DATA RETENTION AND DESTRUCTION - 5310.6
Policy: Information asset owners shall retain and/or destroy records of personal information in accordance with the state entity’s record retention and destruction policy and the Privacy Individual Access Standard (SIMM 5310-B). Information asset owners shall take reasonable steps to keep personal information only as long as is necessary to carry out the purposes for which the information was collected.
However, no record of personal information shall be destroyed or otherwise disposed of by any state entity unless:
- It is determined by the state entity head that the record has no further administrative, legal, or fiscal value;
- The state entity head has determined that an audit has been performed forany record subject to audit; and
- The Secretary of State has determined that the record is inappropriate for preservation in the State Archives.
Destruction of Electronically Collected Personal Information
An information asset owner shall, upon request by the record subject, securely discard without reuse or distribution, any personal information collected through a state entity’s website.Implementation Controls: NIST SP 800-53: Appendix J-Privacy Control Catalog, and SIMM 5310-B
No Revisions for this item.