Records Disposition Standard
California State University, Monterey Bay is committed to effective records management that includes meeting legal and regulatory requirements for record retention, minimizing the space needed for and the cost of records retention, and appropriately destroying outdated records.
Comments or feedback on this standard should be directed to the Office of the Chief Information Officer at (831) 582-4700.
This standard applies to all records, regardless of medium, held by CSU Monterey Bay and to all employees of CSUMB and CSUMB auxiliary organizations.
Disposition of records shall be conducted in a timely manner following the retention period and based on their information classification level.
Failure to adhere to disposition schedules can lead to the unnecessary expenditure of resources to store, maintain, search for, and produce records. Records not disposed of at the end of their retention period remain subject to records requests under statute or legal proceedings.
Determining disposition date
Retention periods are counted from the date of creation of the record, unless other instructions (e.g., “3 years from termination”) are noted in the Records Retention and Disposition Schedule. Disposition would normally occur following the end of the month of year that marks the end of the retention period; thus, disposition of a record for which the retention period ends on July 10 would take place as soon after July 31 as practicable.
Cautions regarding disposition
There may be conditions under which records destruction must be deferred even if they have reached or exceeded the end of their retention period. These conditions include:
- External requirements under state and federal laws or regulations, or when grant or contract retention periods override University retention periods
- Records that have been requested pursuant to statute or legal proceedings (e.g., California Public Records Act, Subpoena)
- Records that have not been requested but are deemed likely to be requested pursuant to statute or legal proceedings, including potential litigation, must be retained following notification by the campus Risk Manager.
- Records related to an ongoing investigation must not be disposed of without prior consultation with campus counsel.
Disposition based on classification level
To protect the confidentiality of information and the related privacy rights of CSUMB students, faculty, staff, donors, patrons, vendors, and others, Level 1-Confidential and Level 2-Internal Use information contained in all software and/or computer files, storage media devices and hard copy must be sanitized prior to disposal. The sanitization process ensures that recovery of information is not possible. Several methods can be used to sanitize media; however, the two major types of sanitization are clearing and destroying.
Clearing information is a level of media sanitization that protects the confidentiality of information against a robust keyboard attack. Simple deletion of items does not suffice for clearing. Clearing must not allow information to be retrieved by data, disk, or file recovery utilities and must be resistant to keystroke recovery attempts executed from standard input devices and from data scavenging tools. Overwriting is an acceptable method for clearing media. The security goal of overwriting is to replace written data with random data.
Several software products are available to overwrite storage space on media. CSUMB Information Technology can provide software tools and instructions to securely clean the data from ATA-based hard drives and other storage media. Overwriting cannot be used for media that are damaged or not rewritable. In such cases, media should be destroyed.
Destruction of media is the ultimate form of sanitization. After media are destroyed, they cannot be reused as originally intended. Physical destruction can be accomplished using a variety of methods. Hard copy destruction can be accomplished using a variety of methods, with cross-cut shredding being the most common practice. Straight cut shredding is not a compliant destruction method. Departments may shred media on site or contact Business Support Services for a listing of approved document destruction vendors.
Recommendations for sanitizing media types are found in the Media Sanitization Standard.
Roles and responsibilities
The Information Security Officer is responsible for “publishing” the CSUMB Records Retention and Disposition Schedules and for providing copies to the Office of the Chancellor upon request.
It is the responsibility of each CSUMB and CSUMB auxiliary employee to adhere to the Records Management Standard and to the supporting standards and procedures.
It is the responsibility of department heads to ensure that employees under their supervision comply with the Records Management Standard and with the supporting standards and procedures.
This standard will be subject to revision in response to changes in technology, regulatory compliance, and/or CSUMB operational initiatives.
06/21/2019 by Chip Lenno, CIO/ISO