DM-02-727 Data Retention and Disposal

Data Retention and Disposal

Control ID

DM-02-727

Control Name

Data Retention and Disposal

Control Category

Data Minimization and Retention

Functional Areas

Identify

Sub-Areas

Privacy and Confidentiality

NIST Baseline Level(s)

NOT SELECTED

NIST Priority

State Implementation Required

Agency Last Implemented Date

Risk Statement

Laws and regulations are violated due to data not being retained for the required duration of time or inappropriate data being stored.

Control Description

The organization: a. Retains each collection of personally identifiable information (PII) for [Assignment: organization-defined time period] to fulfill the purpose(s) identified in the notice or as required by law; b. Disposes of, destroys, erases, and/or anonymizes the PII, regardless of the method of storage, in accordance with a NARA-approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access; and c. Uses [Assignment: organization-defined techniques or methods] to ensure secure deletion or destruction of PII (including originals, copies, and archived records). (1) DATA RETENTION AND DISPOSAL | SYSTEM CONFIGURATION The organization, where feasible, configures its information systems to record the date PII is collected, created, or updated and when PII is to be deleted or archived under an approved record retention schedule.

Control Example

A privacy impact assessment determines the extent and nature of PII in the organization, and appropriate handling mechanisms are defined.

State Implementation

No statewide control

Testing Procedures

Obtain data privacy policy and procedures; other relevant documents or records and ascertain if: (I) the organization retains each collection of personally identifiable information (PII) for organization-defined time period to fulfill the purpose(s) identified in the notice or as required by law; (ii) the organization disposes of, destroys, erases, and/or anonymizes the PII, regardless of the method of storage, in accordance with a NARA-approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access; (iii) the organization uses organization-defined techniques or methods to ensure secure deletion or destruction of PII (including originals, copies, and archived records); and (iv) the organization, where feasible, configures its information systems to record the date PII is collected, created, or updated and when PII is to be deleted or archived under an approved record retention schedule.