Data Retention & Secure Deletion Policy

Outlines campus data retention rules and secure deletion of data.

Date	Version Number	Change Description	Referenced Section
10/23/25	1.0	New Document	Entire Document

 Review Process / Approval

Action:	Units	Date
Policy Review	Information Technology Services	9/24/25
Policy Approval	Executive Council	10/23/25

All users of university-provided technology services including, but not limited to, faculty, staff, volunteers, students, and employees of the Research Foundation, College Auxiliary Services, and other permitted third-party organizations.

Sensitive Datasets: HIPAA, FERPA, GLBA, PCI-DSS, GDPR

Data Owner: The individual who is accountable for protecting a dataset, holds the legal rights and defines policies. Data Owners are typically management-level individuals (e.g., department heads) who are ultimately responsible for the security and classification of specific data sets. They determine who has access to the data, how it should be classified, and when it should be archived or destroyed. They are accountable for ensuring that appropriate security controls are in place to protect the data.

Data Custodian: Data Custodians are the technical personnel (e.g., IT staff) who handle the day-to-day management of data, including storage, access control, and backups. They implement the security controls defined by the Data Owner, ensure data integrity, and manage data backups and recovery. They work under the guidance and direction of the Data Owner to fulfill the owner's security requirements.

User: Users are individuals who access and utilize data for business purposes. They must adhere to the security policies and procedures established by the Data Owner and implemented by the Data Custodian. User access is typically granted based on their roles and responsibilities, and they are restricted from accessing data they are not authorized to use.

Data Owner: 

• Data Classification: Determining the sensitivity of different data types and the level of protection each requires.
• Access Control: Establishing who can access which data and under what conditions.
• Security Requirements: Setting data usage rules, backup frequency, and technical controls based on importance and legal obligations.

Data Custodian:

• Implementing Security Policies: Configuring firewalls, encrypting data, and setting up access controls as directed by data owners.
• Controlling User Access: Managing user accounts, enforcing security checks, and monitoring access logs.
• Protecting Data: Planning for incidents such as ransomware attacks or hardware failures by patching vulnerabilities and managing antivirus solutions.
• Setting Up Backup Systems: Ensuring data is securely stored and can be quickly restored following any data loss.

Data User:

• Adhere to Security and Privacy Guidelines: Follow organizational policies and understand applicable privacy regulations (such as GDPR or HIPAA).
• Protect Access: Keep login credentials confidential, create strong passwords, and remain vigilant against phishing attempts.
• Report Problems: Notify IT or security teams of any suspicious activities or security issues immediately.
• Handle Data Carefully: Store, transmit, and dispose of data in accordance with best practices and company protocols.

None

Related Policies

• SUNY Plattsburgh Policy #10019.2 – Responsible Use of Technology Resources
• SUNY Plattsburgh Policy #10020.1 – Data Governance Policy

 

Method	Date
Campus Handbook	N/A
Faculty / Staff Digest	11/7/25
Student Digest	N/A
Other	N/A

There are no specific trainings identified with this policy.