1. Purpose
Define requirements for retaining and securely disposing of [ORGANIZATION]'s data assets in compliance with legal, regulatory, and business requirements.
2. Scope
This policy applies to all data in any format owned or managed by [ORGANIZATION], including electronic data, physical records, backups, and data held by third parties on [ORGANIZATION]'s behalf.
3. Policy
3.1 Retention Schedule
[ORGANIZATION] shall maintain a data retention schedule that defines minimum and maximum retention periods for each data category, reviewed and updated at least annually.
Retention periods shall be based on legal, regulatory, contractual, and business requirements.
The following minimum retention periods shall apply unless superseded by specific regulatory requirements:
| Data Category | Minimum Retention | Maximum Retention | Regulatory Basis |
|---|---|---|---|
| Financial Records | [CUSTOMIZE: 7 years] | [CUSTOMIZE: 10 years] | SOX, Tax regulations |
| Employee Records | [CUSTOMIZE: 7 years after separation] | [CUSTOMIZE: 10 years] | EEOC, labor laws |
| Customer PII | [CUSTOMIZE: Duration of relationship + 3 years] | [CUSTOMIZE: Duration + 5 years] | GDPR, CCPA, state privacy laws |
| Health Information | [CUSTOMIZE: 6 years] | [CUSTOMIZE: 10 years] | HIPAA |
| Audit Logs | [CUSTOMIZE: 1 year] | [CUSTOMIZE: 3 years] | Industry standards, compliance |
| Email Communications | [CUSTOMIZE: 3 years] | [CUSTOMIZE: 7 years] | eDiscovery, business records |
| Contracts and Agreements | [CUSTOMIZE: Duration + 6 years] | [CUSTOMIZE: Duration + 10 years] | Statute of limitations |
| Security Incident Records | [CUSTOMIZE: 3 years] | [CUSTOMIZE: 7 years] | Compliance, legal hold |
3.2 Data Disposal Requirements
Data that has exceeded its maximum retention period and is not subject to a legal hold shall be securely disposed of within [CUSTOMIZE: 30/60/90] days.
Electronic data disposal shall use methods that render the data unrecoverable: cryptographic erasure, secure overwrite (minimum 3-pass for magnetic media), or physical destruction.
Physical records shall be cross-cut shredded or professionally destroyed by an approved vendor.
Disposal of Confidential and Restricted data shall be documented with: data description, disposal method, disposal date, and the individual who performed or verified the disposal.
Third parties holding [ORGANIZATION]'s data shall be required to certify data disposal in accordance with this policy upon contract termination.
3.3 Legal Hold
When a legal hold is issued, all data potentially relevant to the legal matter shall be preserved regardless of retention schedule.
Legal holds shall be communicated by [CUSTOMIZE: Legal Department/General Counsel] to all relevant data custodians.
Data subject to legal hold shall not be destroyed, modified, or overwritten until the hold is formally released.
4. Compliance
Compliance with this policy is mandatory for all personnel within its scope. Compliance will be monitored through periodic audits, automated controls, and management review.
Exceptions to this policy must be documented with a business justification, approved by [CUSTOMIZE: CISO/Security Team], and reviewed at least annually.
5. Enforcement
Violations of this policy may result in disciplinary action up to and including termination of employment or contract, and may result in civil or criminal penalties where applicable law has been violated.
[ORGANIZATION] reserves the right to audit compliance with this policy at any time, with or without notice.
6. Review and Revision
This policy shall be reviewed at least annually by [CUSTOMIZE: CISO/Policy Owner] and updated as necessary to reflect changes in the threat landscape, regulatory requirements, or organizational structure.
All revisions shall be documented with version number, date, author, and description of changes.
Policy Approval

| Approved By | Title | Date |
|---|---|---|
| | | |
Document Control