9.1 Disposition and Destruction of Records
Policy
Electronic or physical records containing confidential information must be properly disposed of so that the confidential information cannot be retrieved.
Discussion
Most records at Harvard are not kept permanently. The Harvard General Record Schedule (GRS), issued under the authority of a vote of the President and Fellows of Harvard College (the Corporation), defines the normal retention periods for various types of records. The Corporation has also voted policies that define what University Records are, as well as their ownership, preservation and access rules. (Find out more about Records Management)
The retention periods specified in the GRS are the minimum for which records must be retained; you are urged to transfer records to the archives or destroy them as soon as possible after the expiration of the retention period.
Under Massachusetts state law, records containing some types of confidential information must be disposed of properly when the time comes to dispose of them. The law does not dictate when, or if, records must be destroyed (see the GRS for Harvard's rules), but it does establish requirements for any destruction that is carried out. The types of personal information the law deals with are included in what Harvard calls "High-Risk Confidential Information." (See Section 1: High-Risk Confidential Information.)
The State is in the process of developing specific regulations to guide the understanding of the requirements of the law. The following guidelines can be used until those regulations are published.
The Massachusetts law states:
"(a) paper documents containing personal information shall be either redacted, burned, pulverized or shredded so that personal data cannot practicably be read or reconstructed;
(b) electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed."
Harvard has contracted with a paper shredding company to provide locked disposal bins as well as pick-up and destruction services in a way that meets the requirements of section (a) of this rule. (See Data Shredder information on the Harvard Procurement website.) Some personal paper shredders will likely also meet the requirements of section (a), for example, the newer crosscut shredders that produce very small shreds.
Merely removing a file in a computer will not meet the requirements of section (b) of this rule, since the data in the file itself is not actually removed from the disk. Applications that provide for secure erasure and do meet the requirements are available for Windows computers, and a secure file erasure function is built into Mac OS X.
Whenever a computer is decommissioned, all disks should be fully erased using a secure disk erasure application or physically destroyed.
In general, it is preferable to implement a written document destruction process and, when possible, to automate the process. However, any such process (automated or manual) must be able to be stopped if the Harvard Office of General Counsel (OGC) requests that data be preserved due to some legal proceeding.






