Approved Date – 02/22/2021
Published Date – 02/22/2021
Revised Date – 05/10/2024
1. Purpose
Ensure that data and electronic records belonging to the District of Columbia Government (District) are protected, properly maintained, and securely disposed of when they have reached their end of life.
2. Authority
DC Official Code § 1-1401 et seq., provides the Office of the Chief Technology Officer (OCTO) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District government. This document can be found at: https://code.dccouncil.gov/us/dc/council/code/sections/1-1402.
3. Applicability
This policy applies to all data and records belonging to the District workforce members performing official functions on behalf of the District, and/or any entity who receive enterprise services from OCTO. In addition, this policy applies to any provider and third-party entity with access to District information, systems, networks, and/or applications.
4. Policy
District agencies and departments must develop or adhere to a strategy which demonstrates compliance with this policy and its related standards. The following outlines the requirements for this policy. OCTO will review, update, and disseminate this policy annually at a minimum, to ensure accuracy, clarity, and completeness. The District's agencies must develop and review or update annually and after changes to the policy, a procedure in support of this policy with the following requirements.
4.1. Data and Records Retention
District agency must create a Records Retention Schedule (Schedule) which has been approved by the District’s Office of Public Records (OPR).
4.1.1. The Records Retention Schedule must, at a minimum, contain the following details:
- Record number
- Record title
- Record description
- Approved retention period
4.1.2. All datasets of an agency should be included in the agency’s Record Retention Schedule.
4.1.3. No data or records belonging to the District or any of its agencies shall be disposed of or deleted if such agency does not maintain an approved Records Retention Schedule.
4.1.4. If an agency has an approved Records Retention Schedule but the agency owns data or records that are not included in the approved Schedule, such data or records must not be disposed of or deleted until the Schedule has been updated to include all such data or records.
4.2. Records Retention Schedules Review
Under DCMR, title 1, section 1504.1(h), each agency must review all Records Retention Schedules annually to determine if additional datasets need to be added to the Schedule.
4.3. Disposal of Data and Records
The disposal of the District’s data and records must be done per the retention periods provided in the Records Retention Schedule, as well as the sanitation requirements provided in the Media Protection Policy.
4.4. Suspension of Data and Records Retention Schedule
The retention period specified in the Records Retention Schedule shall be suspended in the event of any of the following, which may require the District to preserve the affected data or records:
4.4.1. The District or any of its agencies is served with a subpoena or request for documents.
4.4.2. There is a governmental investigation or audit concerning the District or any of its agencies.
4.4.3. There is litigation or a “legal hold” against or concerning the District or its data and/or records.
5. Exemptions
Exceptions to this policy shall be requested in writing to the Agency’s CIO, and the request will be escalated to the Chief Information Security Officer (CISO), the Chief Data Officer (CDO), and the Public Records Administrator (PRA).
6. Definitions
The definition of the terms used in this document can be found in the Policy Definitions website.