Data Retention, Retrieval and Secure Disposal Policy Page 1
Data Retention, Retrieval and Secure Disposal Policy
Document Summary
Information Dynamics
Document Name
Data Retention, Retrieval and Secure Disposal Policy
Compliance Reference
ISO 27001:2013, PCI DSS
Document Revision History
Prepared By
November 2018
Information Dynamics
29th Aug, 2019
Added ISO 27001 Controls reference
Aug 2020
Annual review
Aug 2021
Annual review
Document Review History
Reviewed By
Data Retention, Retrieval and Secure Disposal Policy Page 2
1. Purpose
The purpose of the policy is to set a clear path for data retention in ID and securely disposing
the same.
ISO 27001:2013 Reference
7.5.3 (f)
Retention and Disposition
Disposal of Media
Secure disposal or reuse of equipment
2. Scope
The scope of the policy will be applicable to all activities under the scope statement of
Information Dynamics.
3. Policy
The entire Information Dynamics records, either physical or digital, are subject to the retention
requirements based on business, legal and regulatory requirements. The Information Dynamics
requires that all removable storage media (CDs, tapes, memory sticks, hard drives, etc) are clean
(which means: it is not possible to read or re-constitute the information that was stored on the
device or document) prior to disposal specifically:
3.1 No storage of Magnetic stripe data, CVV, CID, CAV2, CVV2, CVC2 and PIN to be
stored under any circumstances.
3.2 Each data item that is stored should be marked with the name of the record, the record
type, the original owner of the data, the information classification, the required
retention period, and any special information (eg in relation to cryptographic keys).
3.3 The required retention periods, by record type, should be in compliance with business,
legal and regulatory requirements. The records both physical and electronic should
have secure remote offsite backups.
3.4 The offsite records both physical and digital should be retrieved and reviewed at least
annually or based on the criticality of the information of the records.
3.5 All records (physical and digital) moving to and fro the facility to offsite locations has
to be logged and inventory managed both at the primary and offsite locations. A
periodic inventory check must be done at offsite to find if there exist any irregularities
in the logging mechanism.
Data Retention, Retrieval and Secure Disposal Policy Page 3
3.6 Data should be disposed as soon as the specified retention period completes it retention
3.7 If sensitive authentication data (CVV, PIN, magnetic stripe data, track data etc.) is
being received, then the data should not be stored and be deleted in a secure manner
which makes the data unrecoverable.
3.8 Cryptographic keys, which are required for sensitive transaction data should be retained
as set out as in Credit Card Data Encryption & Key Management Policy
3.9 Devices containing confidential information are dependent on a risk assessment
physically destroyed prior to disposal and are never to be re-used.
3.10Devices containing confidential information that are damaged are subject to a risk
assessment prior to sending for repair, to establish whether they should be repaired or
3.11 Documents, CDs, etc containing confidential and restricted information which are to be
destroyed are shredded by their owners, using a cross cut shredder. These shredders are
located in the secure area and the containers are under lock and key.
3.12 Portable or removable storage media of any description are physically destroyed prior
to disposal.
3.13 The data owner along with support from the custodian is responsible for destroying data
once it has reached the end of the retention period. Destruction must be completed
within 30 days of the planned retention period. Destruction is handled as follows:
Papers to be shredded.
CDs to be shredded.
Backup tapes to be burnt.
Sensitive data to be deleted through a program.
3.14 The TSG Team is responsible for the retention and secure disposal of storage media
and the disposal of all information processing equipment is routed through his office.
4. Associated Documentation:
Asset Management procedure
Data Disposal Form_v1