General Records Retention and Protection of Records Containing Personal and Confidential Information
Provides general guidelines to be followed by departments regarding the retention and destruction of records and specific procedures for the protection of records containing personal and confidential information.
May 13, 1958 Board Order, Synopsis 46
February 28, 2006 Board Order No. 23-A
May 2, 2006 Board Order No. 3
October 3, 2006 Board Order No. 16
Policy No. 6.100: Information Technology and Security
Policy No. 6.101: Use of County Information Technology and Security
Policy No. 6.106: Information Technology Physical Security
Policy No. 6.107: Information Technology Risk Assessment
May 8, 2007, Board Order No. 26
Policy No. 6.109: Security Incident Reporting
Policy No. 6.110: Protection of Information on Portable Computing Devices
Policy No. 6.111: Information Security Awareness Training
Policy No. 6.112: Secure Disposition for Computing Devices
County departments are to comply with the following general guidelines on records retention and specific procedures pertaining to protection of records containing personal or confidential information pending (1) Board of Supervisors' approval of the General Retention Schedules for common administrative records, which will be applicable to all County departments; and (2) Board of Supervisors' approval of the Retention Schedule specific to the records maintained by a particular department. Thereafter, each department must follow the General Retention Schedules; its specific Retention Schedule; and any policies and procedures approved by the Board of Supervisors regarding records management practices.
Records Retention – Generally
County departments shall retain records that are useful and/or are required by law (including State or Federal law) to be filed and/or preserved. However, County departments may destroy any record, paper or document that:
1. Is more than two years old unless it is required to be held longer pursuant to State or Federal law, County Charter or Ordinance, or Department policy;
2. Is of no further use to the department; and
3. Is not expressly required by any law (including State or Federal law) to be filed
Protection of Records Containing Personal or Confidential Information
County departments shall secure and appropriately dispose of all records, papers or documents with personal or confidential information.
Confidential information is information that is sensitive, proprietary or personal to which access must be restricted and whose unauthorized disclosure could be harmful to a person, process or to an organization.
Personal information is any information maintained by a department that identifies or describes an individual including, but not limited to, his or her name, social security number, physical description, home address, telephone number, education, financial matters, and medical or employment history.
Paper documents that contain personal or confidential information such as social security numbers, health-related information, or financial information must be properly stored and secured from view by unauthorized persons.
Secure measures must also be employed by all departments to safeguard personal or confidential data contained on all County information technology resources.
Departments must ensure that only authorized personnel may hold and have access to such information.
(See also Board of Supervisors Policies 6.100 Information Technology and Security, 6.101 Use of County Information Technology Resources, 6.106 Information Technology Physical Security, 6.107 Information Technology Risk Assessment, and 6.110 Protection of Information on Portable Computing Devices.)
Destruction of Records Containing Personal or Confidential Information
When records containing personal or confidential information are ready for destruction, departments shall destroy the information completely to ensure that the information cannot be recognized or reconstructed. In addition, any personal or confidential data contained on computer media must be obliterated and/or made indecipherable before disposing of the tape, diskette, CD-ROM, zip disk, or other type of medium.
Each department must provide appropriate methods and equipment to routinely destroy personal or confidential information. The safeguards listed are in priority order with the most highly recommended safeguard listed first. At the minimum, one of the following safeguards must be implemented:
• Conduct due diligence and hire a document destruction contractor to dispose of material either offsite or onsite.
o Require that the disposal company be certified by a recognized trade association.
o Require and validate that the disposal company's disk sanitizing software and/or equipment is approved by the United States Department of Defense.
o Review and evaluate the disposal company's information security policies and procedures.
o Review an independent audit of a disposal company's operations and/or its compliance with operations.
• Secure and utilize shredding equipment that performs cross-cut or confetti patterns.
• Secure and utilize a disk sanitizing (i.e., erasing) software program approved by the United States Department of Defense.
• Secure and utilize disk erasing equipment (e.g., degausser) approved by the Department of Defense or the National Security Agency.
• Modify the information to make it unreadable, unusable or indecipherable through any means.
(See also Board of Supervisors Policy 6.112 Secure Disposition of Computing Devices.)
Confidential Information Incident Reporting
Each department must disclose to the department's management including the Departmental Information Security Officer any actual or suspected incident in which confidential information is disclosed to, or obtained by, an unauthorized person. Notification of the security incident must be made in the most prompt and expedient manner after the incident has been discovered. In addition, any such incident must be reported to the Fraud Hotline at 800.544.6861 or the Auditor-Controller's Office of County Investigations website at www.lacountyfraud.org where protocols are in place to respond to the incident.
Within ten days, a letter notifying affected individuals of actual or suspected loss or disclosure of personal or confidential information must be sent by the impacted County department describing the types of information lost and recommended actions to be taken to mitigate the potential misuse of their information.
The Chief Information Security Officer must also be promptly informed of the security breach associated with electronic data in order to communicate with other County departments and identify appropriate measures and safeguards.
(See also Board of Supervisors Policy 6.109 Security Incident Reporting, and 6.111 Information Security Awareness Training.)
There are no exceptions to this policy.
Chief Executive Office
Chief Information Office
DATE ISSUED/SUNSET DATE
Issue Date: May 13, 1958
Sunset Review Date: May 13, 2003
Review Date: July 22, 2004
Sunset Review Date: May 13, 2006
Review Date: October 3, 2006
Sunset Review Date: October 3, 2010
Review Date: July 23, 2010
Sunset Review Date: October 3, 2014