Information Technology

Records Disposition Standard

California State University, Monterey Bay is committed to effective records management that includes meeting legal and regulatory requirements for record retention, minimizing the space needed for and the cost of records retention, and appropriately destroying outdated records.

Comments or feedback on this standard should be directed to The Office of the Chief Information Officer at (831) 582-4700.

Scope

This standard applies to all records, regardless of medium, held by CSU Monterey Bay and to all employees of CSUMB and CSUMB auxiliary organizations.

Standard

Disposition of records shall be conducted in a timely manner following the retention period and based on their information classification level.

Failure to adhere to disposition schedules can lead to the unnecessary expenditure of resources to store, maintain, search for, and produce records. Records not disposed of at the end of their retention period remain subject to records requests under statute or legal proceedings.

Determining disposition date

Retention periods are counted from the date of creation of the record, unless other instructions (e.g., “3 years from termination”) are noted in the Records Retention and Disposition Schedule. Disposition would normally occur following the end of the month or year that marks the end of the retention period; thus, disposition of a record for which the retention period ends on July 10 would take place as soon after July 31 as practicable.

Cautions regarding disposition

There may be conditions under which records destruction must be deferred even if they have reached or exceeded the end of their retention period. These conditions include:

  • External requirements under state and federal laws or regulations, or when grant or contract retention periods override University retention periods
  • Records that have been requested pursuant to statute or legal proceedings (e.g., California Public Records Act, Subpoena)
  • Records that have not been requested but are deemed likely to be requested pursuant to statute or legal proceedings including potential litigation must be retained following notification by the campus Risk Manager.
  • Records related to an ongoing investigation must not be disposed of without prior consultation with campus counsel.

Disposition based on classification level

To protect the confidentiality of information and the related privacy rights of CSUMB students, faculty, staff, donors, patrons, vendors, and others, Level 1-Confidential and Level 2-Internal Use information contained in all software and/or computer files, storage media devices and hard copy must be sanitized prior to disposal. The sanitization process ensures that recovery of information is not possible. Several methods can be used to sanitize media; however, the two major types of sanitization are clearing and destroying.

Clearing

Clearing information is a level of media sanitization that protects the confidentiality of information against a robust keyboard attack. Simple deletion of items does not suffice for clearing. Clearing must not allow information to be retrieved by data, disk, or file recovery utilities and must be resistant to keystroke recovery attempts executed from standard input devices and from data scavenging tools. Overwriting is an acceptable method for clearing media. The security goal of overwriting is to replace written data with random data.

Several software products are available to overwrite storage space on media. CSUMB Information Technology can provide software tools and instructions to securely clean the data from ATA-based hard drives and other storage media. Overwriting cannot be used for media that are damaged or not rewritable. In such cases, media should be destroyed.

Destroying

Destruction of media is the ultimate form of sanitization. After media are destroyed, they cannot be reused as originally intended. Physical destruction can be accomplished using a variety of methods. Hard copy destruction can likewise be accomplished using a variety of methods, with cross-cut shredding being the most common practice. Straight-cut shredding is not a compliant destruction method. Departments may shred media on site or contact Business Support Services for a listing of approved document destruction vendors.

Recommendations for sanitizing media types are found in the Media Sanitization Standard.

Roles and responsibilities

The Information Security Officer is responsible for “publishing” the CSUMB Records Retention and Disposition Schedules and for providing copies to the Office of the Chancellor upon request.

It is the responsibility of each CSUMB and CSUMB auxiliary employee to adhere to the Records Management Standard and to the supporting standards and procedures.

It is the responsibility of department heads to ensure that employees under their supervision comply with the Records Management Standard and with the supporting standards and procedures.

Revision control

This standard will be subject to revision in response to changes in technology, regulatory compliance, and/or CSUMB operational initiatives.

Last reviewed/updated

06/21/2019 by Chip Lenno, CIO/ISO