Data Retention Policies
SUDS Data Retention Policy:
Preamble
The National Conference of Insurance Guaranty Funds (NCIGF) has entered into agreements with member state insurance guaranty associations and insurance receivers to assist in the transfer and distribution of UDS data between receivers and the guaranty associations by offering the Secure UDS Process (SUDS). SUDS permits the parties to transfer UDS data through a secure server thereby giving greater protection to sensitive non-public personal information
Purpose
The purpose of this policy is to further minimize the potential exposure of personal data to the risk of accidental loss, interception, or disclosure to unauthorized persons by establishing the maximum period of time the records may remain posted on the SUDS system before they are deleted.
Data is covered by this policy
This policy applies to all UDS records that are transferred utilizing SUDS, and any miscellaneous records that may have posted or transmitted utilizing SUDS.
Retention Period
All records or files posted on SUDS will be deleted after 30 days from the date of posting.
Backup process for SUDS data
All records or files that are posted on SUDS will be backed up as a normal business process. All SUDS back up records will be deleted in accordance with the standard SUDS retention period.
Automated process
SUDS will automatically delete any records or files that are still posted on the system after 30 days from the date of posting. NCIGF will be unable to recreate or resend any files after the records are deleted from the system.
Notification
SUDS users are expected to promptly retrieve their data from SUDS after it is posted. If files remain on SUDS after 10 days, SUDS will generate an email to the recipient (and sender?) reminding the recipient that the records are ready to be retrieved. A second and final email reminder will be generated after 20 days.
Responsibility for implementation of retention policy
NCIGF’s chief IT Officer shall be responsible for implementation and maintenance of this policy.
Discovery request for SUDS data
In the event NCIGF becomes aware of any third party requests to disclose SUDS data, NCIGF will immediately notify the receiver whose data was requested, and provide copies of such request and accompanying documents so that the receiver may seek a protective order or other appropriate remedy, or authorize the release of the data. Upon receipt of such request, NCIGF will suspend the SUDS destruction schedule for the affected receiver until such time as the matter is resolved.
UDS Data Mapper Data Retention Policy:
Preamble
The National Conference of Insurance Guaranty Funds (NCIGF) provides the UDS Data Mapper free of charge to liquidators to assist with the production, validation, and distribution of UDS, document images, and other insolvency related data (collectively referred to as “The Data”) to our member Guaranty Funds. The Data Mapper provides a secure and uniform way for liquidators to send “The Data” to Guaranty Funds.
Purpose
The purpose of this policy is to minimize the potential exposure of personal data to the risk of accidental loss, interception, or disclosure to unauthorized persons by establishing the maximum period of time The Data may remain on NCIGF infrastructure, servers, file systems, databases, etc.
Data covered by this policy
This policy applies to all data stored in the UDS Data Mapper database, any file system directories that contain claims images that the Data Mapper code interacts with, and any other non-SUDS file systems to which the UDS Data Mapper writes and/or interacts.
Retention Period
Barring extenuating circumstances, The Data is subject to automatic deletion 24 months after it was first loaded. At intervals of 12 and 18 months, NCIGF staff will contact the liquidator to make a determination as to whether or not The Data can be deleted. If at any time it is determined that the liquidator does not need to maintain The Data within the Data Mapper, The Data will be promptly deleted.
Extenuating Circumstances
If it is determined that the liquidator is unable and/or unwilling to maintain The Data after the 24 month period, an exception to the retention period may be granted after consulting with NCIGF senior management and the NCIGF Executive Committee. If an extension is granted, NCIGF shall consult with the liquidator in intervals of not more than six months to determine when the data can be deleted.
Backup process for The Data
The Data Mapper server is subject to a 30 day maximum backup schedule. Only up to 30 days worth of server backups are maintained, after which the backups are overwritten.
Automated process
Data greater than 24 months old will be automatically deleted with no notification provided. Data between 12-24 months old may be deleted after consultation with and granted permission by the liquidator. Any data deleted per this process must be documented in writing via an email to the liquidator or other written communication.
Notification
Data Mapper users will be notified of the retention policy in writing after having their Data Mapper accounts activated.
Responsibility for implementation of retention policy
NCIGF’s Chief Information Officer shall be responsible for implementation and maintenance of this policy.