Welcome to the final blog of the Four Seasons of Data Management Series. Through ‘Spring’ inception, ‘Summer’ primetime, and ‘Fall’ retirement periods, we reach the last leg of this journey: ‘Winter’ Removal. In this blog, we will concentrate on the stage when information/data has reached the end of its life and must be permanently removed, disposed of, and destroyed.
Data Hoarding
While removing retired/obsolete data seems like a natural progression, it is not a common practice for many organizations. Most companies tend to keep data longer than the required retention period. Even though it might be done with practical intentions (‘we may need it later’), data hoarding costs the business in storage, power, maintenance, and other expenses. Keep in mind that unless the data is creating value, there is no reason at all to keep it around. Most importantly, it poses a danger to the organization, because every retained record is one more that can be breached or subpoenaed, exposing the organization to legal liability. Check out ‘How Data Hoarding Is Costing Your Business’.
Policy and Procedure
It is critical to implement policies and procedures to ensure that the final disposition of sensitive information, both the electronic data itself and the system/media that host it, is addressed appropriately. Particularly if you store any protected health information (PHI), check out this related FAQ to understand what is required by the HIPAA Privacy and Security Rules and ensure that you are in compliance.
The policy and procedure should also address system/media sanitization requirements prior to redeployment. In general, sanitization is the process of removing data from a system/media to achieve reasonable assurance that the data cannot be easily retrieved or reconstructed. NIST SP 800-88 provides guidelines for organizations, system owners, and data owners in making sanitization decisions based on the sensitivity and confidentiality of the information.
Consider These Controls
As far as controls are concerned, consider the following, which reinforce the points above:
- Establish data removal/disposal policy and procedure. This should be part of the overall data handling policy.
- Sanitize all systems and data storage media before disposal or redeployment. The types of sanitization are: clearing (overwriting the media with non-sensitive data, possibly in multiple passes), purging (degaussing, i.e. exposing the media to a strong magnetic field), and destroying (disintegration, pulverization, incineration, shredding). Note that clearing relies on the media actually rewriting the addressed locations; for flash-based storage, purging or destroying is the safer choice.
- Dispose of data, information, and media in a timely way. Do not delay; automate the process as much as possible.
- Maintain disposal or redeployment records. Once data is destroyed, document it and create an audit trail of the activity, including what was sanitized, how, by whom, and how the result was verified.
- Train the resources. Training plays a very significant role in ensuring that the people responsible for these activities are able to execute the disposition tasks properly, consistently, and securely.
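To make the clearing and record-keeping controls concrete, here is an added example (not code from the original post) that performs a single-pass overwrite of a file, verifies it by reading the content back, and only then unlinks the file and emits a disposal record. The file path, the `retention-job` actor and the record fields are hypothetical, and the sample content is constructed placeholder data.

```python
import os
import tempfile
from datetime import datetime, timezone

# Added example with hypothetical names: a single-pass "clear" in the NIST SP 800-88
# sense, a read-back verification, and the disposal record. Caveat: a file-level
# overwrite reaches only the blocks currently mapped to the file; flash wear-levelling,
# snapshots and journals can keep copies, so purge/destroy stays the choice for sensitive media.
PATTERN = b"\x00"
CHUNK = 1 << 20  # work in 1 MiB pieces so large files do not need to fit in memory

def clear_file(path):
    """Overwrite path in place with PATTERN, sync to disk, then verify by reading back."""
    remaining = os.path.getsize(path)
    with open(path, "r+b") as f:
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(PATTERN * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())
    with open(path, "rb") as f:  # verify: never record success on trust
        for block in iter(lambda: f.read(CHUNK), b""):
            if block != PATTERN * len(block):
                return False
    return True

def dispose_file(path, actor):
    """Clear, verify, build the audit record, and only then unlink the file."""
    verified = clear_file(path)
    record = {
        "media_id": os.path.abspath(path),
        "method": "clear (single-pass overwrite)",
        "verified": verified,
        "bytes": os.path.getsize(path),
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
    }
    if verified:  # only unlink once the overwrite is confirmed
        os.remove(path)
    return record

def demo():
    """Constructed input: a temp file holding placeholder 'PHI' content."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"PATIENT-ID-0001 placeholder PHI record\n" * 1000)
    record = dispose_file(path, actor="retention-job")
    return record, os.path.exists(path)
```

A failed verification leaves the file in place with `verified` set to false, so the record never claims a destruction that did not happen.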
End Notes
Data management has become increasingly important as more and more organizations face compliance requirements that regulate how they must handle particular types of data/information from start to end, ‘spring’ to ‘winter’. Hence, a comprehensive approach to managing your organization’s data within each stage, involving policy, procedures, and controls, is imperative. As this marks the end of this blog series, I want to thank you, the readers, for following along. It’s been a fun journey…wish you all the best!
Learn more in the rest of ‘The Four Seasons of Data Management’ Series:
Part 1: ‘Spring’ Inception
Part 2: ‘Summer’ Primetime
Part 3: ‘Fall’ Retirement
Part 4: ‘Winter’ Removal