Virginia Regulatory Town Hall

Final Text

highlight

Action:
Regulations Governing the Destruction of Public Records ...
Stage: Final
 
17VAC15-120

CHAPTER 120
REGULATIONS GOVERNING THE DESTRUCTION OF PUBLIC RECORDS CONTAINING SOCIAL SECURITY NUMBERS

17VAC15-120-10

17VAC15-120-10. Definitions.

The following words and terms when used in this chapter shall have the following meanings unless the context clearly indicates otherwise:

"Backup tapes" means a copy of all or portions of software or data files on a system kept on storage media, such as tape or disk, or on a separate system so that the files can be restored if the original data is deleted or damaged and that are overwritten on a regular basis.

"Custodian" means the individual or organization having possession of and responsibility for the care and control of records. ]

"Electronic record" means records createdor, ] storedor accessed ] by electronic means, including but not limited to computer files and optically scanned files on tapes, disks, CD-ROMs or internal memory.

"Overwritten" means replacing previously stored data on a drive or disk with a predetermined pattern of meaningless information that renders the data unrecoverable.

[ "Pulped" means a technique of macerating paper documents by soaking them in water and grinding them into pulp. ]

"Retention period" means the required time period and disposition action indicated in a Library of Virginia-approved records retention and disposition schedule.

"Shredding" means destroying paper records by mechanical cutting. Cross-cut shredders cut in two directions, 90 degrees from the other.

Statutory Authority

§§ 42.1-8 and 42.1-82 of the Code of Virginia.

Historical Notes

Derived from Virginia Register Volume 25, Issue 6, eff. December 24, 2008.

17VAC15-120-20

17VAC15-120-20. Purpose; applicability ] .

Public The regulation establishes requirements that public ] records, regardless of media, that contain social security numbers must be shredded, pulped,burned incinerated ], made electronically inaccessible or erased so as to make the social security numbers unreadable or undecipherable by any means. These regulations apply only to those records whose retention periods have expired.

Statutory Authority

§§ 42.1-8 and 42.1-82 of the Code of Virginia.

Historical Notes

Derived from Virginia Register Volume 25, Issue 6, eff. December 24, 2008.

17VAC15-120-30

17VAC15-120-30. Procedures.

A. Paper records. Paper records shall be shredded, pulped or incinerated. If paper records are destroyed within an office or agency, records shall be shredded ] by a mechanical cross-cut shredder that reduces paper tostrips a size ] no wider than 3/8 inches. The custodian of the records must prepare a certificate of destruction that lists what records have been destroyed, who destroyed the documents, and the date of destruction.

If the shredding is done off site,by another agency or department, or by a contractor, ] locked bins are required to protect the records prior to shredding. Contractors doing the shredding must be bonded. The agency contracting for the shredding retains responsibility for protecting the social security numbers on the records until destruction.A representative of the contracting agency shall witness the destruction. ]

B. Electronic records. Agencies must establish procedures and processes to destroy social security numbers in public records that have reached the end of their retention period in electronic format and stored on information or recordkeeping systems.Agencies may maintain or destroy the physical media. ]

1. Files stored on a computer must not only be deleted but also overwrittento prevent the information from being reconstructed. Software programs that overwrite the data with meaningless data multiple times to totally obliterate the original data must be utilized for overwriting using software that overwrites the files with meaningless data to totally obliterate the original data and to prevent the information from being reconstructed ].

2. Back-up tapes must be overwrittenat the same time as all other copies are destroyed Tapes shall be held no longer than the conclusion of the retention period for the information contained in the tape to totally obliterate the original data ].

3. Data containing social security numbers on floppy disks, tapes and other magnetic storage devices must be overwritten.

a. Disks, tapes and other magnetic media must be shredded in a shredder to insure that the information is totally destroyed or the materials must be exposed to a powerful magnetic field to disrupt the information.

b. If magnetic media are used, the data must be reviewed to insure that the social security numbers are not retrievable.

3. If an agency plans to maintain the floppy disks, tapes or other magnetic storage devices, other than hard drives, with data containing social security numbers, the media must be:

a. Overwritten using software that overwrites the files with meaningless data to totally obliterate the original data; or

b. Exposed to a powerful magnetic field to disrupt the information. If a magnetic field is used, the data must be reviewed to ensure that the social security numbers are not retrievable. ]

4. CD-ROMs must beincinerated or ] physically broken, into several pieces, to be rendered unusable.

5. When disposing of computers that contain social security numbersor other privacy-protected information ], hard drives must be overwritten and inspected to insure noprivacy-protected data remains social security numbers remain ]. If data remains, the hard drive must be removed and disposed of separately by drilling to prevent it from being used again.

Statutory Authority

§§ 42.1-8 and 42.1-82 of the Code of Virginia.

Historical Notes

Derived from Virginia Register Volume 25, Issue 6, eff. December 24, 2008.