Data Retention and Deletion Policy

Policy Version: 1.0

Effective Date: May 16, 2025

Last Reviewed: May 16, 2025

1. Purpose

This Data Retention and Deletion Policy (“Policy”) is established by Barrier Breakers Inc. (the “Company”) to define the systematic procedures for retaining, reviewing, and destroying documents and electronic information. The purpose of this Policy is to:

  • ensure compliance with applicable legal and regulatory requirements, including considerations under Maryland law such as the Personal Information Protection Act (PIPA);

  • manage information effectively and efficiently;

  • minimize the risks associated with retaining data beyond its necessary lifespan;

  • protect the privacy and confidentiality of personal and sensitive information entrusted to the Company, particularly that of its clients;

  • preserve information needed for operational, legal, fiscal, or historical purposes; and

  • respect the intellectual property rights associated with client-authored materials.

2. Scope

This Policy applies to all physical documents and electronically stored information (ESI) created, received, or maintained by the Company and its employees, volunteers, and authorized subcontractors in the course of their duties. This includes, but is not limited to: client records and communications; client-authored materials (e.g., personal statements, essays); administrative and operational records; financial records; email and other electronic communications; and data stored on Company-administered systems, including cloud services (e.g., Google Drive), local servers, and individual workstations. This Policy does not apply to non-archival, transitory information that has no business, legal, or historical value, such as internal working drafts that have been superseded by final versions, or informal notes not intended for official record-keeping. Drafts submitted by clients are Client-Authored Materials, contain Personal Information, and remain in scope regardless of whether a later version exists.

3. Definitions

  • Client: An individual who has engaged with the Company for advisory or other services.

  • Personal Information (PI): Any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual. This includes names, addresses, email addresses, phone numbers, IP addresses in system logs, and any sensitive disclosures made by clients. This definition is deliberately broader than the statutory definition in Maryland PIPA, which is triggered by an individual’s name in combination with specific data elements (e.g., Social Security number, driver’s license number, financial account numbers); the broader definition governs handling under this Policy, while the statutory definition determines breach notification obligations.

  • Client-Authored Materials: Original written works submitted by clients for review and feedback, such as personal statements, diversity statements, addenda, and narrative drafts.

  • Data Retention: The practice of keeping records for a specific period based on legal requirements, business needs, or historical significance.

  • Data Deletion/Destruction: The process of securely and permanently removing or destroying data so that it cannot be recovered or reconstructed.

  • Active Data: Information currently in use or regularly accessed for ongoing business operations.

  • Archival Data: Information that is no longer actively used but is maintained for long-term storage due to legal, regulatory, or historical reasons.

  • Legal Hold: A directive to preserve specific information that may be relevant to pending or anticipated litigation, audits, or investigations, overriding any scheduled deletion.

4. Roles and Responsibilities

The Executive Director is responsible for overseeing the implementation and enforcement of this Policy, ensuring its periodic review and updates, and addressing any questions or concerns related to data retention and deletion.

Employees, Volunteers, and Subcontractors are responsible for understanding and complying with this Policy in their daily activities, managing data according to the retention schedules, and seeking guidance when unsure.

IT Support is responsible for implementing technical measures for secure data storage, deletion, and backup management in accordance with this Policy.

5. Data Retention Principles

The Company will adhere to the following principles for data retention:

  • Purpose Limitation: Data will only be retained for as long as necessary to fulfill the legitimate business, legal, or advisory purposes for which it was collected or created.

  • Data Minimization: The Company will strive to collect and retain only the minimum amount of data necessary for its specified purposes.

  • Accuracy: Reasonable steps will be taken to ensure that retained data is accurate and kept up to date where necessary.

  • Storage Limitation: Data will not be kept indefinitely. Retention schedules will be established and followed.

  • Security and Confidentiality: Retained data, especially Personal Information and Client-Authored Materials, will be stored securely to protect against unauthorized access, disclosure, alteration, or destruction, in line with requirements such as Maryland PIPA.

  • Respect for Client Rights: The Company will respect clients’ rights concerning their data, including copyright in their authored materials and requests for deletion where appropriate and feasible.

6. Data Categories and Retention Schedules

The following retention periods are guidelines. Specific circumstances or legal requirements may necessitate adjustments. “End of Engagement” refers to the date the advisory services for a specific application cycle are formally concluded with the client.

Client-Authored Materials, such as personal statements, essays, addenda, and drafts submitted by clients, will be retained for 1 year after the End of Engagement, unless explicit, revocable consent for longer retention (e.g., for anonymized examples) is obtained, or a client requests earlier deletion.

Client Communications, such as emails, meeting notes, and feedback records directly related to advisory services, will be retained for at least 3 years after the End of Engagement. Because client communications frequently contain copies of Client-Authored Materials (e.g., an essay attached to an email), the shorter 1-year period for those materials applies to the attachment, and attachments should be removed or the message deleted when that period expires.

Client Administrative Data, such as contact information, service agreements, consent forms, and basic engagement details, will be retained for at least 5 years after the End of Engagement. Consent forms and records of revocation are retained for as long as any data they authorize is held, even if that exceeds 5 years.

Anonymized Client Work (if consent is obtained), such as excerpts or full works from which all identifying information has been removed and which are used for training or examples, will be retained as per the terms of consent, reviewed every 3 years for continued relevance, and deleted upon client revocation. Anonymization of narrative writing must remove not only names and contact details but also distinctive details (schools, employers, locations, dates, unusual life events) that could reasonably re-identify the author. Because honoring a revocation requires locating the client’s excerpts, a minimal mapping from each anonymized excerpt to the consenting client must be kept for as long as the excerpt is in use; that mapping is itself Personal Information and is stored and deleted accordingly.

Financial Records, such as invoices, payment records, expense reports, grant documentation, and donor records, will be retained for at least 7 years, or longer where required by accounting best practices and IRS regulations.

Operational Records (internal policies, non-client-specific meeting minutes, general administrative files) will be retained for 3 to 5 years, or longer if of historical significance to the Company. This is for business continuity and operational reference.

Website Analytics and Logs (aggregate website usage data, server logs) will be retained for 1 to 2 years. This is for system administration, security investigation, and trend analysis. Aggregate analytics are non-personally identifiable; raw server and access logs are not, since they normally record client IP addresses and user-agent strings, which fall within this Policy’s definition of Personal Information. Raw logs are therefore deleted, or truncated to aggregate form, at the end of this period, and are included in any Legal Hold that covers the relevant time window.

Employee and Volunteer Records, such as personnel files, contracts, and performance reviews, will be retained for 7 years after the end of employment or volunteer service, or longer where required by employment law. This is for legal and HR requirements.

Grant Applications and Reports (records of grants applied for and received by the Company) will be retained for the duration of the grant plus 7 years, or as specified by the grantor. This is for compliance with grantor requirements.

Note on Backups: Backup systems may retain data for a longer period according to their standard rotation cycle. However, data deleted from active systems in accordance with this Policy will not be restored from backups for operational use and will be overwritten as the rotation cycle completes. The rotation period of each backup system will be documented so that the date on which deleted data is actually gone (deletion date plus rotation period) can be stated when a client asks. Until that date, backup copies remain within the scope of any Legal Hold and of any breach notification obligation.

7. Data Deletion and Destruction Procedures

When a retention period expires, or when a valid and approved deletion request is received, data will be securely deleted or destroyed. Before deletion, the person performing it confirms that no Legal Hold or documented exception under Section 8 applies to the data.

For Electronic Data, this includes deletion from active systems, applications, and databases. For sensitive data, methods that prevent recovery (e.g., secure wipe, cryptographic erasure) should be used where feasible. Cryptographic erasure only works if the data was encrypted under a key that is itself destroyed from every location in which it was stored, including key backups and escrow copies; if the key survives anywhere, the data is recoverable. For standard deletions, overwriting or logical deletion that renders data non-retrievable through normal means is acceptable for a small organization. Data in cloud storage (e.g., Google Drive) will be deleted according to the platform’s procedures for permanent deletion (e.g., emptying the trash/recycle bin rather than relying on its automatic emptying). If the Company uses a Google Workspace retention rule (Google Vault), that rule preserves items even after users delete them and must be aligned with the schedules in Section 6. Deletion must also cover additional copies of the same data: email attachments, locally synced copies on workstations, exported spreadsheets, and copies in shared folders owned by another account.

For Physical Documents, destruction methods include cross-cut shredding, incineration (if available and appropriate), or the use of a professional confidential document destruction service.

For Hardware, storage media (hard drives, SSDs, USB drives) from decommissioned equipment will be physically destroyed or securely wiped before disposal or reuse. Simple overwriting is adequate for conventional magnetic hard drives but does not reliably reach every cell of a solid-state drive or USB flash device because of wear leveling; for those, use the device’s built-in secure-erase or sanitize command, rely on full-disk encryption and destroy the key, or physically destroy the media, consistent with the media sanitization guidance in NIST SP 800-88.

A log or record of significant data destruction activities (e.g., bulk deletion of client records after the retention period, disposal of storage media) may be maintained where appropriate. Where a log is kept, it records the date, the data category and approximate volume, the method used, the person who performed the destruction, and the approving authority; the log itself must not contain copies or excerpts of the destroyed data.

8. Exceptions and Legal Holds

Legal Holds: If the Company is notified of or anticipates litigation, an audit, a government investigation, or other legal proceedings, any data potentially relevant to such matters will be placed under a “Legal Hold.” Data subject to a Legal Hold will be preserved and will not be deleted or modified until the Legal Hold is lifted by the Executive Director, in consultation with legal counsel if necessary. A Legal Hold also suspends automated deletion of the affected data, including scheduled trash emptying and backup rotation, and the persons responsible for those systems will be notified of the hold in writing.

Other Exceptions: Exceptions to the retention schedules may be granted by the Executive Director for legitimate business or legal reasons. Any such exceptions must be documented.

9. Policy Review and Updates

This Policy will be reviewed at least annually by the Executive Director, or more frequently if there are significant changes in legal requirements, business operations, or technology. Updates will be communicated to all relevant personnel.

10. Compliance and Training

All employees, volunteers, and relevant subcontractors are required to comply with this Policy. The Company will provide training or awareness materials as needed to ensure the understanding of this Policy and its importance. Violations of this Policy may result in disciplinary action, up to and including termination of employment or contract. Concerns or questions regarding this Policy should be directed to the Executive Director.