All institutional data will be stored, backed-up, archived and disposed of in a manner consistent with its sensitivity, requirements and best practices. Data classification is a key component for making consistent and appropriate decisions related to data storage and retention.

Unneeded non-authoritative data (duplicate copies, outdated records, non-business-related files) accumulate in operational locations need to be removed when no longer needed. Purging not only saves IT resources, but also avoids the possibility of compromising sensitive data in these sources that may not be as well protected as the authoritative masters.

The purpose of this policy is to direct the implementation of standards and procedures for storing, archiving, and disposing of institutional data. Records Retention Specialist the Functional Records Retention Specialist keep abreast of record retention requirements, and advise functional and technical areas about those requirements.

Security Assurance Security Assurance reviews and evaluates functional areas for compliance with documented policies and procedures.

Specific Provisions: Data on Protected Storage

    • Data (Protected Confidential) will be stored only in approved locations and on approved equipment or storage facilities.
    • On roll employees should refrain from making duplicate copies or shadow files of authoritative data resources.
    • Temporary duplicate copies of electronic data created for legitimate reasons must be protected in a like manner to the authoritative data, and removed in a timely manner.
    • Standards for storing electronic data containing sensitive data should be created and periodically reviewed.
    • Standards for storing hardcopy containing sensitive data should be created and periodically reviewed.
    • Periodic reviews should be performed by Security Assurance to ensure compliance with data management policies, standards, and procedures.

Data Backups and Off-site Storage

    • All data located on our own IT Resources will be backed-up on a regular basis consistent with data classification standards applicable to the data being backed-up.
    • Backups of data whose loss would impact the operation or viability of the company confidential matters will be taken off-site or written off-site to a secure location in a timely manner.
    • Any backup media containing confidential data taken off-site or backup data sent off-site will be encrypted.

Data Storage

    • The need to retain data in locations will be reviewed on an ongoing basis.
    • Data no longer needed for routine operations, but which must be retained, will be archived in a timely manner.
    • The management & IT supervisor representative will develop criteria for deciding when data can be archived.
    • They will also develop procedures for archiving of data

Data Retention

    • Data Stewards and Data Managers will be knowledgeable about standards, and procedures regarding retention of data.
    • Data Managers & Record Retention Specialists will develop procedures to ensure that required data is always accessible, especially as backup media ages, previously supported media is discontinued, supported data formats and standards change, and security controls change.

Data Disposal

    • The need to retain operational and archived data will be reviewed on an ongoing basis.
    • Data no longer needed for routine operations and which need not be retained in archive will be destroyed in a timely manner.
    • Archived data which need no longer be retained will be destroyed in a timely manner in compliance with State record retention policies.
    • Data managers in collaboration with functional Record Retention Specialists will develop procedures for disposing of data in compliance with monthly & yearly record retention schedules.


    • Data is stored on paper, it should be kept in a secure place where unauthorized people cannot access it
    • These guidelines also apply to data that is usually stored electronically but has been printed out for some reason
    • People should make sure paper and printouts are not left where unauthorized people could see them, like on a printer.
    • printouts should be shredded and disposed of securely
    • When data is stored electronically, it must be protected from unauthorized access, accidental deletion and malicious hacking attempts.
    • Data should be protected by AD passwords that are changed on a periodic basis and never shared between employees
    • If data is stored on removable media, these should be kept locked away securely when not being used
    • Data should only be stored on designated drives and servers.
    • Servers containing personal data should be sited in a secure location
    • Data should be backed up frequently- the backups should be tested regularly, in line with the company’s standard backup procedures-i.e. either in authorized shared drives which can be accessed via company LAN or VPN or on One Drive.
    • All servers and computers containing data should be protected by approved security software and firewalls