INFORMATION LIFECYCLE POLICY
Policy Objective
This policy is to ensure that Parkland College data is securely and properly created, managed, maintained, archived, and destroyed.
Scope
All data at Parkland College regardless of format or location.
Policy
Section 1 – Creation, Collection, and Handling
- All data created within or for, or collected on behalf of, Parkland College must be classified per the Data Classification Policy and Standards.
- Data classification indicators must be, wherever possible and practicable, readily apparent and be attached to, stamped on, or part of the data, regardless of medium.
- Collection of sensitive data must follow all proper policies and procedures including all legal, regulatory, and privacy requirements related to the data.
- Data collected on behalf of Parkland College must obey and take into consideration any copyrights, trademarks, or other indicators that restrict the access, copy, storage, or distribution of that data except where otherwise required by law, regulation, statue, or policy.
- Data owners, stewards, and other roles must be identified and clearly documented for any data that is created or collected on behalf of Parkland College.
Section 2 – Processing, Use, Transit, and Dissemination
- Proper access to data shall be superintended by the designated data owner who will remain primarily responsible and accountable for the security of the data that they own.
- Data processed or used by Parkland College faculty, staff, and students must be restricted to only the data and the individuals necessary to use or process that data.
- Data must only be processed or used through secure means and using applications that have been reviewed for security and appropriateness by Parkland College.
- Any data classified as Private or Confidential as defined in the Data Classification Policy must be secured and protected in transit.
- Private or Confidential electronic data in transit must employ encryption or other encipherment methods.
- All user, device, credential, or other electronic authentication must employ encryption.
- Private or Confidential data on physical media (such as paper) in transit must employ all efforts to ensure that the data is not visible or accessible by others while transported.
- Dissemination of data classified as Private or Confidential must be done using secure means to ensure only the intended recipient can acquire the data.
Section 4 – Storage and Retention
- All stored data must be inventoried and catalogued including the data type, owner, steward, and classification.
- Data must be stored in a secure manner to ensure only the appropriate individuals can gain access.
- Electronic data classified as Private or Confidential must be stored in areas with controlled access in such a way that only the individuals who have a valid need to know may gain access.
- Data classified as Private or Confidential on physical media (such as paper) must be kept in an area that is inaccessible to anyone without authorization to view that data (such as a locked room or locked cabinet with controlled access to keys).
- Data must be retained for as long as is required by regulation, law, statute, government directive, or organizational requirement, after which it must be disposed of and destroyed. No data shall be retained beyond its usefulness to the organization if it is not legally required or necessary to retain it. If data is deemed to be of historical importance, or the retention period is indefinite, the data shall be released to the custody of the Parkland College Archives for archival.
- All data used by Parkland College, its employees, or on its behalf must be stored on systems or services that are owned, operated by, or under the control of Parkland College. This is to ensure security and facilitate proper retention of the data. The data includes, but is not limited to, educational materials, health records, grades, administrative records, and staff, faculty, and student data.
- Records management and data retention procedures must be followed based on the type and classification of the data.
Section 4 – Disposal and Destruction
- Data must be disposed of and destroyed in accordance with the classification and defined retention period of that data.
- Data classified as Private or Confidential must be securely destroyed after or during disposition, regardless of medium.