What to Retain vs. Delete?

With sensitive or confidential data, it is much safer to not store it. But what if you need to use this data for your work? What can you delete and what can you keep?

The Best Way To Protect Data Is To Not Have It

Keeping unnecessary data creates unnecessary risks. Unnecessary data should be destroyed to protect the individuals whose data is in these files and to protect Penn. To determine whether data is necessary, ask yourself:

Is it necessary to keep this information for business purposes?

If you are unsure whether to keep certain types of records, please refer to the University Records Retention Schedule.

Generally, you should not store:

  • Passwords
  • Social Security Numbers
  • Credit Card Numbers
  • Any sensitive or confidential data that you do not need to use

If you still need to keep Social Security numbers, University policy recommends either converting them to Penn IDs or truncating them to the last 4 digits.

How Do I Know What Needs To Be Retained?

You must not destroy information that is an original record and is still within the records retention requirement.

Nor should you destroy any information if there is an actual or likely claim, lawsuit, government investigation, subpoena, or other ongoing matter involving the records.

When in doubt about what to keep and what to delete, please consult your supervisor or retain the information in a secure location.

Review Penn Policies

We have gathered together an Overview of Penn’s Security & Privacy Policies. Please take a look and keep up to date on these resources, but here are some policies relevant to the cleanup program:


