Skip to main content
日本語
日本語

Data Retention and Destruction Policy

Amanda
Updated

Purpose

The purpose of this policy is to define the activities related to data retention and destruction, safeguarding MuseArrIve’s information systems, networks, data, databases, and other information assets. Additional policies governing data management will be addressed separately.

Scope

This policy applies to all information technology systems, software, databases, applications, and network resources necessary for MuseArrIve’s business operations. It is applicable to all MuseArrIve employees, contractors, and authorized third-party organizations.

Statement of Compliance

This policy aligns with the U.S. Data Protection Act of 1998, Freedom of Information Act of 2000, Fair and Accurate Credit Transactions Act of 2003, Personal Information Protection and Electronic Documents Act in Canada, Gramm-Leach-Bliley Act, and Europe’s General Data Protection Regulation.

Policy Overview

  • Data Management Responsibility:

    • The IT department manages data retention and destruction activities.
    • Other departments (Finance, Accounting, Operations, HR) provide their requirements to IT.
    • IT develops, executes, and tests data retention and destruction procedures.
    • Compliance with industry standards is a priority.

  • Data Retention and Destruction Program:

    • Includes planning, design, documentation, and risk analysis.
    • Identifies teams, roles, and responsibilities.
    • Conducts awareness training and exercises.
    • Ensures plans are up-to-date and ready for use.
    • Undergoes management review and auditing.
    • Focuses on continuous improvement.

  • Risk Assessments and Business Impact Analyses:

    • Include data retention and destruction requirements.
    • Updated annually to align with business needs.

  • Types of Data Covered:

    • Electronic data (CDs, hard drives, magnetic tape, etc.).
    • Non-electronic data (paper files, microfiche).
    • Systems/components (servers, routers, switches).

  • Retention and Destruction Plans:

    • Specify storage requirements and metrics.
    • Address electronic and non-electronic information.
    • Cover out-of-production assets.
    • Destruction parameters (overwriting, physical destruction).

  • Testing and Awareness:

    • Regularly review and test plans.
    • Ensure understanding among MuseArrIve management and employees.
    • Raise awareness of the program and individual responsibilities.

  • Document Maintenance:

    • Keep plans up-to-date to reflect changing circumstances.

 

MuseArrIve Data Retention and Destruction Specifications

Following are specific data retention and destruction technical requirements:

General

  • Retention Activities:
    • Frequency and types of data/system retention activities.
  • Destruction Activities:
    • Frequency and types of data/system destruction activities.
  • Responsibility:
    • Internal staff or outside third parties responsible for data retention and destruction.
  • Notification:
    • Point of contact for identifying problems with retention and destruction activities.

Data/System Retention Procedures

  • Data Storage and Retention:
    • How electronic and non-electronic data is stored and retained.
  • System Storage and Retention:
    • How systems are stored and retained.
  • Location:
    • Where data/systems are stored.
  • Validation:
    • Process to ensure retention procedures function properly.

Data/System Destruction Procedures

  • Destruction Metrics:
    • Parameters for data destruction (time frames, methods).
  • Destruction Process:
    • Steps for data/system destruction.
  • Validation:
    • Process to verify data/media destruction.

Retention and Destruction Requests

  • Processing Requests:
    • Handling data restoration and destruction requests.

Policy Leadership

Mr. Cong Hoang Tri is the corporate owner responsible for MuseArrIve’s data/system retention and destruction activities. Issues related to these activities should be coordinated with IT management and other relevant parties.

Policy Responsibilities

  • Approval:
    • Approval by designated executive.
  • Implementation:
    • Planning and execution of policy activities.
  • Maintenance and Updating:
    • Keeping the policy current.
  • Monitoring and Review:
    • Regular review of policy effectiveness.
  • Improvement:
    • Defining and implementing enhancements.

Management Review

The Customer Support team will annually review and update this data retention and destruction policy. Changes will be managed through a change management process.

Penalties for Noncompliance

Failure to comply with this policy may result in verbal reprimands, notes in personnel files, termination, or other appropriate remedies.

 

Related articles

Comments

0 comments

Please sign in to leave a comment.