encrypted.

The necessity of retaining data in specific locations will be continually assessed.

Data no longer required for routine operations but needing retention will be archived promptly.

Criteria for deciding when data can be archived and procedures for archiving data will be developed by management and IT supervisor representatives.

Data Retention

Data Stewards and Data Managers will be well-versed in standards and procedures regarding data retention.

Procedures will be developed to ensure that required data is always accessible, particularly as backup media ages, supported media changes, data formats evolve, and security controls are updated.

Data Disposal

The necessity of retaining operational and archived data will be reviewed continuously.

Data no longer needed for routine operations and not requiring archival will be securely destroyed in a timely manner.

Archived data that no longer needs to be retained will be destroyed in compliance with state record retention policies.

Data managers, in collaboration with functional Record Retention Specialists, will establish procedures for disposing of data in accordance with monthly and yearly record retention schedules.

Additional Guidelines

When data is stored on paper, it should be securely kept where unauthorized individuals cannot access it. This also applies to printed electronic data.

Printed materials should be securely disposed of, preferably through shredding.

Electronically stored data must be safeguarded against unauthorized access, accidental deletion, and cyber threats.

Data should be protected by periodically changed AD passwords that are not shared between employees.

Removable media containing data should be securely locked away when not in use.

Data should only be stored on designated drives and servers.

Servers containing personal data should be located in secure environments.

Data should be regularly backed up and tested according to company backup procedures, either on authorized shared drives accessible via the company LAN or VPN, or on One Drive.

All servers and computers containing data should be equipped with approved security software and firewalls.