Disposition of Digital and Electronic Records: What You Need to Know
When it comes to records management, organization, storage and retrieval are often the first things businesses think about. However, disposition of records should be a critical element of every organization's records management program.
Destroying paper-based records through incineration or shredding may seem like a logical way to get rid of files that are identified as no longer necessary. In today's world, that just might not be enough to remove all traces of data from digital and electronic records. Increasing concerns about privacy and security mean electronic data disposal must be carefully and systematically handled to minimize the risk of illegal and/or unauthorized access to information.
What is Disposition?
Disposition is the last stage of a record's life cycle, which encompasses the active, semi-active and inactive stages. Active and semi-active records are altered and accessed, but once a record becomes inactive, it is unlikely it will need to be accessed again. However, whether paper-based or digital, a record isn't ready for disposal until confirmation can be given that the information it contains will no longer be required for operational, legal, federal, state or professional association compliance reasons.
Prior to destroying or disposing of any electronic records, it is the business's responsibility to ensure compliance with any and all electronic records disposal regulations governing operations.
Proper Disposal of Electronic Data Is a Critical Component of Records Management
More and more businesses and organizations have moved to storing information in the cloud as well as on hardware, such as onsite or offsite services, and portable devices, such as laptops, tablets and smartphones. This means the proper organization, security and disposal of electronic data are becoming increasingly necessary. Sensitive and private information falling into the wrong hands could lead to criminal activity, loss of business and even legal action.
Electronic Data Exists in a Variety of Forms
Email correspondence, text or voice mail messages, patient or customer files and financial records are examples of electronic records that may contain sensitive data requiring special consideration during the disposal process.
Electronic data refers to information stored via a medium other than paper. Some examples include:
- Hard drives on laptops and desktops
- USB jump or flash drives
- Zip disks
- SCSI drives
- Magnetic tapes
- Audio/visual media such as CDs/DVDs
Deleting files and sending messages to a trash bin in an email program does not erase the data. Electronic files must be properly sanitized and purged before they can be considered satisfactorily disposed of.
Digital Sanitization Methods
In records management, disposition doesn't necessarily mean destruction. There are other acceptable ways to remove records that have passed their required retention period. In most cases, sanitization is recommended to "clean" sensitive information from records and may include one of the following:
- Destruction is used when the storage device is no longer required at all and can be completely destroyed. Examples include shredding, pulverizing and incinerating.
- Purging can be accomplished via degaussing or secure erasing on a hard drive. Degaussing magnetically erases electronic information from tape devices and hard drives, but it isn't effective in clearing data from DVDs and CDs.
- Clearing electronic data is commonly achieved by overwriting existing data using software that incorporates a fixed sequence or patterns of letters, numbers or symbols.
- Disposal refers to dumping data without sanitizing it and is usually reserved for non-confidential information. If it falls into the wrong hands, data that has been disposed of without being sanitized can be a privacy and security breach for both the responsible organization and the individuals or entities named in the records. In addition, the responsible organization or business could face legal action and litigation.
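The difference between deleting a file and clearing the media by overwriting, as described above, can be shown on a small simulated volume. This is an added example, not part of the original article; the `MediaImage` class, block size, overwrite patterns and sample record are all constructed for illustration.

```python
import os
import tempfile

BLOCK = 512                              # constructed block size for the simulated image
PATTERNS = (b"\x00", b"\xff", b"\xaa")   # fixed overwrite patterns (assumed choice)


class MediaImage:
    """Hypothetical toy volume: a flat image file plus an in-memory file table."""

    def __init__(self, path, blocks=8):
        self.path, self.blocks = path, blocks
        self.table = {}                  # name -> (block index, length)
        with open(path, "wb") as f:
            f.write(b"\x00" * BLOCK * blocks)

    def write(self, name, data):
        idx = len(self.table)
        with open(self.path, "r+b") as f:
            f.seek(idx * BLOCK)
            f.write(data)
        self.table[name] = (idx, len(data))

    def delete(self, name):
        # Ordinary delete: only the table entry goes, the bytes stay on the media.
        del self.table[name]

    def contains(self, needle):
        with open(self.path, "rb") as f:
            return needle in f.read()

    def clear(self):
        # Clearing: overwrite every block with each fixed pattern, flush each pass
        # to the device, then read back the final pass to verify it.
        size = BLOCK * self.blocks
        with open(self.path, "r+b") as f:
            for p in PATTERNS:
                f.seek(0)
                f.write(p * size)
                f.flush()
                os.fsync(f.fileno())
            f.seek(0)
            verified = f.read() == PATTERNS[-1] * size
        return {"passes": len(PATTERNS), "bytes": size, "verified": verified}


def demo():
    secret = b"ACCT 0000-CONSTRUCTED-SAMPLE"   # constructed sample record
    with tempfile.TemporaryDirectory() as d:
        img = MediaImage(os.path.join(d, "media.img"))
        img.write("customer.txt", secret)
        img.delete("customer.txt")
        after_delete = img.contains(secret)    # still recoverable after delete
        report = img.clear()
        after_clear = img.contains(secret)     # gone after overwrite
    return after_delete, after_clear, report
```

The dictionary returned by `clear()` holds the kind of verification detail a disposition record can capture. A file-level overwrite like this does not reach remapped or wear-levelled blocks on flash media.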
Choosing a Disposal Method
When choosing a disposal method for electronic records, businesses should take a variety of factors into consideration. How many records are being disposed of? What will it cost? What are the environmental consequences of destroying data through incineration, pulverization or shredding tapes? Does the technique chosen meet all the necessary legal and compliance standards? Has each activity been documented to ensure all internal policies and guidelines are being met?
Confirmation of Disposal Certificate
Records that have been disposed of through overwriting, sanitization or destruction often require a written disposition certificate as proof that disposal has taken place. This certificate asserts that the records have been destroyed or disposed of, and the activity has been verified to ensure all identified electronic data has been removed.
The National Institute of Standards and Technology's Computer Security Resource Center includes a variety of publications to assist organizations in creating and implementing policies, standards and guidelines to manage technological security, including the proper disposal of electronic and digital records. Their Special Publication 800-88 Revision 1, Guidelines for Media Sanitization, updated in September 2012, provides detailed instructions and advice for organizations interested in disposing of their own records in a responsible and compliant fashion.
Using a Secure Data Disposition Service
Organizations may use the expertise and experience of a professional records management service as a simpler and more cost-effective means of secure electronic data disposition. Experts familiar with the federal, state and professional compliance requirements of your industry can complete the steps required to safely sanitize and dispose of old records, leaving organization staff free to carry on day-to-day business operations. Records management professionals receive ongoing training in the latest techniques for dealing with security and privacy breaches that may occur during the final phase of digital records management.