Page tree
Skip to end of metadata
Go to start of metadata

Fort Lewis College Official Seal

Policy identification number: IT-0003

File: Information Technology Policies

Disposal of Personally Identifiable Information

Policy Summary

This policy establishes the requirements and responsibilities for the disposal of papers and electronic documents that contain Personally Identifiable Information (PII).

Policy Owner

Vice President, Finance & Adminsitration

Approval Date

January 30, 2019

Effective Date

January 30, 2019

Search Terms

disposal, personally, identifiable, information, vpfa, d

Scheduled for Review

Spring 2024

I. General

Papers and electronic documents that are identified as containing PII will be disposed of when they are no longer needed.  These papers and electronic documents will be redacted or disposed of so that the PII contained in them will be made unreadable or indecipherable through any means.

Per the FLC Information Technology Security policy, personnel designated as “stewards” (as defined in the Information Technology Security policy), or a designee assigned to a functional area, department, or office, by the appropriate Vice President are responsible for:

  1. Determining if the papers or electronic documents they are responsible for contain PII
  2. Determining when the aforementioned papers or electronic documents are eligible for disposal
  3. Ensuring that at least once a year, papers or electronic documents containing PII that are no longer needed are disposed of or are redacted so that the PII contained in them will be made unreadable or indecipherable through any means.

II. Determining Eligibility for Disposal

Paper and electronic documents that contain Personally Identifiable Information will be disposed of when no longer needed or according to the specifications detailed in the Colorado State Archives Records Management Manual for Higher Education, Schedule 8.

The retention guidelines presented in Schedule 8 can be superseded because of litigation holds, or other State and Federal regulations/laws.  In these circumstances, any paper, electronic documents, or computer hardware will be retained as directed by the Attorney General’s Office or at the discretion of the Information Technology department.

III. Disposal of Personally Identifiable Information

When no longer needed, paper documents that contain PII will be destroyed by shredding, erasing or otherwise modifying so that the PII contained within is made unreadable or indecipherable through any means.

When eligible for disposal, electronic documents that contain PII will be destroyed by erasing, deleting, or otherwise modifying so that the PII contained within is made unreadable or indecipherable through any means.

When no longer needed, physical computer drives or mobile devices that contain PII will be destroyed or rendered unreadable by the Information Technology Department, or a designated vendor in accordance with technical guidelines for media sanitization as presented in the National Institute of Standards and Technology Special Publication 800-88.

IV. Reason for Policy 

The proper and timely disposal of electronic documents and paper that contain Personally Identifiable Information is required by Colorado Revised Statutes C.R.S. § 24-73-101.

V. Responsibilities 

For following the policy: All employees and contracted vendors

For enforcement of the policy: Information Security Officer

For oversight of the policy: Vice President for Finance & Administration

For notification of policy: Policy Librarian

VI. Definitions 

Electronic Documents:  Electronics documents are created and stored on a computer system or application.  Common types electronic documents include emails, database tables and reports, web pages, spreadsheets, text files, presentations, and digital images.

Personally Identifiable Information (PII):  as defined in the Data Classification Policy

VII. Cross-Referenced Policies 

Data Classification Policy

Higher Education Records Schedule 8 of the Colorado State Archives Records Management Manual

6-12: Information Technology Security

NIST Special Publication 800-88: Guidelines for Media Sanitization

VIII. Revision History

New policy - January 2019