Data Privacy Week – topic 4: How long should I retain sensitive personally identifiable information?

As discussed yesterday, collection of and access to sensitive personally identifiable information (PII) needs to occur based upon a legitimate purpose. Minimizing the amount and type of PII collected and reducing the number of places it is stored is best practice. Once the PII has been collected and used for its intended purpose, it’s important to evaluate how long it needs to be retained. Both regulatory requirements and business reporting and system functions will drive the length required for retention.

Have you ever fallen into the trap of saving extra copies of information due to fear of losing the original? Do you tend to save copies of student grades or gradebooks outside of Banner or Blackboard “just in case”? No sensitive PII should ever be kept “just in case.” Retention guidelines should be implemented into policies and procedures, and individuals responsible for following through on them should be identified. Caution should always be exercised before deleting information from large data ecosystems that have multiple stakeholders or connect across multiple systems. Impact of deletion should be fully vetted, understood and agreed upon by data system owners and stewards.

For more information visit the WSU Privacy SharePoint Site. For any privacy related questions or concerns, please reach out to the privacy officer at privacy@wichita.edu or via phone at 316-978-4447 (4HIP).