Data Storage & Disposal

  • Procedure Type: Information Technologies
  • Procedure Title: Data Storage & Disposal
  • Procedure Number: NA
  • Office Responsible: Information Technologies
  • Related Policies: Information Technologies & Resources
  • Related Procedures: NA
  • Related Laws: NA
  • HLC Criterion: NA

In accordance with the Information Security and Acceptable Use Policy, any College Data must be handled in accordance with OCC rules for records retention and minimum security standards during the entire lifecycle of acquisition, storage, and eventual destruction (if applicable).

Electronic vs. Paper Storage
The Information Security Office recommends storing records in electronic format when possible and cost-effective. (For example, the original paper files may be required for some types of documents, or there may be such a volume of stored documents that scanning them is cost-prohibitive.) Electronic storage typically facilitates backups and allows for audit logging; electronic storage is less susceptible to fire, flood, or other factors that are likely to destroy a single paper record.

Paper Records
Paper records containing Confidential or Controlled Data must be stored in an access-controlled drawer, cabinet, or room with adequate protection against theft, fire, and flooding. Paper records must be shredded when no longer needed or required. The Information Security Office recommends a cross-cut shredder that yields a shred size of no larger than ½-inch squares. Locked “shred” bins are also acceptable, if keys to access such bins are limited to the shredding vendor and authorized personnel only.

College Information Systems
Electronic records containing Confidential or Controlled Data must be stored in systems that meet the minimum security standards for servers and applications. Records must be removed when no longer needed to reduce security exposure and cost of storage. When an information system or electronic media is no longer needed or required for College use, the disk drive is physically destroyed by IT.

Personally-Owned Equipment
Electronic records stored on personally owned equipment should be moved to College Information Systems as soon as feasible.

Records Retention
Data Owners are responsible for understanding the records retention schedule applicable to data under their control, including both retention and destruction schedules. Data should not be kept longer than specified by applicable records retention requirements, unless required by litigation hold or similar preservation requirement. When no longer needed or required, the data should be destroyed according to records retention guidelines.

In the event that compliance with this data storage and disposal Procedure cannot be met, please contact to submit an exemption request which will be approved or denied by IT. Denied exemption requests may be appealed to the CIO for final decision.

Change Log

07-01-2018  Effective date
