Section 17 VAC 15-120-30, B Electronic records Procedure #2 requires that “back-up tapes must be overwritten at the same time as all other copies are destroyed.  Tapes shall be held no longer than the conclusion of the retention period for the information contained in the tape.”  Procedure B, #5 introduces “other privacy protected information”   The first two comments relate to Procedure #2 and the third comment relate to Procedure #5 of the regulation.<-xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

1. Are back-up tapes considered records or non-records-  If they are non-records, does the Library Board have the authority to issue regulations regarding the physical destruction of social security numbers on back-up tapes or does the Virginia Information Technology (VITA) establish back-up tape policies and procedures for state agencies-    

2. Assuming the answer to the first question is that the Library Board has this authority, VITA and local Information Technology departments probably have varying policies and procedures for tape back-up creation and rotation.  One typical procedure for many IT groups is to backup Microsoft Exchange and Windows Servers nightly from Monday through Thursday or Friday, retaining those tapes for 30 days.  The last tapes of the week, either those created on Friday or Saturday, are retained for 90 days.  The last tapes created during the month are typically retained for 12 months.  These procedures would result in back-up tapes containing social security numbers being retained for as long as a year after the record might have been destroyed. Would such tape back-up and rotation procedures be in violation of section 17 VAC 1-120-30, B #2 that requires that back-up tapes be “overwritten at the same time”-   I recommend changing the requirement to either “30 days” or “60 days”.

3. Section 5 is the first place that “other privacy protected information” is introduced.  While think it important to protect other private information, this regulation’s title indicates it is for the destruction of social security numbers and “other privacy protected information” appears to have been added here as an afterthought, with the user not provided any information about what constitutes other privacy protected information.  I recommend identifying the other private information that requires this stringent regulation, if such requirements are warranted, or limiting the regulation to social security numbers.