Digital Files: Annual Security Review & Cleanup Program
This program is an annual effort to identify and remove sensitive data or data that is no longer necessary.
On this page:
Cleanup Goals: Things to Do
Step 1: Identify Sensitive or Confidential Data
Be mindful of the data you are responsible for, its sensitivity, where the data is stored, and if it is shared with others. In particular, be aware of regulated data such as student records, personal info or financial data. Applications like OneDrive and Penn+Box make it easy to share out files with others.
- Review OneDrive, Penn+Box, SharePoint, Outlook, and other applications that store data.
- Review data sharing in OneDrive: How to see files/folders you Shared in OneDrive.
- Review data sharing in Penn+Box: How to identify shared files/folders in Box.
It is important to review your sharing periodically, especially for sensitive files. Unsure of what is considered “sensitive” data?
Step 2: Delete/Redact Sensitive Data
Sensitive data should be reviewed to determine whether the file is still needed or if it can be deleted or redacted. In OneDrive/Penn+Box, remove sharing that is no longer necessary.
Not sure what you need to keep?
Step 3: Delete Unnecessary Old/Large Files
Many emails and files are saved and forgotten. Data that is no longer needed takes up valuable storage space and may pose a security risk.
Review OneDrive, Penn+Box, SharePoint, Outlook, and other applications that store data. Delete files that are no longer needed.
- Sort files by size and date to identify large or old files.
- Empty your Deleted Items folder in Outlook on a regular basis by right clicking on your Deleted Items folder and select ‘empty folder’: View detailed steps
Not sure what you need to keep?
ITS Partners: Review Aliases
If you are an ITS Partner, please review the aliases that you manage annually to confirm that the membership is accurate and that the alias is still necessary. Partners can edit aliases or contact email@example.com if an alias is no longer needed.
Why is this Cleanup Important?
One prominent area of risk is threats to confidential, personal or proprietary data that could cause significant harm to individuals or to Penn if compromised. Federal and state laws, industry practices, and principles of data stewardship have all driven home the fact that individuals who create, use, or maintain Confidential University Data are responsible for adequate protection of that data.
What to Retain vs. Delete?
The Best Way To Protect Data Is To Not Have It
While much data at Penn is necessary to our every day operations and to serving our mission, there is a lot of data in offices and computer systems that is no longer needed nor required to be kept. This unnecessary data should be destroyed to protect the individuals whose data is in these files and to protect Penn.
Generally, you should not store:
- Passwords (Use LastPass instead!)
- Social Security Numbers
- Credit Card Numbers
- Any sensitive or confidential data that you do not need to use
If you still need to keep social security numbers, this University policy recommends either converting them to Penn IDs or truncating them to the last 4 digits.
How Do I Know What Needs To Be Retained?
If you are unsure whether to keep certain types of records, please refer to the University Records Retention Schedule.
You must not destroy information that is an original and still within the records retention requirement.
- Nor should you destroy any information if there is an actual or likely claim, lawsuit, government investigation, subpoena, or other ongoing matter involving the records.
- When in doubt about what to keep and what to delete, please consult your supervisor or retain the information in a secure location. If you need to keep sensitive data for work, please consult with ITS for storage locations.
Below are Penn policies relevant to data security and privacy.