IS&T records a variety of data about the operation and/or use of its services and stores this data for 90 days. The records are considered confidential. IS&T takes active measures to prevent unauthorized access during this retention period.
In setting the retention period, IS&T has weighed a variety of competing interests. Chief among them are the need to:
- Maintain robust operational reliability of MIT's network
- Respond to third parties who report issues that require investigation or resolution
- Limit log retention to reduce opportunities for inadvertent disclosure of operational data.
The following principles help guide IS&T’s retention and stewardship of retained records:
- Minimize retention periods to protect the privacy of our community.
- Maintain appropriate retention periods to ensure the support, operations, and security of the MIT IT environment.
- Distribute retention across primary and secondary storage to ensure resilient and efficient use of resources when storing records.
- Narrowly restrict record access to two-factor authentication to IT staff with appropriate operational roles.
- Leverage Office of General Counsel to determine when it is appropriate to share data beyond IS&T or preserve data in response to litigation or law enforcement requests.
There may be use cases in which resource, contractual or regulatory constraints dictate a retention period at variance with this policy:
- Logs or data in-scope of the Payment Card Industry (PCI) Data Security Standard (DSS): 1 year
Circumstances may arise in which specific data is kept for longer than 90 days and potentially disclosed to certain third parties. The use of any such retained data by authorized staff, and the release of any log information to third parties, are done under the direction and with the approval of MIT's Office of the General Counsel.
Cloud services and IT services operated by providers beyond IS&T may have record retention periods that exist beyond the scope and control of this policy.