| Policy identification number: IT-0003 | |
File: Information Technology Policies | ||
Disposal of Personally Identifiable Information | ||
Policy Summary This policy establishes the requirements and responsibilities for the disposal of papers and electronic documents that contain Personally Identifiable Information (PII). | ||
Policy Owner Vice President, Finance & Adminsitration | Approval Date January 30, 2019 | Effective Date January 30, 2019 |
Search Terms disposal, personally, identifiable, information, vpfa, d | Scheduled for Review Spring 2024 | |
I. GeneralPapers and electronic documents that are identified as containing PII will be disposed of when they are no longer needed. These papers and electronic documents will be redacted or disposed of so that the PII contained in them will be made unreadable or indecipherable through any means. Per the FLC Information Technology Security policy, personnel designated as “stewards” (as defined in the Information Technology Security policy), or a designee assigned to a functional area, department, or office, by the appropriate Vice President are responsible for:
|
II. Determining Eligibility for DisposalPaper and electronic documents that contain Personally Identifiable Information will be disposed of when no longer needed or according to the specifications detailed in the Colorado State Archives Records Management Manual for Higher Education, Schedule 8. The retention guidelines presented in Schedule 8 can be superseded because of litigation holds, or other State and Federal regulations/laws. In these circumstances, any paper, electronic documents, or computer hardware will be retained as directed by the Attorney General’s Office or at the discretion of the Information Technology department. |
III. Disposal of Personally Identifiable InformationWhen no longer needed, paper documents that contain PII will be destroyed by shredding, erasing or otherwise modifying so that the PII contained within is made unreadable or indecipherable through any means. When eligible for disposal, electronic documents that contain PII will be destroyed by erasing, deleting, or otherwise modifying so that the PII contained within is made unreadable or indecipherable through any means. When no longer needed, physical computer drives or mobile devices that contain PII will be destroyed or rendered unreadable by the Information Technology Department, or a designated vendor in accordance with technical guidelines for media sanitization as presented in the National Institute of Standards and Technology Special Publication 800-88. |
IV. Reason for PolicyThe proper and timely disposal of electronic documents and paper that contain Personally Identifiable Information is required by Colorado Revised Statutes C.R.S. § 24-73-101. |
V. ResponsibilitiesFor following the policy: All employees and contracted vendors For enforcement of the policy: Information Security Officer For oversight of the policy: Vice President for Finance & Administration For notification of policy: Policy Librarian |
VI. DefinitionsElectronic Documents: Electronics documents are created and stored on a computer system or application. Common types electronic documents include emails, database tables and reports, web pages, spreadsheets, text files, presentations, and digital images. Personally Identifiable Information (PII): as defined in the Data Classification Policy |
VII. Cross-Referenced PoliciesHigher Education Records Schedule 8 of the Colorado State Archives Records Management Manual 6-12: Information Technology Security NIST Special Publication 800-88: Guidelines for Media Sanitization |
VIII. Revision HistoryNew policy - January 2019 |