LIS

Administrative Code

Virginia Administrative Code
12/5/2024

Chapter 120. Regulations Governing the Destruction of Public Records Containing Social Security Numbers

17VAC15-120-10. Definitions.

The following words and terms when used in this chapter shall have the following meanings unless the context clearly indicates otherwise:

"Backup tapes" means a copy of all or portions of software or data files on a system kept on storage media, such as tape or disk, or on a separate system so that the files can be restored if the original data is deleted or damaged and that are overwritten on a regular basis.

"Custodian" means the individual or organization having possession of and responsibility for the care and control of records.

"Electronic record" means records created , stored or accessed by electronic means, including but not limited to computer files and optically scanned files on tapes, disks, CD-ROMs or internal memory.

"Overwritten" means replacing previously stored data on a drive or disk with a predetermined pattern of meaningless information that renders the data unrecoverable.

"Pulped" means a technique of macerating paper documents by soaking them in water and grinding them into pulp.

"Retention period" means the required time period and disposition action indicated in a Library of Virginia-approved records retention and disposition schedule.

"Shredding" means destroying paper records by mechanical cutting. Cross-cut shredders cut in two directions, 90 degrees from the other.

Statutory Authority

§§ 42.1-8 and 42.1-82 of the Code of Virginia.

Historical Notes

Derived from Virginia Register Volume 25, Issue 6, eff. December 24, 2008.

17VAC15-120-20. Purpose; applicability.

The regulation establishes requirements that public records, regardless of media, that contain social security numbers must be shredded, pulped, incinerated, made electronically inaccessible or erased so as to make the social security numbers unreadable or undecipherable by any means. These regulations apply only to those records whose retention periods have expired.

Statutory Authority

§§ 42.1-8 and 42.1-82 of the Code of Virginia.

Historical Notes

Derived from Virginia Register Volume 25, Issue 6, eff. December 24, 2008.

17VAC15-120-30. Procedures.

A. Paper records. Paper records shall be shredded, pulped or incinerated. If paper records are destroyed within an office or agency, records shall be shredded by a mechanical cross-cut shredder that reduces paper to a size no wider than 3/8 inches. The custodian of the records must prepare a certificate of destruction that lists what records have been destroyed, who destroyed the documents, and the date of destruction.

If the shredding is done off site, by another agency or department, or by a contractor, locked bins are required to protect the records prior to shredding. Contractors doing the shredding must be bonded. The agency contracting for the shredding retains responsibility for protecting the social security numbers on the records until destruction. A representative of the contracting agency shall witness the destruction.

B. Electronic records. Agencies must establish procedures and processes to destroy social security numbers in public records that have reached the end of their retention period in electronic format and stored on information or recordkeeping systems. Agencies may maintain or destroy the physical media.

1. Files stored on a computer must not only be deleted but also overwritten using software that overwrites the files with meaningless data to totally obliterate the original data and to prevent the information from being reconstructed.

2. Back-up tapes must be overwritten to totally obliterate the original data.

3. If an agency plans to maintain the floppy disks, tapes or other magnetic storage devices, other than hard drives, with data containing social security numbers, the media must be:

a. Overwritten using software that overwrites the files with meaningless data to totally obliterate the original data; or

b. Exposed to a powerful magnetic field to disrupt the information. If a magnetic field is used, the data must be reviewed to ensure that the social security numbers are not retrievable.

4. CD-ROMs must be incinerated or physically broken, into several pieces, to be rendered unusable.

5. When disposing of computers that contain social security numbers, hard drives must be overwritten and inspected to insure no social security numbers remain. If data remains, the hard drive must be removed and disposed of separately by drilling to prevent it from being used again.

Statutory Authority

§§ 42.1-8 and 42.1-82 of the Code of Virginia.

Historical Notes

Derived from Virginia Register Volume 25, Issue 6, eff. December 24, 2008.

Website addresses provided in the Virginia Administrative Code to documents incorporated by reference are for the reader's convenience only, may not necessarily be active or current, and should not be relied upon. To ensure the information incorporated by reference is accurate, the reader is encouraged to use the source document described in the regulation.

As a service to the public, the Virginia Administrative Code is provided online by the Virginia General Assembly. We are unable to answer legal questions or respond to requests for legal advice, including application of law to specific fact. To understand and protect your legal rights, you should consult an attorney.