Restricted Data: Retention and Destruction

Restricted data is subject to retention and destruction standards imposed
by federal and state laws, regulatory mandates, and campus policies.
The UF data retention schedule is available on the Smathers Library site.

As important as it is for faculty and staff to know data retention standards, it’s equally important to know how to properly discard restricted data. Different media requires different destruction methods. For example, just throwing away paper records or deleting restricted data from a PC or other device does not meet university requirements. Paper records, CDs, and DVDs with restricted data cannot be reused and should be cross-cut shredded or incinerated. The sanitization and destruction standards policy should be mandatory reading for anyone in the UF community prior to working with or handling restricted data.

UF Property Surplus provides campus with secure media disposal services. They have two drop-off locations, at Building 811 off of Elmore Drive and at the UFIT Help Desk in the Hub. Faculty and staff who have questions about working with or properly disposing of restricted data are welcome to email UF’s Information Security Office.

Work Safely with Restricted Data

Restricted data refers to data collected, maintained, or managed by the university or through any university activities that are restricted by special protections from federal or state laws, regulatory mandates, or contractual obligations. Improperly working with, storing of, or transmitting restricted data could result in the revocation of research certifications, university business partnerships, and federal and state grants. In addition to the legal liabilities and financial obligations placed on individual employees and the university, a breach or misuse of restricted data would negatively impact UF’s reputation.

Types of restricted data are listed here. They include, but are not limited to, student records (FERPA), protected health information (HIPAA), Social Security numbers and credit card information, and export controlled data (ITAR).

All faculty and staff are required to annually complete the Information Security Awareness training, which includes a section on working with restricted data. UF’s Mobile Computing and Storage Devices Policy explains security and encryption standards required for devices operating with restricted data. UFIT’s Integrated Risk Management team is available to help clarify data classifications and the technologies and tools cleared for use with restricted data. Anyone in the UF community with questions is welcome to email irm-uf@ufl.edu.