BD Performing Arts Data Disposal Policy
Purpose:
The purpose of this policy is to establish guidelines for the proper disposal of physical and digital data to ensure the security and confidentiality of sensitive information handled by BD Performing Arts.
Scope:
This policy applies to all employees, contractors, and third-party vendors of BD Performing Arts who handle or manage sensitive information.
Policy:
1. Physical Data Disposal
1.1 Definition:
Physical data refers to any printed or written material that contains sensitive or confidential information, including but not limited to paper documents, photographs, and other tangible media.
1.2 Guidelines:
- Identification: Identify all physical data that contains sensitive information and is no longer needed.
- Shredding: Use cross-cut shredders to destroy paper documents. Shredding must render the information illegible and irretrievable.
- Secure Storage: Until shredding, store physical data in locked bins or secure areas to prevent unauthorized access.
- Vendor Services: If using a third-party shredding service, ensure they are certified and provide a certificate of destruction.
- Verification: Conduct regular audits to ensure compliance with physical data disposal procedures.
2. Digital Data Disposal
2.1 Definition:
Digital data refers to any electronic information stored on computers, servers, external drives, mobile devices, or other digital storage media.
2.2 Guidelines:
- Identification: Identify all digital data that contains sensitive information and is no longer needed.
- Data Wiping: Use approved data wiping software that meets industry standards (e.g., DoD 5220.22-M) to securely erase data from storage devices.
- Encryption: Prior to disposal, ensure all data is encrypted to prevent unauthorized access in case of incomplete data wiping.
- Device Disposal: Physically destroy storage devices that cannot be securely wiped, such as by degaussing, crushing, or shredding.
- Cloud Data: Ensure all sensitive data stored in cloud services is permanently deleted according to the cloud provider’s secure deletion protocols.
- Vendor Services: If using a third-party service for digital data disposal, ensure they are certified and provide a certificate of destruction.
- Verification: Conduct regular audits to ensure compliance with digital data disposal procedures.
3. Training and Awareness
- Employee Training: All employees will receive training on data disposal procedures upon hire and annually thereafter.
- Policy Review: This policy will be reviewed annually and updated as necessary to comply with legal requirements and industry best practices.
4. Compliance and Enforcement
- Compliance: Employees are expected to comply with this policy at all times. Non-compliance may result in disciplinary action, up to and including termination.
- Reporting: Report any incidents of improper data disposal immediately to the IT department or compliance officer.
5. Documentation
- Records: Maintain records of all data disposal activities, including the type of data, method of disposal, date of disposal, and personnel involved.
- Audit Trail: Ensure an audit trail is maintained for all data disposal activities to verify compliance and for accountability purposes.
Contact Information:
For any questions or concerns regarding this policy, please contact the Technology Department.
Approval:
This policy has been approved by the management of BD Performing Arts and is effective as of June 13, 2024.