top of page

Records Destruction and Data Retention Policy

OVERVIEW

To comply with applicable laws and regulations and to ensure PII and confidential customer information is properly protected and destroyed at such times as appropriate or otherwise required by law, the board of directors has directed development of the following:

  • A records retention policy statement [Optional: If applicable]

  • A data security and information integrity policy statement [Optional: If applicable]

  • Detailed policy guidance on destruction of information and data retention with implementation of comprehensive procedures and documentation [Optional: If applicable]

  • Management and executive accountability for employee handling and management of records destruction and customer data retention [Optional: If applicable]

 

This policy acknowledges the importance of protecting customer information, particularly in light of recent security breaches and global hacks.

OBJECTIVE AND PURPOSE

It is the policy of this institution to destroy customer records and data, including PII and confidential customer information, according to records retention policy schedules. Executive management, staff, and personnel, must be apprised of how to manage and destroy records.

This policy is developed to ensure the clear and consistent understanding of data and records destruction requirements for customer data, information, PII, and confidential customer information. Destruction of information refers not only to the physical destruction of paper records or related media, but also to the deletion of any electronic data storage in a manner sufficient to prevent recovery by unauthorized persons. [Optional: Discussion of related or intersecting policies should be included here.]

POLICY GOALS

The goals of this policy are to:

  • Establish clear policies and procedures for data retention and records destruction

  • Promote and develop in-depth employee training

  • Implement compliance and monitoring techniques

  • Establish periodic reviews to update existing firm policies and procedures and to assess compliance with and communication of related regulatory requirements, including, among other applicable  laws and regulations, the GLBA, Federal Privacy Act, Right to Financial Privacy Act (RFPA), and the Health Insurance Portability and Accountability Act (HIPPA)

  • Establish a quarterly audit program

REQUIRED ELEMENTS

Authority

The board of directors is responsible for setting policies addressing data retention and records destruction, as well as overseeing the institution’s efforts in connection with training and self-monitoring for compliance with applicable laws and regulations. Authority to implement policy direction and related procedures is assigned to [Drafting Note: Insert appropriate executives.]. These executives shall report periodically to the board of directors, no less than annually, on data retention and records destruction initiatives, as well as institution performance.

Risk Management

The board of directors and senior executive management, including designated staff, must be aware of risks that may arise from failure to comply with any adopted policy and applicable regulations. Failure to comply with policy and regulatory requirements may result in an adverse regulatory rating, or worse. This can become public and result in a severe market reaction or a regulatory enforcement action.

 

Accordingly, in establishing the data and records destruction policy, the board of directors has evaluated various related risks that include, among others:

  • Strategic risk. Failure to maintain accurate, complete, and satisfactory data retention and records destruction may result in the appropriate regulatory agencies not processing applications and affect the institution’s ability to compete in the marketplace.

  • Compliance risk. Legal and regulatory compliance, including compliance with the institution’s data and records retention policy.

  • Reputation risk. Ensuring marketplace confidence in handling customer financial transactions, PII, and confidential information, as well as protecting relevant customer data and employees records.

Key Definitions

Definitions used in this Policy are consistent with information used in operations of similar organizations in the financial services sector. It is incumbent upon the board of directors and executive management to understand these definitions and related information to manage the institution’s operations and ensure compliance.

 

Terms and related definitions may affect the implementation of this policy include, among other terms:

  • Consumer information. Any record pertaining to an individual, in paper, electronic, or other form, as well as a consumer report, or information derived from a consumer report, pertaining to confidential, nonpublic consumer information.

  • Consumer report. Confidential credit information, PII, and other nonpublic information as defined under the federal Fair Credit Reporting Act.

  • Destruction. Physical destruction of paper or microfilm materials and permanent deletion of data from analog and digital media reduced to a form beyond recognition and without any hope of potential reassembly.

  • Records. Recorded information, in any form, including data in computer systems, created or received and maintained by the bank or its employees in the transaction of business or activities, and kept as records of such activity.

  • Shredding. Shredding means the tearing, disfigurement, or cutting of documents into strips and/or pieces.

Authorization for Destruction

Three different types of data and records destruction methods occur within the institution:​​

  • Informal destruction of information

  • Formal disposal overseen by an officer through a formal, internal approval process

  • Disposal authorized under the records retention policy adopted by the board of directors

The section below reviews each of these methods in greater detail.

Information Destruction of Information

Within the institution, on a periodic basis, different activities may result in production of materials or receipt of information that should be destroyed. This may include, among other things:​​

  • Multiple photocopies of a completed application or credit file materials

  • Printing errors resulting in incomplete or partial printouts of customer records or multiple records being printed where fewer are required

  • Targeted marketing efforts resulting in duplicate mailings

  • Discarded photocopies for independent audits or examinations after completion of internal review

Each of the above are types of information and data that are highly confidential and must be destroyed on a periodic. Each director, officer, and employee of this institution bears responsibility for assessing whether materials are confidential. Individual informal review is required to assess whether papers or materials are suitable for recycling or are confidential, thereby necessitating secure data destruction. Marked destruction containers will be placed throughout the institution for information and materials labeled “CONFIDENTIAL.”  [Optional: If applicable]

Officer Authorization

 

Executive officers and other key personnel must have authority to destroy business or legal records when there is no further business or legal need. Appropriate personnel must be aware of legal requirements mandating various documents be retained longer than similar records in other areas of institution. For example:​​

  • Records retained past the specified retention period, and not destroyed under the records retention policy and schedules, require officer authorization.

  • Records, data, or media not currently covered by the records retention schedule.

To destroy records within these categories, the officer(s) must contact the board of directors and the appropriate executive officers for guidance (as well as any appropriate regulator). If requests to destroy records are approved and such approval is signed and documented, then the appropriate persons may proceed in destroying data and records.

In no circumstance, regardless of whether approval is provided inadvertently, shall data or records pertaining to a current or pending legal action be destroyed. Moreover, no data or records shall be destroyed if they are subject to a litigation hold, required as evidence in a court case or administrative hearing, or are currently subject to investigation by any state, local or federal government authority.

Information Destruction as Directed Under the Records Retention Policy and Schedules

 

Records and data may be destroyed as provided in the institution’s records retention policy and schedules.

 

Approved records retention schedules must address the information records and data created and retained in the normal course of business and released thereafter for destruction.

Moreover, in addition to promoting sound records-management practices, any records retention policy identifying records are to be preserved and retained in the institution’s historical archives.

When using the records retention schedule, an officer (or employees, as appropriate) should determine which section of the records-retention schedule is relevant to records under review and compute the minimum length of time such records must be retained. It is also imperative that the most recent records retention policy and schedules be used for this reference.

Upon concluding which category of data retention and records destruction methods are called for, the appropriate officers (or employees) should complete the internal approval form for records destruction. Responsibility for this has been assigned to each department head, functional area manager, and/or office manager.

Data and Records Destruction

Appropriate methods for data retention and records destruction should be used. These methods should result in destruction that is irreversible and, ideally, environmentally friendly. You should be aware that any appropriate regulatory body may also responsible for designating which methods should be used for specific data and records media.

Irreversible data destruction represents approaches and methods that result in no foreseeable risk of information being recovered in the future. Failure to achieve this level of destruction may result in the subsequent unauthorized access to confidential information. There are numerous documented cases where records have been found in dumpsters or local dumps after the information has allegedly destroyed. Occasionally, information is accidentally left in cabinets or buildings sold or leased to third parties. Computers are thrown out on occasion, with hard drives containing sensitive data still recorded on disk.

Environmentally friendly refers to methods that are effective, efficient, and environmentally protective.

Secure Destruction of Sensitive, Confidential Data and Records Destruction

The institution’s data and records must be disposed of using the same level of security provided for the information when it was retained on site. Information destruction on site should occur within a secure location that prevents access by unauthorized individuals. An information log destroyed will be retained. Separately, areas will be videotaped, with tapes retained per the retention schedule time frame. The on-site data and records destruction will be supervised by the appropriate officer of the institution. Special care should always be extended for extremely sensitive information, which includes:

  • Employee records and payroll

  • Customer confidential information (e.g., wills and testaments)

  • PII (Social security numbers, nonpublic information under GLBA)

  • Confidential institution records (e.g., SAR forms)

  • Trust documents that may have been later altered

Secure bins will be used to transport extremely sensitive information for transport from the office, department, or functional area to the institution’s information destruction area. Also refer to the Special Handling of Sensitive Information section of this policy.

 

While it is critical not to destroy records before the time frame indicated on the records retention schedule, it is similarly not necessary to store records and data longer than necessary. Tardiness in following data destruction schedules results in potential security risks, as well as costs associated with storage and retrieval access. If records and data are not destroyed in accordance with records retention schedules, any decision to delay destruction should be documented to assist disposal at a later time.

Document Destruction Logs

Data and records destruction should be carefully documented as proof of destruction, as well as defense in case of any future legal proceeding. Documentation destruction logs should identify records and data destroyed, the date of destruction, authorization, and, if appropriate, comments on any special situations. For documents sent to outside vendors for destruction, a record of the disposal of information should be retained and noted in logs.

 

The document destruction logs should be up-to-date and adequately detailed. Logs serve as a legal record of the data and records destruction process.

Destruction Methods

This institution may use the different methods of destruction (as discussed below) as appropriate for media on which data and records are stored. Such methods are detailed as guidance for data destruction methods.

 

Paper

  • Shredding. Shredding is perhaps the most common methods of paper and data records destruction. Security provided by shredding is a function of shredding techniques used. Shredded paper may be pulped and recycled and/or used for insulation or other purposes.

  • Pulping. Pulped paper is reduced to basic fiber consistency through chemical or mechanical methods. This method can produce good security protection.

  • Burning. If no other methods are available, paper products may have to be burned. This is an environmentally unfriendly approach and, therefore, should be used only as a last resort. Paper records should be burned only as permitted by local laws and ordinances.

 

Burying is not an acceptable method of disposing any materials.

Electronic Media

Data and information records stored on magnetic media may be bulk erased by exposing them to a strong magnetic field. Subsequently, disks, hard drives, and tapes should be formatted to ensure no access to formatted data.

 

Employees may think that simply deleting a file will erase such information; unfortunately, this approach does not remove data from magnetic media. Staff must be aware that manual deleting is an unacceptable method for destruction of electronic records and data.

 

Alternatively, highly sensitive materials requiring extreme care may be destroyed through dissolving in acid. This method is available only through special contract arrangements with a licensed industrial disposal firms.

Optical Media

Records stored on optical media may be destroyed in various ways, including cutting, crushing, chemical bath, or other techniques. Microwaving in a commercial facility may be used; however, microwaving often produces fumes, some of which may be toxic. Therefore, microwaving would only be used for small quantities of items; if this is the only method available to destroy data or records, it should be coordinated through the appropriate persons.

Nonelectronic Media

It is permissible to destroy videos, microfiche, fiche, and other products by shredding, cutting, crushing, or chemical recycling processes. Internal officers (including any regulators) maintain a list of suggested disposal methods for types of records and data media.

Vendor Support

The institution and its employees may, from time to time, outsource its data and records destruction responsibilities. Such outsourcing arrangements will be coordinated by the appropriate officials to ensure that destruction occurs in accordance with the data and records destruction policy. Contractors approved for data and records destruction will:

  • Sign a confidentiality contract with the institution

  • Ensure all contractor employees are fully insured and security bonded

  • Destroy designated documents on site at the institution’s premises; the records retention schedule designates certain documents that may not be removed from bank premises unless destroyed

  • Witness and certify records designated as permissible off-site data and records with a notarized document of destruction provided to the institution. Contractors will be responsible for transportation from the institution’s premises to the vendor’s operations site

  • Permit on-site surprise inspections by an institution officer to examine vendor data destruction procedures, level of security for materials held on site before destruction, and the subsequent disposal of destroyed materials

Use of outside vendors for data and records destruction may often be the optimum method. Management should assess the costs of internal resources and compare the expenses vs. costs and expertise provided through an external outsourcing arrangement.

Special Handling of Sensitive Information [Optional: If applicable]

 

Specific types of information are highly sensitive and require special care in handling and destruction. Sensitive information generally falls into one of the following:

  • Personal information. The institution collects a great deal of nonpublic personal information about individual customers (e.g., financial reports, credit reports). Records relating to driver’s licenses, future property transfers, and other wealth-related data may be sensitive. In addition, personnel files for institution staff contain a great deal of sensitive personal information.

  • Financial information. Files or records that contain sensitive information, such as financial records, offers to purchase/sell to other institutions, and bids for special situations. Any information that may give an unfair financial advantage to another entity or individual if they had access to it, should be treated as sensitive information.

  • Confidential information. Information that has been provided on condition that it remain confidential should be deemed sensitive information. Foreign governments and federal, state, and/or local government agencies providing information for various financial transactions are examples of such information.

  • Investigation information. This type of information might include information submitted by a government agency (e.g., warrants, subpoenas, investigation reports, bank examination reports). Information that is submitted by the bank in confidence (e.g., suspicious activity reports (SARs), currency transaction reports (CTRs)). Furthermore, adoptive and medical records are to remain confidential.

  • Security information. Information relating to internal physical security protection devices and procedures should be deemed sensitive information. Such information may include blueprints for buildings, procedures for currency shipments, security arrangements for external guard service, etc.

The officers for the department, functional area, or office locations are responsible for accounting for sensitive information to ensure that appropriate security-handling protection and destruction procedures are followed.

Ongoing Monitoring [Optional: If applicable]

 

To ensure compliance with applicable regulations and the institution’s adopted policy, the institution will periodically monitor compliance through ongoing reviews and audits. Any exceptions will be detailed and reported for corrective action.

 

Other policies relating to data retention and records destruction will be reviewed on a periodic basis to ensure that the institution’s standards, procedures, and documentation are carefully followed.

Independent Third-Party Reviews [Optional: If applicable]

Third-party reviews are a secondary method to evaluate firm performance. Thorough reviews by independent third parties enable management to obtain insights into the institution’s operational procedures and approach to data and records destruction. The institution views this as a defensive compliance review, plus a review of the effectiveness of internal policy and procedures. In using this method of review and responding to reported criticism, the institution intends to successfully manage all record retention and data destruction matters, particularly those housed within its trust department.

Training [Optional: If applicable]

Training is valuable for all staff responsible for records retention and data destruction. Attendance at training seminars provides additional opportunities to learn by sharing different viewpoint. Moreover, training is an excellent way to bring concerns and issues to a forum for discussion and to determine ways to address various situations. This institution considers external training as a key component of its success. This institution views external and internal training as a critical component of the overall training and educating of all personnel to ensure compliance with record retention and data destruction policy and related regulations.

Audit [Optional: If applicable]

Internal audit area will review the institution’s data and records destruction practices to determine compliance with appropriate regulations and this policy. Exceptions will be noted in any report, with management’s responses and such report provided to the audit committee of the board of directors.

bottom of page