- Created by Justin Lytle - Admin, last modified by Dwyer, Dana on Sep 14, 2020
Policy identification number: IT-0003
File: Information Technology Policies
Disposal of Personally Identifiable Information
This policy establishes the requirements and responsibilities for the disposal of papers and electronic documents that contain Personally Identifiable Information (PII).
Vice President, Finance & Adminsitration
January 30, 2019
January 30, 2019
disposal, personally, identifiable, information, vpfa, d
Scheduled for Review
Papers and electronic documents that are identified as containing PII will be disposed of when they are no longer needed. These papers and electronic documents will be redacted or disposed of so that the PII contained in them will be made unreadable or indecipherable through any means.
Per the FLC Information Technology Security policy, personnel designated as “stewards” (as defined in the Information Technology Security policy), or a designee assigned to a functional area, department, or office, by the appropriate Vice President are responsible for:
II. Determining Eligibility for Disposal
Paper and electronic documents that contain Personally Identifiable Information will be disposed of when no longer needed or according to the specifications detailed in the Colorado State Archives Records Management Manual for Higher Education, Schedule 8.
The retention guidelines presented in Schedule 8 can be superseded because of litigation holds, or other State and Federal regulations/laws. In these circumstances, any paper, electronic documents, or computer hardware will be retained as directed by the Attorney General’s Office or at the discretion of the Information Technology department.
III. Disposal of Personally Identifiable Information
When no longer needed, paper documents that contain PII will be destroyed by shredding, erasing or otherwise modifying so that the PII contained within is made unreadable or indecipherable through any means.
When eligible for disposal, electronic documents that contain PII will be destroyed by erasing, deleting, or otherwise modifying so that the PII contained within is made unreadable or indecipherable through any means.
When no longer needed, physical computer drives or mobile devices that contain PII will be destroyed or rendered unreadable by the Information Technology Department, or a designated vendor in accordance with technical guidelines for media sanitization as presented in the National Institute of Standards and Technology Special Publication 800-88.
IV. Reason for Policy
The proper and timely disposal of electronic documents and paper that contain Personally Identifiable Information is required by Colorado Revised Statutes C.R.S. § 24-73-101.
For following the policy: All employees and contracted vendors
For enforcement of the policy: Information Security Officer
For oversight of the policy: Vice President for Finance & Administration
For notification of policy: Policy Librarian
Electronic Documents: Electronics documents are created and stored on a computer system or application. Common types electronic documents include emails, database tables and reports, web pages, spreadsheets, text files, presentations, and digital images.
Personally Identifiable Information (PII): as defined in the Data Classification Policy
VII. Cross-Referenced Policies
Higher Education Records Schedule 8 of the Colorado State Archives Records Management Manual
6-12: Information Technology Security
NIST Special Publication 800-88: Guidelines for Media Sanitization
VIII. Revision History
New policy - January 2019