Policy Regarding Data Retention for ITS-Owned Systems

Rev: July 1, 2021

Purpose

This policy establishes the retention period of data within systems owned by ITS and for which ITS is responsible for the disposition of deleted data.  This includes system and log files that are a routine record of events on systems.

Scope

This policy addresses user data that has been deleted by the user from the system as well as system and log files that provide hardware or operating system event data used to diagnose problems.  This policy does NOT include retention of data records not owned by ITS such as financial records, Human Resource documents, student records, and health data which are governed by specific legal requirements and under the purview of those departments. In case of conflict with the Wesleyan University Record Retention Policy, the Wesleyan University Record Retention Policy should be followed.

Roles

The retention of data and determination of useful retention of system logs is determined by system administrators under the direction of the  the Chief Information Security Officer, Deputy CIO and the Senior Director of Administrative Systems.  System administrators and database administrators are responsible for the execution of retention and adherence to the schedule.

Record Types

This policy addresses electronic data generated by systems in various formats (.txt, .tar, .zip, etc), data stored on Dragon, and all on-premise systems provided to the community for the storage of data. For user generated data, retention refers to the length of time a document is available for recovery once deleted by the user from the system.

This retention policy does not include data and email stored in Wesleyan’s Google Workspace and Office365 tenants. Office365 email is retained in Deleted Items until removed.  Once removed from Deleted Items, email is available for recovery for 14 days. Mail in the Google Trash folder (non-faculty and staff email is delivered to Google) is retained for 30 days and is not recoverable beyond that.

Litigation Hold

When ITS receives a litigation hold for electronic data from the General Counsel and Secretary of the University, the data and email as well as any associated backups as of the day of the hold are placed in litigation hold in systems designed for that purpose using Microsoft, Google , and Code42 litigation hold tools.  Any backup retention policies that would delete files older than 30 days are removed so that files are retained.  ITS will provide access to electronic records under a litigation hold as directed by the General Counsel and Secretary of the University.

Records Retention

ITS has document outlining the retention of system logs, responsible party and location.

User data, for the purpose of this document, data or email that has already been deleted by the user is retained via backup copies in the Code42 cloud.  Data that resides on user desktops/laptops is retained for 90 days beyond deletion. Once 90 days has passed, this data is permanently removed and no longer able to be recovered.  Data that resides on ITS provisioned on-premise storage (shared network drives and file locations) is retained for 120 days beyond deletion.