Data Retention Policy

Policy

Office
Information Technology

POLICY SUMMARY

Pratt Institute is committed to compliance with applicable legal and regulatory standards and sound business practices in managing its records.

PolicySummary
Pratt Institute is committed to compliance with applicable legal and regulatory standards and sound business practices in managing its records. In order to achieve compliance with such standards and practices, data retention procedures have been created and will be outlined in this policy.
Purpose of this Policy
This policy is intended to assist the Institute inadequately identifying, protecting, and managing the records it needs to maintain and the process of destroying records that have reached their mandatory retention periods or are no longer necessary for the operations of the Institute. This policy will help ensure that the Institute complies with all applicable laws and regulations governing records retention and eliminates unnecessary records, which cause storage bloat.
Targeted Population
In this policy, a “record” is an electronic or paper file (document, spreadsheet, database entries) that we store in our systems, including data in which employees (faculty, staff), external contractors, and students create. All legal and business documents and formal internal and external communications fall under this policy’s purview.
This Policy applies to all Pratt Institute officers, directors, employees, affiliates, contractors, consultants, advisors, or service providers that may collect, process, or access Data. It is the responsibility of all of the above to familiarise themselves with this Policy and ensure adequate compliance.
This policy applies to all information used or collected at Pratt Institute. Examples of documents, including but not limited to:

  • Emails
  • Hard copy documents &
  • Soft copy documents
  • Video and audio
  • Protected Health Information
  • Personal Information
  • Financial Information
  • Data generated by the physical access control system

Data retention period
As a general rule, we will keep all records for a minimum of 10 years. The law may oblige us to retain individual records for a more extended period. In this case, we’ll abide by the law.
Archived Data

  • A Data Steward must be appointed to maintain the data.
  • All data archived data stored on electronic backup media must be encrypted.
  • Any medium used to store data, electronic or paper, must be safeguarded appropriately and locked away.
  • When choosing a medium for storage, factors such as air exposure, moisture, excessive heat, degradation of technology, or format changes must be considered during the record’s life expectancy.
  • Paper records should be placed in a locked file cabinet or boxed. Boxes should be appropriately labeled and dated with entry and end-of-life dates and stored in a secure area.
  • Data Stewards are required to review the archived data quarterly and ensure data is still retrievable, usable, and if the information is needed.
  • Records that are not vital or required to be kept shall be disposed of immediately after it’s no longer necessary for business operations. Data stewards are responsible for disposing of the data according to approved methods discussed later in this policy.

Discarding Records
In the absence of an Investigation, Litigation, or Legal Hold, (i) Non-Records may be destroyed or disposed of upon completion of their use, and (ii) Records may be destroyed upon the termination of the applicable mandatory retention period. The appropriate method of destruction depends on the Record’s physical form or medium and subject matter or content.

  • Records that include: Private Information, Personal Identifiable Information, Financial Information, Protected Health Information, or patient-specific identifiers should be destroyed or disposed of so that the personal data cannot partially be read or reconstructed. They should not be placed in unsecured trash or recycling receptacles unless first rendered unrecognizable.
  • Physical records will be redacted, burned, pulverized, shredded, and electronic records will be destroyed or erased securely. Physical storage devices should be electronically wiped, degaussed, or physically destroyed. Absent any special instructions or unique circumstances; records generally will be destroyed at the end of their retention period; retaining any record past its mandatory retention period should be on an exception-only basis after weighing the potential usefulness of the record against risk, cost or space limitations.
  • Records belonging to EU residents must comply with the General Data Protection Regulation (GDPR). EU residents have the “right to be forgotten,” in which case the Institute is required to remove all information that is not legally or federally mandated to be maintained. For more information about GDPR, please refer to the link below: https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection

Exemptions
In some cases, exceptions to this policy must be made. In such matters, it is required that the exemptions be appropriately documented and the record must be treated and fall under the same stipulations as archived data. Exceptions must be approved by the department data stewards, manager, and IT security. If the record is cross-referenced between information systems, access should be limited to parties required to access the record. In such cases, the department steward whose department requested the extension shall maintain the record.
Cases requiring an extension may include Legal proceedings, Federal regulations such as GDPR,FERPA, GLBA, HIPAA, or any investigations.
Definitions
Personal Information: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

  • Personally identifiable information (PII): is any data that could potentially identify a specific individual. Any information that can distinguish one person from another and used for de-anonymizing anonymous data can be considered PII.
  • Financial information: refers to the nonpublic information concerning an individual’s assets, liabilities, credit, account numbers and balances, transactional data, and codes, passwords, social security numbers, tax identification numbers, driver’s license or permit numbers, and state identification card numbers.
  • Record: is an electronic or paper file (document, spreadsheet, database entries) that we store in our systems. Including files in which employees (faculty, staff), external contractors, and students create — all legal and business documents and formal internal and external communications.
  • Data Steward is a role within an organization responsible for utilizing an organization’s data governance processes to ensure the fitness of data elements – both the content and metadata. Data stewards have a specialist role that incorporates procedures, policies, guidelines, and responsibilities for administering organizations’ entire data in compliance with policy and regulatory obligations.
  • Protected Health Information is any information in a medical record that can be used to identify an individual and created, used, or disclosed in the course of providing a health care service, such as a diagnosis or treatment.

Resource Links
General Data Protection Regulation (GDPR)
https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection
Family Educational Rights and Privacy Act (FERPA)
https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
Gramm-Leach-Bliley Act GLBA
https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act
Health Insurance Portability and Accountability Act (HIPPA)
https://www.hhs.gov/hipaa/index.html
Pratt Institute’s Privacy Policy
https://www.pratt.edu/the-institute/administration-resources/information-technology/pratt-institute-privacy-policy/
Revision History
DATE SUBMITTED
NAME OF PERSON RESPONSIBLE
ROLE OF PERSON RESPONSIBLE
SUMMARY OF CHANGE
2-06-2019
DAVID SOTO
SYSTEMS SECURITY ANALYST
POLICY WAS WRITTEN
4-22-2019
DAVID SOTO
SYSTEMS SECURITY ANALYST
EDITED GRAMMATICAL ERRORS
10-09-2020
DAVID SOTO
SYSTEMS SECURITY ANALYST
EDITED FOR CLARITY
DOWNLOADS