Retention is defined as the maintenance of information in a production or live environment which can be accessed by an authorized user in the ordinary course of business.
Information used in the development, staging, and testing of systems shall not be retained beyond their active use period nor copied into production or live environments.
By default, the retention period of information shall be an active use period of exactly two years from its creation unless an exception is obtained permitting a longer or shorter retention period. The business unit responsible for the information must request the exception.
After the active use period of information is over in accordance with this policy and approved exceptions, information must be archived for a defined period. Once the defined archive period is over, the information must be destroyed.
Each business unit is responsible for the information it creates, uses, stores, processes and destroys, according to the requirements of this policy. The responsible business unit is considered to be the information owner.
The organization’s legal counsel may issue a litigation hold to request that information relating to potential or actual litigation, arbitration or other claims, demands, disputes or regulatory action be retained in accordance with instructions from the legal counsel.
Each employee and contractor affiliated with the company must return information in their possession or control to the organization upon separation and/or retirement.
Information owners must enforce the retention, archiving and destruction of information, and communicate these periods to relevant parties.