Personally Identifiable Information (PII) Retention and Destruction Policy

INTRODUCTION

PURPOSE

The Data Privacy Framework (DPF) provides Netenrich with guidance and standards to identify the process for retaining Personally Identifiable Information (PII) for the minimum allowable time period needed to fulfill the identified purpose, and to ensure secure deletion or destruction of PII data based on Netenrich’s approved record retention schedule.

SCOPE

The DPF applies to all departments and the individuals whose records are maintained by Netenrich.

The primary focus of this DPF is to retain collected PII for the minimum allowable time period necessary to fulfill the identified purpose(s).

OBJECTIVE

To set standards, inclusive of policies and procedures for:

  • Retention of collected PII for the minimum allowable time required to fulfill the identified purpose(s).
  • Disposing of, destroying or erasing PII, regardless of the storage method, after it passes the retention period, in a manner that prevents loss, theft, misuse or unauthorized access.
  • Legally compliant techniques or methods to ensure secure deletion or destruction of PII.

EXEMPTION

Any exceptions to this policy will require written authorization by the Data Protection Officer (DPO). Any exceptions granted will be issued a policy waiver for a defined period of time.

PII RETENTION AND DESTRUCTION

  • Netenrich data must be retained, stored, handled, and disposed of in compliance with the applicable regulations.
  • Each employee must notify [email protected] of any record types that should be added to or removed from the schedule.
  • Unless a business, legal, or regulatory need has been identified and communicated through Netenrich Privacy Governance, no discretion on retention periods or destruction dates is permitted. Destruction dates will be automatically calculated based on the retention requirements in the approved Records Retention Guideline.
  • Routine audits shall be performed to ensure that requirements of this Policy are met.
  • Netenrich has agreements with cloud service providers to purge or retain data as per contract.
  • Netenrich shall ensure that information is securely stored on its information system server/cloud.
  • Netenrich shall erase personal data without undue delay where it is no longer required to be retained.
  • Once no longer required, employees shall safely dispose of documents or media in shredding receptacles.
  • Media shall be sanitized prior to disposal or release for reuse.

REFRESH SCHEDULE

All policies and referenced documentation identified in this policy shall be subject to review and possible revision annually or upon request by Netenrich and its Management.