A. Paper records. Paper records shall be shredded, pulped or incinerated. If paper records are destroyed within an office or agency, records shall be shredded by a mechanical cross-cut shredder that reduces paper to a size no wider than 3/8 inches. The custodian of the records must prepare a certificate of destruction that lists what records have been destroyed, who destroyed the documents, and the date of destruction.
If the shredding is done off site, by another agency or department, or by a contractor, locked bins are required to protect the records prior to shredding. Contractors doing the shredding must be bonded. The agency contracting for the shredding retains responsibility for protecting the social security numbers on the records until destruction. A representative of the contracting agency shall witness the destruction.
B. Electronic records. Agencies must establish procedures and processes to destroy social security numbers in public records that have reached the end of their retention period in electronic format and stored on information or recordkeeping systems. Agencies may maintain or destroy the physical media.
1. Files stored on a computer must not only be deleted but also overwritten using software that overwrites the files with meaningless data to totally obliterate the original data and to prevent the information from being reconstructed.
2. Back-up tapes must be overwritten to totally obliterate the original data.
3. If an agency plans to maintain the floppy disks, tapes or other magnetic storage devices, other than hard drives, with data containing social security numbers, the media must be:
a. Overwritten using software that overwrites the files with meaningless data to totally obliterate the original data; or
b. Exposed to a powerful magnetic field to disrupt the information. If a magnetic field is used, the data must be reviewed to ensure that the social security numbers are not retrievable.
4. CD-ROMs must be incinerated or physically broken, into several pieces, to be rendered unusable.
5. When disposing of computers that contain social security numbers, hard drives must be overwritten and inspected to insure no social security numbers remain. If data remains, the hard drive must be removed and disposed of separately by drilling to prevent it from being used again.
Derived from Virginia Register Volume 25, Issue 6, eff. December 24, 2008.