Policy Template for Data Retention and Disposal


1.0 Purpose

The purpose of this policy is to mitigate the risk of non-compliance with regulatory, legal and contractual requirements regarding the retention and disposal of data.

2.0 Scope

This policy applies to all data assets of {{organization.name}}, whether owned or provided by a third party. {{organization.name}} data assets include, without limitation: Intellectual Property (IP); Personally Identifiable Information (PII) and Personal Health Information (PHI) of employees, customers and other third parties; Business Sensitive Information (BSI); financial information; and any other non-public data or information assets deemed the property of {{organization.name}}.

3.0 Roles and Responsibilities

3.1 Data Owners

The Data Owner is the person who is ultimately responsible for the data and information collected and maintained by his or her department or division. All data within {{organization.name}} must be assigned a Data Owner, either directly or indirectly through roles and responsibilities in the organization. The responsibilities of the Data Owner include defining data retention and destruction requirements and making sure they are enforced.

3.2 Data Users

A Data User is any person or entity that interacts with, accesses, uses or updates data for the purpose of performing a task authorized by the Data Owner. Data Users must use data in a manner consistent with its intended purpose and must comply with this policy and all other policies applicable to such data use.

4.0 Retention of Data

4.1 Retention of Business Sensitive and Financial Information

{{organization.name}}’s Business Sensitive and Financial Information is retained in accordance with the schedule provided below.

Data/Record Types                                  Retention Period
-------------------------------------------------  -------------------------------------------------------
Accounts Payable ledgers and schedules             7 years
Accounts Receivable ledgers and schedules          Permanent
General Ledgers                                    Permanent
Annual Audit Reports and Financial Statements      Permanent
Bank Statements                                    7 years
Chart of Accounts                                  Permanent
Stock and Bond records                             Permanent
Customer Contracts and Work Orders                 Permanent
Timesheets on Work Orders                          5 years
Timesheets on Support                              5 years
Contracts and Leases                               7 years after expiration
Correspondence (legal)                             Permanent
Employee Payroll Records                           Permanent
Contractor Payment Records                         7 years
Insurance Records                                  Permanent
Invoices to Customers                              Permanent
Invoices from Vendors                              5 years
Employee Expense reports                           7 years
Board Meeting Minutes                              Permanent
Emails – internal and external                     Permanent (unless deleted explicitly, then 12 months)
Electronic Documents                               Depends on subject matter
Legal files and papers                             7 years after close of matter
Risk Assessment reports                            5 years
Internal Audit reports                             5 years

4.2 Retention of PII and PHI

All PII and PHI data shall be retained for as long as there is a business purpose or a legal requirement to do so.

4.3 Retention of Customer Data

All active Customer Data shall be retained for as long as the Customer continues to be an active Customer of {{organization.name}}, unless the active Customer has requested the deletion of that data.

All Customer Data, after termination of contract, must be retained in accordance with the contractual agreement between Customer and {{organization.name}}.

Customer Data retention policies may be implemented against Customer Data on an ad-hoc basis as may be agreed between {{organization.name}} and Customer.

5.0 Data Disposal

5.1 Customer Data Disposal

Disposal of Customer Data will be carried out in accordance with the contractual agreement between {{organization.name}} and the Customer. In the absence of any contractual agreement, an automatic script, or a manual script for ad-hoc requests, is initiated on the {{organization.name}} platform containing the Customer Data. This performs a full hard delete of the Customer Data on the platform.

5.2 Other Data Disposal, including {{organization.name}} Business Sensitive Information

All electronic documents containing {{organization.name}} Business Sensitive Information must be purged upon reaching the end of their retention period.

All printed material must be shredded prior to disposal.

6.0 Suspension of Disposal in Event of Litigation or Claims

In the event {{organization.name}} is served with any subpoena or request for documents, or any employee becomes aware of a governmental investigation or audit concerning {{organization.name}} or of the commencement of any litigation against or concerning {{organization.name}}, that employee shall inform Senior Management, and any further disposal of documents shall be suspended until such time as Senior Management, with the advice of counsel, determines otherwise. Senior Management shall take such steps as are necessary to promptly inform all staff of any suspension of the further disposal of data.