Retaining and Storing

The potential for unauthorized disclosures increases with the length of time information is retained. You should keep information, both electronic and paper, only as long as it is required for business needs. Federal and state law and institute practice determine retention requirements. Consult with the office or policy that determines retention requirements. Securely dispose of all sensitive information unless you absolutely cannot do business without storing your own copy.

Do You Really Need to Store It?

Before you retain sensitive data, ask yourself if it is absolutely necessary to retain a copy locally. Does the Institute store the same information elsewhere? Try accessing and viewing the information from its primary source, rather than creating another copy that will require attention to protect. Review recommendations for determining the need for collecting sensitive data


Regulations of the data protection law of Massachusetts (.pdf) state that laptops and mobile devices that store sensitive data must be protected with encryption. Password protection is not enough, as most passwords can be quickly by-passed with the right tools. MIT's Security and Resilience team recommends whole-disk encryption versus file or folder encryption because only one master passphrase is needed to decrypt an entire device. It also allows for a passphrase recovery, should a computer's user forget the password or leave MIT. Both BitLocker (for PC) and FileVault (for Mac) are encryptions tools recommended by IS&T. Learn more about data encryption.

Tips for Safe Storage

All sensitive information in electronic format must be professionally secured. To prevent it from being compromised or stolen:

  • Ask your department which server is professionally secured for sensitive information storage.
  • Never store this information on your desktop workstation or laptop, USB drive, flash drive, or any mobile device/media unless: 
    a) the information is properly encrypted on the device and
    b) the senior manager of your team has provided written approval confirming a critical business need for you to do so.
  • Never store this information on personal storage areas, such as personal flash drives/discs, home computers, external emails, or external online storage services.
  • Verify that you're using a secured file server - many unauthorized exposures happen because files are placed on Web servers instead of File Servers.

Safeguards for Data Stored Locally

If you must temporarily store information locally in a file cabinet or MIT-owned desktop or laptop:

  • Encrypt electronic sensitive information
  • Always log off or lock your workstation when you step away, even for a moment
  • Use a backup service that encrypts the data, such as CrashPlan
  • If you store paper records, keep them in locked file/storage rooms and ensure that these records are not accessible to unauthorized personnel.

Accessing Stored Sensitive Data

Use an encrypted connection such as SSH, VPN or remote desktop to connect to the main storage location if you need access to sensitive information while off-site.

Log Retention

Unless otherwise required by contract or limited by resource constraints, log data should be retained for 90 days. Please visit the IS&T log retention policy page for more information.

>> Tools to Find, Delete or Protect Information