Forum Guide to Protecting the Privacy of Student Information: State and Local Education Agencies

4.F. Data Disposal

Retaining data beyond its useful life exposes an agency to unnecessary privacy risks. The written policies of records maintenance should include detailed procedures for records retention and disposal, as determined by an agency’s needs and legal requirements. Inappropriate disposal methods also threaten the privacy of the records. For example, records should not simply be erased or media reformatted. They should be overwritten with random binary codes. In addition, when an agency upgrades its networks and systems, data contained in the original systems could be exposed if the tapes, disks, and hard drives are not cleaned properly. Even if a vendor replaces a hard drive, the old one must be returned so it can be checked to ensure that it was properly cleaned.