Policies and Procedures Manual 2025-2026

3.1.36 Data Classification, Retention, Handling and Destruction

**This policy combines 3 previously submitted and approved policies: 3.1.36 Data Retention and Destruction; 3.2.7 Data Classification and Handling; and 3.2.9 Computer Media Disposal**


  1. Purpose


    Any person who uses, stores or accesses data contained in the information technology systems (either academic or administrative) of Piedmont University ("Piedmont" or “University”) has the responsibility to safeguard that data. Data classification is one method of determining the safeguard requirements for certain data and the appropriate University response to any unauthorized release of that data. Such safeguards and response plans are not only good stewardship of University data, but are required by certain state and federal laws and regulations.
  2. Scope

    This policy governs the privacy, security and integrity of University data stored on University IT systems and outlines the responsibilities of the individuals and organizational units that manage, use, access, store or transmit that data. This policy supplements, but does not supersede, the University’s Confidentiality Agreement.
  3. Policy
    1. Piedmont University IT Services maintains systems that store data essential to the performance of University business. All members of the community have a responsibility to protect University data from unauthorized access, use, storage, transmission, disclosure, or destruction.
    2. All University data is classified into four levels of security classification: Restricted (Protected) Data, Confidential (Sensitive) Data, Internal (Directory) Data, and Public Data. For the purposes of this policy, data not formally classified (Unclassified Data) will be considered Sensitive Data. For the purposes of the University’s Confidentiality Agreement, all data except Public Data is to be considered confidential.
      1. Restricted or Protected Data is data that (1) if compromised would expose members of the University and its community to a high risk of identity theft or financial fraud and (2) is protected by Federal or State law or regulations. Applicable law and regulatory requirements include (but are not limited to) the Family Educational Rights and Privacy Act (FERPA), the Fair and Accurate Credit Transactions Act (FACTA), the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), and other applicable Federal and Georgia State laws. Examples of Protected Data include, but are not limited to:
        1. Name
        2. Address (all geographic subdivisions smaller than state, including street address, city, county, and zip code)
        3. All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
        4. Telephone numbers
        5. Fax number
        6. Email address
        7. Social Security Number
        8. Medical record number
        9. Health plan beneficiary number
        10. Account number
        11. Certificate or license number
        12. Vehicle identifiers and serial numbers, including license plate numbers
        13. Device identifiers and serial numbers, Passport Number, or any State ID Number
        14. Web URL
        15. Internet Protocol (IP) Address
        16. Finger or voice print
        17. Photographic image - Photographic images are not limited to images of the face.
        18. Any other characteristic that could uniquely identify the individual
        19. Credit Card Information (Number, expiration date, security code)
        20. Users’ Systems Passwords
        21. Medical history or Disability
        22. Student and family financial history
        23. Student account balances
        24. Student Financial Aid history
        25. Student academic history, including student grades
      2. Confidential or Sensitive Data is data that, while not explicitly protected by federal or state law, is proprietary to the University and would, if released, expose the University and members of the community to a heightened risk of identity theft or financial fraud. Examples of Sensitive Data include, but are not limited to:
        1. Employee salary or employment history
        2. Permanent or local address
        3. Department budgets
        4. Student registration Personal Identification Numbers
        5. Internal operating procedures and operational manuals
        6. Internal memoranda, emails, reports and other documents
        7. Technical documents such as system configurations and floor plans
      3. Internal or Directory Data is data that the University chooses to keep private, but whose disclosure would most likely not cause material harm. It can also be data used for University communication or to link records between University systems or reports. This includes directory information that is widely available to members of the University community but should nevertheless be handled with care, since exposure could result in an increased risk of financial fraud or identity theft for the University and members of the community. Examples of Internal/Directory Data include, but are not limited to:
        1. Departmental policies and procedures
        2. Grant applications
        3. Usernames
        4. Campus wide IDs
        5. ID photos
        6. Class Rosters/Advisor Rosters

      4. Public Data is data that the University may or must make available to the public with no legal or other restrictions, via its website, reports, press releases and the like. Examples of Public Data include:
        1. Information posted on the University’s website.
        2. The University Phone Directory
        3. The University’s annual financial reports
        4. Data published in the Integrated Postsecondary Education Data System documents.
        5. Copyrighted materials that are publicly available
      5. If in doubt as to how any data should be classified among the four levels of security classification above, contact your supervisor and/or treat the information as Confidential (Sensitive) Data.
    3. The loss of, unauthorized access to, or disclosure of Restricted (Protected) Data must be reported to the appropriate University officials, including the management of the organizational unit in which the data breach was discovered, the University’s Chief Information Officer (CIO) and the Technology Helpdesk, so that the appropriate response to the incident, including any required notification of federal and state agencies, can be initiated.
    4. The loss of, unauthorized access to, or disclosure of Sensitive Data should be reported to the management of the organizational unit in which the data breach was discovered for their appropriate response.
    5. For the purposes of the University’s Confidentiality Agreement, all data except Public Data are considered confidential. Unauthorized access, disclosure or transmission of confidential information may result in disciplinary action by the University, including termination or expulsion, as outlined in the University’s Confidentiality Agreement and other relevant University policies.
    6. University data are assets belonging to the University. Departments which collect, use, store and transmit University data should classify their data according to the level of risk associated with handling that data and implement appropriate safeguards based on that risk. Data is generally stored in sets. The classification of a data set is the highest level of any data element in that set; for example, a report containing a combination of protected, sensitive, directory and public data is considered protected and must be given the safeguards appropriate for protected data. Individuals and departments must implement appropriate safeguards for accessing, transmitting and storing University data. Examples of appropriate safeguards for Protected and Sensitive Data include, but are not limited to:
      1. The data must be protected to prevent loss, theft, and/or unauthorized access, disclosure, modification, and/or destruction.
      2. The data may only be accessed or disclosed if necessary for university business purposes and consistent with applicable University policies.
      3. The data must not be downloaded, stored or transmitted unless appropriately secured and/or encrypted.
      4. The data must not be posted on any website or shared file storage space unless University standard authentication methods are used.
      5. The data must be destroyed when no longer needed and in accordance with University policies.
      6. Disposal of data should follow the guidelines stated below.

Data Handling Requirements (Receipt, Storage, Transfer and Disposal) by Classification

Restricted, Sensitive and/or Confidential

  Receipt
  • Encrypted methods (FTS or encrypted CD) must be used when receiving personal information files.
  • Special delivery mail
  • External/internal email to authorized recipients only.

  Storage
  • Internal file network/SharePoint restricted to relevant/authorized personnel only.
  • Lockable units for physical files
  • Internal email to authorized recipients only.
  • Intranet restricted to relevant personnel only

  Transfer
  • Encrypted methods (FTS or encrypted CD) must be used when transferring personal information files.
  • Internal file network/SharePoint restricted to relevant/authorized personnel only.
  • External/internal email to authorized recipients only (use FTS whenever possible).

  Disposal
  • Hard copy/electronic media destruction equivalent to shredding or certified confidential waste/recycling
  • Soft copy disposal must be in accordance with departmental procedures (archiving and deleting files) and other Piedmont protocols

Internal/Proprietary (Business Use Only)

  Receipt
  • Internal email to necessary recipients only
  • Internal file network/SharePoint restricted to relevant personnel only.
  • Intranet restricted to relevant personnel only

  Storage
  • Internal email to necessary recipients only
  • Internal file network/SharePoint restricted to relevant personnel only.
  • Intranet restricted to relevant personnel only

  Transfer
  • Internal email to necessary recipients only
  • Internal file network/SharePoint restricted to relevant personnel only.
  • Intranet restricted to relevant personnel only

  Disposal
  • Hard copy/electronic media destruction equivalent to shredding or certified confidential waste/recycling
  • Soft copy disposal must be in accordance with departmental procedures (archiving and deleting files) and other Piedmont protocols

Public (Green)

  Receipt, Storage, Transfer and Disposal
  • No restrictions

 

 

Document Retention

 

The University is committed to effective records retention to preserve its history, ensure that critical records are available to meet business needs, comply with legal requirements, optimize the use of space, minimize the cost of record retention, and ensure that outdated and useless records are destroyed.  The University requires that University records be retained for specific periods of time and has designated official repositories for their maintenance. These records should be managed according to procedures that are outlined in the Document Retention Schedule.

 

Document Retention Schedule:

Each entry lists the document type (the descriptions include, but are not limited to, the examples given), the data classification that governs its disposal, and its retention period (in years unless stated otherwise).

Controller’s Office

| Document Description | Dispose of in accordance with Data Classification | Retention Period |
|---|---|---|
| Certificates of Insurance | Proprietary | 1 year |
| Credit Card Receipts | Restricted | 3 years |
| Accounts Payable (checks, wires, EFT, disbursement records), Accounts Receivable, Annual Budget Documents, Audit Work Papers, Bank Reconciliations, Bank Statements, Cancelled Checks/Wire Transfers, Construction Contracts, Deposit Records, General Ledgers, Invoices or expense records, Monthly/Quarterly Investment Statements for Managers/Brokers, Earnings Records, Garnishment Records, Payroll Tax Records, W-2 Statements, Purchase Orders, Tax Reports (1098-T), Tax Reports (1099), Check Registers | Confidential | 7 years |
| Annual Financial Report (Audited), Bond Issue Documents, Capital Property Records, Chart of Accounts, Deeds and Titles, Fixed Assets and Asset Depreciation Schedules, Determination Letter for Income Tax Exemption, State Sales Tax Exemption Letter, Insurance Policies, Mortgage Records, Payroll Registers, Property Appraisals, Property Tax Reports, Tax Returns (Payroll), Tax Returns (990 and 990-T), Unclaimed Property | Restricted | Permanent |
| Capital Equipment Records | Proprietary | 4 years after sale of property/equipment |
| Contracts and Leases, Federal Grant Records | Restricted | 7 years after expiration |

Facilities Office

| Document Description | Dispose of in accordance with Data Classification | Retention Period |
|---|---|---|
| Construction Documents | Confidential | Permanent |

Financial Aid Office

| Document Description | Dispose of in accordance with Data Classification | Retention Period |
|---|---|---|
| Fiscal Operations Report and Application to Participate (FISAP) | Confidential | 5 years |
| The University must retain all required records for a minimum of three years from the end of the award year. However, the starting point for the three-year period is not the same for all records. For example, FFEL/DL reports must be kept for three years after the end of the award year in which they were submitted, while borrower records must be kept for three years from the end of the award year in which the student last attended. | Confidential | Minimum of three years from the end of the award year |
| The University may retain records longer than the minimum period required. Moreover, the University may be required to retain records involved in any loan, claim, or expenditure questioned in any FSA program review, audit, investigation, or other review. If the three-year retention period expires before the issue in question is resolved, the University must continue to retain all records until resolution is reached. | Confidential | Varies; the Financial Aid Office currently keeps 10 years of financial aid records, stored either in fireproof file cabinets or in the vault on the first floor of Daniel Hall. |
| Additional record retention requirements apply to universities granted waivers of the audit submission requirements. | Confidential | Varies; the Financial Aid Office currently keeps 10 years of financial aid records, stored either in fireproof file cabinets or in the vault on the first floor of Daniel Hall. |

Human Resources

| Document Description | Dispose of in accordance with Data Classification | Retention Period |
|---|---|---|
| Worker’s Compensation Claims | Confidential | 30 years |
| EEOC Investigations | Confidential | 7 years after conclusion |
| Employee Applications | Confidential | 1 year |
| Employee I-9 | Confidential | 3 years after termination |
| Retirement Records, Employee Policy Manual | Confidential | Permanent |
| Wage and Personnel Records | Confidential | 7 years after termination |

Institutional Advancement

| Document Description | Dispose of in accordance with Data Classification | Retention Period |
|---|---|---|
| Endowment Records, Gift Agreements, Scholarship Agreements, Trusts/Bequests | Confidential | Permanent |
| Gift Receipts, Deceased Files | Confidential | 7 years |
| Private Grant Records | Confidential | 7 years after expiration |
| Grant Applications (Denied/Declined) | Confidential | 3 years |

Title IX Compliance

| Document Description | Dispose of in accordance with Data Classification | Retention Period |
|---|---|---|
| Title IX Records, Investigations, Determinations, Recordings, Transcripts, Sanctions, Remedies, Appeals, Informal Resolutions, Training Materials | Restricted | 7 years |

President’s Office

| Document Description | Dispose of in accordance with Data Classification | Retention Period |
|---|---|---|
| Annual Budget (in Board Books), Articles of Incorporation, Attorney Opinion Letters, Attorney-Client Correspondence, Budget Variance Reports (in Board Books), By-Laws, Correspondence on legal and important matters, Institutional Planning Records (final planning reports, proposals, goal and objective statements, instructions and explanations of process, internal planning committee materials), Litigation Files, Court Documents and Records, and Discovery Materials (cases resulting in major policy modification, pleadings, final decisions, copies of records of the courts of cases considered historical), Minutes of Board Committee Meetings, Board Policies and Resolutions | Confidential | Permanent |

Registrar’s Office

| Document Description | Dispose of in accordance with Data Classification | Retention Period |
|---|---|---|
| Student Information System (Colleague) Student Documents, Piedmont pre-electronic printed academic transcripts for former students, Undergraduate and Graduate Catalogs, Graduation programs | Confidential | Permanent |
| Printed academic documents for currently enrolled students (maintain paper documents for the current semester, scan for permanent maintenance, then destroy the paper documents) | Confidential | Permanent for electronic documents |
| Printed academic documents for former students | Confidential | 7 years for paper; Permanent for electronic |

 

Data Destruction Policy (Paper or Electronic Media)

 

  1. Purpose

    The purpose of this procedure is to provide guidelines for the proper disposal of computer media (computer desktops, laptops, tablets, hard drives, and other storage devices). Piedmont University may store sensitive information on computer hard drives and other forms of electronic media. As this media reaches the end of its useful life, sensitive information on the media must be destroyed appropriately.

     

  2. Procedure

    Improperly disposing of computer media may expose the University to security breaches and inappropriate information disclosure risks.

     

  3. General

    The transfer or disposal of data processing equipment, such as computers and computer media, shall be controlled and managed according to the latest National Institute of Standards and Technology (NIST) Guidelines for Media Sanitization (NIST Special Publication 800-88). Simply deleting the data and/or formatting the disk does not prevent individuals from restoring the data. Sanitization removes information from the media so that data recovery using standard techniques or analysis is significantly reduced or prevented.

     

  4. Data Disposal Procedures

    All computer desktops, laptops, tablets, hard drives, and other storage devices that contain university data must be processed through The Office of Information Technology for proper disposal.

    OIT shall ensure that processes and/or procedures exist and are followed that:

    • Address the evaluation and disposal of sensitive information, hardware, and electronic media regardless of media format or type.
    • Specify procedures for making sensitive information unusable and inaccessible. These procedures should specify the use of technology (e.g., software, special hardware, etc.) or physical destruction mechanisms to ensure that sensitive information is unusable, inaccessible, and unable to be reconstructed.
    • Authorize personnel to dispose of sensitive information or equipment. Such procedures may include shredding, incinerating, or pulping hard copy materials so that sensitive information cannot be reconstructed.

    Approved disposal methods for electronic media (such as physical disks, tape cartridges, CDs, flash drives, printers, copier hard drives, etc.) include the following:

    • Physical Destruction: the destruction of media by crushing or disassembling the asset, ensuring that no data can be extracted or recreated.

    IT documentation, hardware, and storage used to process, store, or transmit Confidential, Restricted or Sensitive information shall not be released into general surplus until it has been sanitized and all stored information has been cleared using one of the above methods. Data processing equipment that accesses, stores, processes, transmits, or receives sensitive data may only be sent to sanitization, disposal, or destruction service providers who have agreed, in writing, to:

    • Maintain the confidentiality of the information.
    • Destroy, sanitize, or return any equipment or components that are still capable of storing information, in accordance with University policy.
    • Account for each asset up to the point of sanitization or destruction and disposal.
    • Certify that it has disposed of the asset in accordance with the requirements of this policy.
  5. Audit Controls and Management

    Documented procedures and evidence of practice should be in place for this administrative procedure.

  6. Enforcement

    Employees found in violation of this policy may be subject to disciplinary action.