ITSHeaderImage

Policy Regarding Data Retention for ITS-Owned Systems

Draft

September 17, 2013

Purpose

This policy establishes the retention period of data within systems owned by ITS and for which ITS is responsible for the disposition of deleted data.  This includes system and log files that are a routine record of events on systems.

Scope

This policy addresses user data that has been deleted by the user from the system as well as system and log files that provide hardware or operating system event data used to diagnose problems.  This policy does NOT include retention of data records not owned by ITS such as financial records, Human Resource documents, student records, and health data which are governed by specific legal requirements and under the purview of those departments. 

Roles

The retention of data and determination of useful retention of system logs is determined by system administrators under the direction of the Director of User and Technical Services and the Director of Administrative Systems.  System administrators and database administrators are responsible for the execution of retention and adherence to the schedule.

Record Types

This policy addresses electronic data generated by systems in various formats (.txt, .tar, .zip, etc), faculty and staff deleted email in Exchange and Cyrus, data stored on Dragon, WesFiles and all systems provided for the user for the storage of data. For user generated data, retention refers to the length of time a document is available for recovery once deleted by the user from the system.

This retention policy does not include data and email stored in Wesleyan’s Google Apps instance.  Mail on in the user’s Trash folder in Google (as of the latest revision only Student email is delivered to Google) is retained for 30 days and is not recoverable beyond that.

Litigation Hold

When ITS receives a litigation hold for electronic data, the data and email as well as any associated backups as of the day of the hold are copied and quarantined.  Any backup retention policies that would delete files older than 30 days are removed so that files are retained.  At the time, the University is required to supply electronic documents, data from the frozen copies and any relevant data from the intervening period are provided.  Circumstances from each case will dictate the parameters of the data required. 

Records Retention

ITS has document outlining the retention of system logs, responsible party and location.

User data, for the purpose of this document, data or email that has already been deleted by the user is retained via backup copies.  Data that resides on user desktops/laptops is retained for 30 days beyond deletion. Once 30 days has passed, this data is permanently removed and no longer able to be recovered.  Data that resides on ITS provisioned storage (shared network drives and file locations) is retained for 120 days beyond deletion. 

Email Trash: Wesleyan does not perform mandatory purge of data in the users Trash folder in Cyrus or Exchange.  Deleted mail remains in these folders until the user empties the trash from the system. The 30 day retention applies to email that has been purged from users’ Trash.