Publication Summary

Title	Information Deletion Policy
Author(s)	Alessandro Cardinali
Issued by	CEO
Version doc. Review freq.	0.1 Yearly
Date of issue	December 11, 2023
Owner	CEO/Founder
Document status	Draft – Final Draft - Final
Approval Date	n/a
Classification	Internal

Change Log

Version	Date	Author	Comments
0.1	December 11, 2023	Olaf Jacobson	First draft document

Table of Contents

Publication Summary 2

1 Introduction 4

1.1 Purpose of this document 4

1.2 Areas of the standard addressed 4

2 Information deletion policy 5

Introduction

Soon collects and processes a large amount of information during the course of its business activities and has a responsibility to protect that information at all times. However due attention must be paid to the end of the lifecycle of that information, specifically where it is no longer required for operational, legislative or other reasons, and so may be safely deleted. The alternative to deletion is to retain the information which, as well as using valuable storage, increases the potential impact of a breach and, in the case of personally identifiable information (PII), brings the organization into conflict with applicable privacy legislation.

Deletion activities must often be carried out in particular ways if the information is not to be vulnerable to later retrieval and this policy defines the overall framework within which deletion procedures must operate.

The benefits to Soon of effective information deletion on a regular and managed basis are significant, and include:

• More demonstrable compliance with privacy legislation

• Reduction in data storage requirements

• Reducing the impact of a data breach to both the organization and in many cases to the PII principal

• Evidence of compliance with the basic principle of data minimisation

• Simplification of datasets due to the removal of data that is no longer required

Information that is subject to this policy may be held in a variety of formats, including electronically and on paper.

This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Soon systems.

The following policies and procedures are relevant to this document:

• Privacy and Personal Data Protection Policy

• Records Retention and Protection Policy

• Procedure for the Disposal of Media

• Data Masking Policy

Purpose of this document

This document sets out the organization’s policy for the deletion of information stored in information systems, devices or in any other storage media, when no longer required.

Areas of the standard addressed

The following areas of the ISO/IEC 27001 standard are addressed by this document:

• A.5 Organizational controls

• A.5.1 Policies for information security

• A.8 Technological controls

• 8.10 Information deletion

Information deletion policy

It is Soon policy to delete information that is no longer required for operational, legislative or other, justifiable reasons.

Information deletion must be carried out in compliance with Soon retention policies which define how long various types of records must be kept for.

Consideration must also be given as to whether information may be useful to the organization in anonymized form, as defined in the Data Masking Policy.

Methods of information deletion may vary according to the way in which the information is stored and may include:

• Automated deletion after a specified period of time (for example for email)

• Using secure deletion software to ensure that information may not be retrieved

• For information held on paper, shredding using a cross-cut shredder

• Physical destruction of storage devices such as hard drives

• Manual deletion of information once no longer required (for example, temporary files at the end of a project)

• Restoration of factory settings (for example in the case of a mobile device)

Care must be taken to ensure that the most appropriate method of information deletion is used according to the circumstances, including consideration of the sensitivity of the information involved.

Where possible, evidence of the deletion of information (for example audit logs) must be recorded and retained for a specified period of time.

In cases where deletion is carried out by a third party, a relevant certificate or similar attestation of completion must be obtained.

The use of information deletion techniques must at all times take account of Soon’s compliance obligations under relevant privacy legislation.

Where information is to be deleted as a result of a legal request by a PII principal under relevant privacy law, care must be taken to ensure that the information involved is deleted from all locations in which it is held, including those of processors and sub-processors.

For information held in third party cloud services, due diligence must be carried out prior to contract signing to confirm that information deletion methods meet Soon requirements.

For information that is classified as very sensitive, periodic audits must be carried out to confirm that procedures have been followed correctly and that deleted information cannot be recovered. It may be appropriate to use a third-party supplier which has specific expertise in this field for this purpose.