Retention and Disposal Policy - Legal & HR 

Data retention is the process of keeping data for a set period of time, while data destruction is the process of permanently deleting data. Data retention is often used in order to comply with legal or regulatory requirements, while data destruction is often used in order to protect the privacy of individuals or to prevent data breaches.

Retention and Disposal 

Business workforce members shall store and dispose of documents, equipment, media, and other printed material containing confidential information, in a manner that; reasonably safeguards the confidentiality of the information; protects against the unauthorized use or disclosure of the confidential information; and renders the confidential information secure or appropriately destroyed.

Documents can include, but are not limited to:

  • Policies and procedures (retained for six years from the last date in effect)

  • Authorizations

  • Requests for Amendment

  • Notices of Privacy Practices (retained for six years from the last date in effect)

  • Research related documentation

  • Training records

  • Incident response documentation 

  • Privacy audit documentation

Storage of confidential data shall be kept to the minimum necessary to perform business functions and shall be kept in accordance with data retention and disposal policies. 

Management shall provide methods (shredders, secure recycling bins, etc.) for securely disposing of hardcopy/paper covered information.

Electronic media or equipment storing or accessing confidential data must be securely disposed of.

Retention of Covered Data

Confidential data shall be retained according to the procedures listed below:

  • An inventory of document types shall be incorporated in Business document retention schedule with required retention periods and specific statutory requirements noted in the document retention matrix.

  • The document retention matrix shall be updated at least annually and whenever regulations change that impact document retention requirements.

  • A copy of the document retention matrix shall be distributed to all workforce members responsible for document use and management.

  • It is the responsibility of all members of Business workforce to appropriately retain and store documents that have been identified as necessary to retain to meet regulatory and potential civil litigation requirements.

  • It is the responsibility of the privacy officer, the security officer, or designee to regularly audit retention activity to reasonably ensure all documents that are required to be retained are retained in such a way that they are accounted for and readily available if needed.

  • Inappropriate destruction of documents (e.g., destruction prior to the end of the appropriate retention period or incomplete destruction where confidential data can be restored or salvaged from documents destroyed) shall result in appropriate sanctions (see Workforce Sanctions policy).

  • Unless deemed necessary by the privacy officer, the security officer, or legal counsel, all documents shall be confidentially destroyed at the end of their required retention period.

  • The privacy officer, the security officer, or designees will reasonably ensure appropriate policies, procedures and practices have been implemented and are followed to reasonably ensure document destruction is done in such a way as to protect the privacy of the information being destroyed.

  • In the event of a civil or regulatory action involving such records, the document destruction process shall be suspended until such time that the legal or regulatory matter has been resolved.

Disposal of Covered Data in Hardcopy 

Paper/hardcopy documents shall be placed in a secure disposal bin found in various locations around Business offices. Documents in these bins are securely shredded by a third-party service to render them unreadable.

Re-use of Media 

Any media or devices containing covered data shall be securely sanitized prior to re-use according to the Sanitization procedure below. If a device/media cannot be sanitized, it must be destroyed according to the Disposal of Covered Data in Electronic Format procedure below.


Any storage media, including but not limited to, hard disk drives, USB or other removable media, or other storage devices shall be wiped by the IT department prior to disposal or reuse using DBan (Darik's Boot and Nuke according to US Department of Defense Standards. After sanitization, the results must be logged.

Disposal of Covered Data in Electronic Format 

Any electronic media, device, or other equipment containing covered data must be securely disposed of.

If a storage device is no longer needed or cannot be properly sanitized, the IT Department must securely shred or destroy the media/device ensuring that data is not recoverable.

Sanitization/Disposal Logging

Any media, device, or equipment sanitized prior to re-use or destroyed as part of the disposal process shall be logged with the following:

  • Device name

  • Type of device/media

  • Data contained on the device

  • Method for sanitization/disposal

  • The date sanitized/destroyed

  • The responsible part who disposed or securely wiped the device