The Data Retention Policy to govern the retention and disposal of data within our Netspective Communications LLC. This policy ensures that we comply with legal, regulatory, and business requirements while safeguarding sensitive information. [FII-SCF-009-DCH-18]
Information Retention
-
Authorized users in the ordinary course of business can access information in a production or live environment. We define this as retention.
-
Information used in the development, staging, and testing of systems should not be retained beyond their active use period. Additionally, it should not be copied into production or live environments.
-
By default, the retention period of information is the active use period of exactly Two years from its creation. However, exceptions can be obtained to allow for longer or shorter retention periods. The business unit responsible for the information must request the exception.
-
Once the active use period of information is over, certain types of information may be archived for a defined period. After the defined archive period ends, the information must be destroyed.
-
Each business unit has the responsibility for creating, using, storing, processing, and destroying information in accordance with this policy. The information owner is considered to be the responsible business unit.
-
The Netspective Communications LLC’s legal counsel may issue a litigation hold to request the retention of information related to potential or actual litigation, arbitration, claims, disputes, or regulatory action. These instructions must be followed as directed by the legal counsel.
-
Upon separation and/or retirement, every employee and contractor associated with the company must return any information in their possession or control to the Netspective Communications LLC.
-
Information owners are responsible for enforcing the retention, archiving, and destruction of information. They must also communicate these periods to relevant parties.
Information Archiving
-
The company defines archiving as securely storing information in a way that makes it inaccessible to authorized users in the ordinary course of business but allows retrieval by a designated administrator appointed by company management.
-
Physical records (e.g., paper) must be archived in secured storage, either onsite or offsite, and clearly labeled in archive boxes indicating the information owner.
-
Electronic records must be archived with strict access controls set by the information owner, ensuring the confidentiality, integrity, and accessibility of the information.
-
-
The default archiving period for information is Two years, unless an approved exception permits a longer or shorter period. Information owners are responsible for requesting exceptions.
-
Information with a vital historical purpose, such as corporate records, contracts, and technical/trade secrets, may be granted an archiving period exceeding 7 years, as a guideline.
-
Information with a limited business purpose, such as email, travel itineraries, pre-trip advisories, or to comply with specific legal, contractual, and/or regulatory requirements (e.g., PCI DSS, GDPR, etc.), may be granted an archiving period less than 7 years, as a guideline.
-
-
At the end of the elapsed archiving period, information must be destroyed according to the defined process.
Information Destruction
-
The Netspective Communications LLC defines destruction as physically or technically rendering the information in the document irretrievable by ordinary commercially-available means.
-
The Netspective Communications LLC is responsible for maintaining and enforcing a detailed list of approved destruction methods suitable for each type of archived information. This applies to physical storage media such as CD-ROMs, DVDs, backup tapes, hard drives, mobile devices, portable drives, as well as database records and backup files. Physical information in paper form must be shredded using an authorized shredding device, and waste must be periodically disposed of by approved personnel.
The Netspective Communications LLC determines and enforces retention and archival periods for information that it creates, processes, stores, and uses.