Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 60 – Data Retention and Destruction Policy

49170.10 Roles and Responsibilities

  • Department Chief Information Officer (CIO) or Designee

    • The CIO or Designee owns this policy and is responsible for ensuring that all users of department information assets are aware of this policy and acknowledge their individual responsibilities.

    • The CIO or Designee is responsible for ensuring that this policy is reviewed annually and updated accordingly.

    • The CIO or Designee is required to audit and assess compliance with this policy at least once every two (2) years.

  • Department Information Security Officer (ISO)

    • The ISO shall ensure processes exist for the secure destruction of paper and electronic records when no longer needed.

    • The ISO shall ensure specific retention requirements for sensitive or confidential data as defined by the Owners of Information Assets are adhered to.

    • The ISO shall ensure the safe and secure disposal of confidential data and information assets.

    • The ISO shall assist Owners of Information Assets and Information Asset Custodians in the identification of data security controls and processes.

  • Department Owners of Information Assets and Program Management

    • Owners of Information Assets shall ensure that no document is retained for longer than is legally or contractually allowed.

    • Owners of Information Assets shall implement data retention and disposal guidelines limiting data storage and retention times in accordance with legal, regulatory, and business requirements.

    • Owners of Information Assets shall define and enforce data retention requirements.

  • Department Information Asset Custodians

    • Information Asset Custodians shall assist Owners of Information Assets in identifying data retention security controls commensurate with the classification of the data.

    • Information Asset Custodians shall document, implement, monitor, and maintain data retention security protection controls as defined by Owners of Information Assets.

    • Information Asset Custodians shall develop and implement tools, technologies, processes, and procedures to support, monitor and maintain data retention security controls.

  • Department Records Management Coordinator (RMC) and Records Management Assistant Coordinator (RMAC)

    • The RMC, pursuant to Gov. Code 12274, shall assist the RMACs, Owners and Custodians of Information Assets in establishing proper data retention periods.

    • The RMC shall assist in training identified RMACs and entity staff in records retention.

    • The RMACs shall ensure that required data retention periods are maintained and data beyond the lifecycle of established policy is properly disposed of.