Digital Files: Annual Security Review & Cleanup Program

This program is an annual effort to identify and remove sensitive data or data that is no longer necessary.

Cleanup Goals: Things to Do


Step 1: Identify Sensitive or Confidential Data

Be mindful of the data you are responsible for, its sensitivity, where it is stored, and whether it is shared with others. In particular, be aware of regulated data such as student records, personal information, or financial data. Applications like OneDrive and Penn+Box make it easy to share files with others.

It is important to review your sharing periodically, especially for sensitive files. Unsure of what is considered “sensitive” data?

View Penn’s data sensitivity guide.


Step 2: Delete/Redact Sensitive Data

Sensitive data should be reviewed to determine whether the file is still needed or if it can be deleted or redacted. In OneDrive/Penn+Box, remove sharing that is no longer necessary.

Not sure what you need to keep?

View our retention and deletion guidelines below


Step 3: Delete Unnecessary Old/Large Files

Many emails and files are saved and forgotten. Data that is no longer needed takes up valuable storage space and may pose a security risk.

Review OneDrive, Penn+Box, SharePoint, Outlook, and other applications that store data. Delete files that are no longer needed.

Helpful Tips

  • Sort files by size and date to identify large or old files.
  • Empty your Deleted Items folder in Outlook on a regular basis by right-clicking your Deleted Items folder and selecting ‘empty folder’: View detailed steps

Not sure what you need to keep?

View our retention and deletion guidelines below


ITS Partners: Review Aliases

If you are an ITS Partner, please annually review the aliases that you manage to confirm that the membership is accurate and that the alias is still necessary. Partners can edit aliases or contact if an alias is no longer needed.

View alias guide for ITS Partners


Why is this Cleanup Important?

One prominent area of risk is threats to confidential, personal or proprietary data that could cause significant harm to individuals or to Penn if compromised. Federal and state laws, industry practices, and principles of data stewardship have all driven home the fact that individuals who create, use, or maintain Confidential University Data are responsible for adequate protection of that data.


What to Retain vs. Delete?

The Best Way To Protect Data Is To Not Have It

While much data at Penn is necessary to our everyday operations and to serving our mission, there is a lot of data in offices and computer systems that is no longer needed or required to be kept. This unnecessary data should be destroyed to protect the individuals whose data is in these files and to protect Penn.

Generally, you should not store:

  • Passwords (Use LastPass instead!)
  • Social Security Numbers
  • Credit Card Numbers
  • Any sensitive or confidential data that you do not need to use

If you still need to keep Social Security numbers, this University policy recommends either converting them to Penn IDs or truncating them to the last 4 digits.

How Do I Know What Needs To Be Retained?

If you are unsure whether to keep certain types of records, please refer to the University Records Retention Schedule.

  • You must not destroy information that is an original and still within the records retention requirement.
  • Nor should you destroy any information if there is an actual or likely claim, lawsuit, government investigation, subpoena, or other ongoing matter involving the records.
  • When in doubt about what to keep and what to delete, please consult your supervisor or retain the information in a secure location. If you need to keep sensitive data for work, please consult with ITS for storage locations.


Penn Policies

Below are Penn policies relevant to data security and privacy.