Laws and regulations are violated due to data not being retained for the required duration of time or inappropriate data being stored.
The organization:
a. Retains each collection of personally identifiable information (PII) for [Assignment: organization-defined time period] to fulfill the purpose(s) identified in the notice or as required by law;
b. Disposes of, destroys, erases, and/or anonymizes the PII, regardless of the method of storage, in accordance with a NARA-approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access; and
c. Uses [Assignment: organization-defined techniques or methods] to ensure secure deletion or destruction of PII (including originals, copies, and archived records).
(1) DATA RETENTION AND DISPOSAL | SYSTEM CONFIGURATION
The organization, where feasible, configures its information systems to record the date PII is collected, created, or updated and when PII is to be deleted or archived under an approved record retention schedule.
A privacy impact assessment determines the extent and nature of PII in the organization, and appropriate handling mechanisms are defined.
No statewide control
Obtain data privacy policy and procedures; other relevant documents or records and ascertain if:
(I) the organization retains each collection of personally identifiable information (PII) for organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law;
(ii) the organization disposes of, destroys, erases, and/or anonymizes the PII, regardless of the method of storage, in accordance with a NARA-approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access;
(iii) the organization uses organization-defined techniques or methods to ensure secure deletion or destruction of PII (including originals, copies, and archived records); and
(iv) the organization, where feasible, configures its information systems to record the date PII is collected, created, or updated and when PII is to be deleted or archived under an approved record retention schedule.