The Four Seasons of Data Management – ‘Fall’ Retirement

Welcome to Part 3 of the Four Seasons of Data Management Series, focusing on ‘Fall’ Retirement. This is the period when data/information is no longer used or relevant and is hence ready for retirement. Let’s start with answers to the very basic questions of what, where, and when.

WHAT – Data Classification

If you have followed this series, you may recall that in the ‘Spring’ Inception blog we discussed the need for classifying your data/information, and how the classification dictates how data will be secured and handled. The classification also drives what we should archive and how, and later how we dispose of the data. Public data may not need to be archived, while sensitive data must be archived and fully secured (encrypted and under access control) even during the retirement period.

WHERE – Data Architecture

You may also recall we discussed the importance of understanding your enterprise data architecture in ‘Summer’ Primetime. Put that knowledge of data mapping and integration to another good use now, as you will have to archive data on connecting systems as well, without impacting the systems’ data integrity. This requires careful planning and execution.

WHEN – Data Retention Requirements

Depending on what regulatory requirements your organization must comply with, your retention requirements may vary. With the Sarbanes-Oxley Act, for example, electronic and paper records related to audits and financial statements must be preserved securely for at least 7 years – different documents follow different retention schedules. And HIPAA does not even specify a retention period for patient information; instead, it is left open to be governed by state law.

Needless to say, understanding data retention requirements is not an easy matter, especially for a large company that must abide by many regulations (federal, state, local). But with proper data/record classification, this effort can be manageable.

Consider These Activities or Controls

Several activities worth considering related to data/record retention:

  • Establish and maintain a data/record retention policy and procedure covering documents, systems, records, and logs.
  • For each system, record, log, or document, identify the retention requirement according to applicable regulations.
  • Define the appropriate format for archived data, and ensure access to it is controlled – only authorized personnel should be able to access the archives.
  • Periodically verify the archived data’s integrity, to make sure it’s retrievable. You never know when you will be required to retrieve historical information quickly in the case of litigation or audits.
  • Promptly remove records when the retention period is over – better yet, automate this removal. This will be discussed more in “Part 4: ‘Winter’ Removal (Coming December 30th)”.
  • Last but not least, if you must re-purpose the media that was used to host sensitive data, make sure you sanitize or degauss it prior to redeployment.

While the above may not sound too daunting, the consequences are. Section 802 of the Sarbanes-Oxley Act considers it a crime, punishable by up to 20 years or a hefty fine, if you purposely alter or destroy electronic and paper documents or fail to preserve or back up a document.

What’s next?

There you have it. We have almost reached the last of the four seasons in data management. Come back for the final stretch of this journey, ‘Winter’ Removal, during which data has reached the end of its life and retention period and thus must be removed and disposed of – safely and permanently. See you at the finish line!

Stay tuned for the rest of ‘The Four Seasons of Data Management’ Series

Part 1: ‘Spring’ Inception
Part 2: ‘Summer’ Primetime
Part 3: ‘Fall’ Retirement
Part 4: ‘Winter’ Removal

About the author

“Life is too short to leave the world unexplored” - jenny juliany

Jenny Juliany
