Data Deletion Policy

General
1

Purpose

The purpose of this policy is to define the activities associated with the provision of data retention and destruction plans and programs that protect information systems, networks, data, databases and other information assets. Additional policies governing data management activities will be addressed separately.

Scope

The scope of this data retention and destruction policy is all information technology systems, software, databases, applications and network resources needed by the Company to conduct its business. The policy is applicable to all Company employees, contractors and other authorized third-party organizations.

Statement of Compliance

This policy is designed to be compliant with the U.S. Data Protection Act of 1998, Freedom of Information Act of 2000, Fair and Accurate Credit Transactions Act of 2003, Personal Information Protection and Electronic Documents Act in Canada, Gramm-Leach-Bliley Act, and Europe’s General Data Protection Regulation.

Data retention and destruction policy compliance is managed by the IT department, with support from department leadership and subject matter experts. To achieve compliance, data retention and destruction programs must include appropriate procedures, and identify staffing and technology resources to meet compliance requirements. Compliance verification (especially for data destruction) is performed monthly by the IT department, internal audit or other appropriate entity.

Policy

The Information Technology (IT) department is responsible for managing all data retention and destruction activities for the Company. Other departments, such as Finance and Accounting, Operations and Human Resources, are also responsible for providing the IT department with their requirements for data retention and destruction. The IT department is responsible for developing, executing and periodically testing data retention and destruction procedures. The IT department also acknowledges it will comply with appropriate industry standards for data retention and destruction in its activities.

  1. The company shall develop comprehensive data retention and destruction plans in accordance with good data management practices as defined by established standards.

  2. Data retention and destruction activities shall be performed as part of the company’s data management program, which administers and manages the overall technology data management program, which includes:

o Planning and design of data retention and destruction activities;

o Identification of data retention and destruction teams, defining their roles and responsibilities and ensuring they are properly trained and prepared to perform their duties;

o Planning, design and documentation of data retention and destruction plans;

o Scheduling of updates to data retention and destruction risk analyses;

o Planning and delivery of awareness and training activities for employees and data retention and destruction team members;

o Planning and execution of data retention and destruction plan exercises;

o Designing and implementing data retention and destruction maintenance activities to ensure that plans are up to date and ready for use;

o Preparing for management review and auditing of data retention and destruction plan(s); and

o Planning and implementation of continuous improvement activities for data retention and destruction activities and plans.

  1. Formal risk assessments (RAs) and business impact analyses (BIAs) shall include requirements for data retention and destruction activities; RAs and BIAs shall be updated at least annually to ensure they are in alignment with the business and its technology requirements.

  2. Data retention and destruction plans shall address electronic data stored on electronic media such as CDs, hard disk drives, solid state disk drives, magnetic tape and other appropriate media.

  3. Data retention and destruction plans shall address data stored on non-electronic media (e.g., paper files, microfiche).

  4. Data retention and destruction plans shall address electronic information systems (e.g., servers, routers, switches) and components (e.g., cabling and connectors, power supplies, storage racks) and other assets that are currently out of production or scheduled to be phased out of production environments.

  5. Data retention plans shall establish the storage requirements and associated metrics (e.g., length of storage, type of storage media) for electronic and non-electronic information as well as systems supporting the IT infrastructure.

  6. Data destruction plans shall establish the parameters for destruction of electronic data (e.g., overwriting, reformatting, degaussing, firmware-based erasure, physical data media destruction), non-electronic data (e.g., shredding of hard copy), and systems and components (e.g., third-party destruction services).

  7. Data retention and destruction plans shall be periodically reviewed and tested in a suitable environment to ensure that data, databases, media, systems and other relevant elements can be retained or destroyed and that management and employees understand how the plans are to be executed as well as their roles and responsibilities.

  8. All employees must be made aware of the data retention and destruction program and their own roles and responsibilities.

  9. Data retention and destruction plans and other documents are to be kept up to date and will reflect existing and changing circumstances.