Account Data Retention Policy
Applicability
The purpose of this policy is to empower the Chief Information Security Officer (CISO) to define the controls and data retention rules related to user accounts. The policy subsequently serves to support the security, operational cost, and efficiency of Northern Michigan University.
Scope
This policy applies to all individuals formerly affiliated with Northern Michigan University. This includes, but is not limited to, former faculty, staff, and students. Data belonging to current faculty, staff, students, and/or affiliates will not be affected by this policy. Also, this policy does not apply to Extended Google Workspace accounts; data associated with Extended Google Workspace, as well as the definition of the Extended Google Workspace accounts, is governed by Information Technology Extended Google Workspace Policy.
Policy
The Chief Information Security Officer (CISO) will develop and implement appropriate controls over the deactivation of user accounts and the destruction of data associated with the accounts. The timing and criteria for deactivation and destruction will be published in a procedure attached to this policy so as to be available to the university stakeholders. The procedure will specifically address the type of account, as well as the length of time user account data will be kept after the user/account-holder ends their affiliation with the university.
It is the responsibility of each account holder to remove any data they require prior to deactivation and/or destruction. Instructions for removing the data will be published in the procedure.
Definitions:
Affiliation: For this policy and related procedure, a person’s affiliation with the university has ended when they cease to be an enrolled student; employed by the university; or a professional affiliate.
Extended access: continued access to the NMU Google Workspace.
Google Workspace: Google's productivity applications. This procedure will not be updated to reflect every change to Google product names. At the time the policy was initially approved, the Google Workspace application names included Gmail, Google docs, Google Meet, Google Sheets, etc. Going forward, the policy and procedure applies to the suite of Google’s connected productivity applications commonly offered to NMU email users, regardless of the proprietary names in place. Typically, this includes email, calendaring, documents, and spreadsheets and may also include more functions.
Retiree: An individual who meets the qualifications of retirement as defined by the Office of Human Resources at Northern Michigan University.
Related Policies:
Acceptable Use Policy
Information Technology Extended Google Workspace Policy
Establishing a Professional Affiliate Policy
Account Data Retention, Procedure
Procedure
This procedure does not apply to extended access to Google Workspace applications. See the Extended Google Workspace Policy.
For all other accounts, the CISO will direct a designate:
- To delete all data associated with a retiree user account when it has been inactive for four years. Data will not be deleted when retirees access the account at least once every 4 years; and
- To delete data belonging to all other individual user accounts two years after the individual’s affiliation with the university has ended. This includes shared drives accessed solely by user accounts that meet this criteria; and
- To impose drive space restrictions, remove admin rights, and/or impose read-only status on shared and personal drives accessed solely by non-active accounts or by non-active and external accounts; and
- To limit the ability to create shared drives to only active accounts; and
- To purge shared drives accessed solely by external accounts; and
- To restrict new admit accounts, meaning accounts belonging to students admitted but not yet attending NMU, solely to gmail (no Google Drive or other Google Apps) and restrict other access as deemed necessary.
In the event that an account and its associated data must be removed prior to the two year mark, the request must be reviewed and approved by the CISO or appointed delegate.
The CISO or a designate will update this procedure as necessary and communicate the relevant content to graduating students at least annually. In this way, students will be informed of the current retention expectations before they leave the university. Similar communication will be relayed to retirees.
Account types specifically identified to be deleted:
As of 12/30/22: Google Drive, NMU Drive, Myweb
Prior to the data being deleted, account holders will be notified by email, informing them that their data will be deleted and general instructions for removing the data. Prior to deletion, users may transfer all the data from their My Drive account by using Google’s “transfer ownership” function. Note that before data is deleted, the account will have been inactive for at least two years, and over four years for retirees.
Date Approved: | 3-21-2023 |
Last Revision: | 12-20-2024 |
Last Reviewed: | 12-20-2024 |
Approved By: | President |
Oversight Unit: | NETWORK OPERATIONS CENTER |