How long data is retained and available is identified and recorded and adheres to the minimum legal or business requirements. After this period, data is deleted and unrecoverable.
This includes sensitive data stored on hardcopy which needs to be properly shredded and destroyed.
Specification
In the education sector, there are a few products that specify minimum requirements, such as:
For universities/universiteiten, there is the 'Selectielijst Universiteiten en Universitair Medische Centra'. For universities of applied sciences/hogescholen, there is the 'Selectielijst hogescholen'. Within the MBO, a selection list: Documentair Structuur Plan MBO Raad.
ISO 27001 & 27002:2022
A5.33,
A5.34,
A7.10,
A8.13
SURF toetsingskader informatiebeveiliging (NBA-volwassenheidsmodel)
DM.04 Inrichting van opslag en retentie