Ex Libris Data Retention Policy
Version 1.6
Purpose and Scope
Ex Libris, part of Clarivate, is committed to protecting our systems, information, and our customers’ information. The purpose of this Policy is to ensure that necessary records and documents are adequately protected and maintained and to ensure that records that are no longer needed by Ex Libris or are of no value are discarded at the proper time. This policy defines the retention requirements for customer data in the Ex Libris SaaS service and Ex Libris business systems and data. This policy applies to all Ex Libris employees or contractors working on behalf of Ex Libris as well as Ex Libris customers using Ex Libris products.
Reference Documents
Policy
Ex Libris will define a retention schedule for all systems and data in use within the organization and will document them in the Data Retention Schedule.
Data retention for customer data – SaaS Services
The customer is in full control of the customer data stored through the Ex Libris SaaS service and has responsibility to determine the retention scheme for the customer data.
The Ex Libris contract specifies that customer data will be available in industry-standard format for download upon termination or completion of the service (free of charge). Except as otherwise agreed or required by applicable law, the customer will have 30 days to download such data before it is deleted and, thereafter, all such customer data (including backups) will be cycled out of the SaaS service systems and deleted within 120 days.
Responsibilities
Employees and Contractors
All employees who create and use records and information are responsible for maintaining Ex Libris records according to this policy.
Management and Business Units
All levels of management within Ex Libris are responsible for ensuring compliance with this policy within their respective group, region, or function.
They are responsible for ensuring that their employees know where to locate the current Data Retention Schedule and that hard copy and electronic files are kept, stored, or destroyed in compliance with this Policy.
Customers
All customers using Ex Libris products.
Business Systems
Ex Libris business systems include:
- Instant Messaging
- Business server logs
- Storage
- IT authentication
- Helpdesk ticketing
- CRM, Sales, Marketing
- HR
- Learning and Certification
- ITSM
- Internal ticketing
- Finance
- Ex Libris websites
- Knowledge Center
Retention Requirements
- Ex Libris will retain or destroy data files in compliance with the retention periods stated in the Data Retention Schedule.
- The retention periods provided in the Data Retention Schedule are intended to be as short as possible to minimize the volume of Ex Libris Records while still complying with legal, contractual, and/or operational requirements. Records will be kept only for the period stated in the Schedule and will be destroyed or discarded at the stated retention period expiration.
- For the business systems listed above, the retention policy will follow Clarivate Retention Policy and Clarivate will manage retention.
Safeguarding of Data
Measures will be taken to ensure that the information can be accessed by authorized users during the retention period (both with respect to the information carrier and the readability of formats) and will also be stored according to its classification level. For Ex Libris internal systems, the responsibility for the storage belongs to IT/MIS team.
Disposal of Data
As data expires according to the Retention Schedule, the data will be deleted, shredded or otherwise destroyed in accordance with its classification and destruction requirements.
Policy Enforcement
The Ex Libris Chief Information Security Officer (CISO) is responsible for ensuring compliance with this policy and will assist with the protection of Ex Libris data.
Any employee found to willfully or intentionally violate this policy may be subject to disciplinary action, up to and including termination of employment.
| Type of Information | Document Data |
|---|---|
|
Document Title: |
|
|
Document Owner: |
Eddie Lavian - Security Specialist |
|
Approved by: |
Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO) |
|
Issued: |
Jul 05, 2017 |
|
Reviewed & Revised: |
Aug 29, 2022 |
| Version Number | Nature of Change | Date Approved |
|---|---|---|
|
1.0 |
Initial version |
Jul 05, 2017 |
|
Review and update – Tomer S |
May 14, 2018 |
|
|
Review and update – Tomer S |
Jun 3, 2018 |
|
|
Review and update – Tomer S |
Jun 5, 2019 |
|
|
Review and update – Tomer S |
Oct 29, 2020 |
|
|
Review and update – Tomer S |
Sep 01, 2021 |
|
|
1.6 |
Review and update – Shai B |
Aug 29, 2022 |
Document Distribution and Review
The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver