Retention Information
Personal Information of students in the University shall not retain in a longer period. Specifically, retention of personal data shall only for as long as necessary:
- for the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated;
- for the establishment, exercise or defense of legal claims; or
- for legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by an appropriate government agency.
Disposal Information
Delegating Responsibility
Third parties Disposal of personal information to a third party must follow the disposal procedure stated in Section 5 (Disposal Procedure on Electronic Storage Devices) to Section 8 (Disposal Procedure of Paper-based Documents with Digitized File Copy) of this policy. Otherwise, the specific disposal procedure must be stated in the Data Sharing Agreement.
Data management When an agreement has been terminated, that data held on third party systems must be securely disposed of. It is recommended to contact the third party and verify that disposal has been carried out and including all the details of disposal. This verification should be documented for data management purposes.
Devices with Electronic Storage Media An agreement of sharing or passing of information through any electronic storage within the University must be executed and proper procedure in removal/deleting of the information must be followed. (See Section 5 Disposal Procedure on Electronic Storage Devices)
Disposal of Electronic Storage Devices All electronic media should be cleaned/ factory settings prior to being transferred from its current owner to another user or custodian.
The following methods are recommended:
- Overwritten Method- Overwriting is a method for cleaning of hard disk storage media, replacing the old data stored with meaningless information.
- Destruction of Electronic Media-Destruction of electronic media is to physically destroy the material that is not usable by any device which is capable to read the stored information
- Clearing the Data- Removing the data from the storage device can be done by formatting or deleting the information which makes the information unreadable unless special software is used to recover the cleared data. This method is not acceptable for disposal outside the University.
Disposal of Hard Drives and other Electronic Storage
- Disposal of Hard Drives to Other Departments or outside the University-An overwritten method is recommended when transferring usable Hard Drives and other Electronic storage outside the University. The current owner must accomplish a written report indicating the model, serial number, and the date when the procedure was performed.
- Transfer of Hard Drives within the University- Transfer of usable Hard Drives and other Electronic Storage from its current owner to another owner or custodian, the hard drive must be formatted prior to transfer.
- Disposal of Electronic Media Outside the University-Disposal of all electronic media other than Hard Drives must be rendered unusable before leaving the University.
Disposal Procedure of Personal Information of the Data Subjects stored in database/computer Personal Information of the data subjects shall be deleted from the database/computer if no longer needed or has served its purpose. Moreover, the approved and secured deleting utility for any specific process or system shall be used.
Disposal Procedure of Paper-based Documents containing Personal Information The following are the recommended to use during the disposal of documents especially when it contains personal and sensitive information:
- Disposal of documents with personal information and sensitive information through shredding- Shredding is the most commonly used method as it is considered a fast, safe, and cost-effective. It is also considered sufficiently secure for a wide range of documents.
- Disposal of documents with personal information and sensitive information through Pulping-Paper is mixed with water and chemicals to break down the paper fibers before it is processed into recycled paper.
Disposal Procedure of Paper-based Documents containing Personal Information with Digitized File Copy All paper-based documents with digitized file copy shall be disposed of all together. Disposal of paper-based documents shall be based on Section 7 (Disposal Procedure of Paper-based Documents containing Personal Information) and the disposal of electronic documents shall be based on Section 6 (Disposal procedure of Personal Information of the Data Subjects stored in database/computer). The standard file deletion routines shall govern the network-based files. Any extreme sensitivity required highly technical information that is deleted shall be consulted with the IT personnel to appropriately handle the digital files.