Ex Libris Data Retention Policy
Version 1.4
Purpose and Scope
Ex Libris, a Pro Quest Company, is committed to protecting our systems, information, and our customers’ information. The purpose of this Policy is to ensure that necessary records and documents are adequately protected and maintained and to ensure that records that are no longer needed by Ex Libris or are of no value are discarded at the proper time. This policy defines the retention requirements for customer data in the Ex Libris SaaS service and Ex Libris business systems and data. This policy applies to all Ex Libris employees or contractors working on behalf of Ex Libris.
Ex Libris business systems include:
- Instant Messaging
- Business server logs
- Storage
- IT authentication
- Helpdesk ticketing
- CRM, Sales, Marketing
- HR
- Learning and Certification
- ITSM
- Internal ticketing
- Finance
- Ex Libris websites
- Knowledge Center
Reference Documents
Policy
Ex Libris will define a retention schedule for all systems and data in use within the organization and will document them in the Data Retention Schedule.
Data retention for customer data – SaaS Services
The customer is in full control of the customer data stored through the Ex Libris SaaS service and has responsibility to determine the retention scheme for the customer data.
The Ex Libris contract specifies that customer data will be available in industry-standard format for download upon termination or completion of the service (free of charge). Except as otherwise agreed or required by applicable law, the customer will have 30 days to download such data before it is deleted and, thereafter, all such customer data (including backups) will be cycled out of the SaaS service systems and deleted within 120 days.
Responsibilities
Employees and Contractors
All employees who create and use records and information are responsible for maintaining Ex Libris Records according to this Policy.
Management and Business Units
All levels of management within Ex Libris are responsible for ensuring compliance with this Policy within their respective group, region, or function.
They are responsible for ensuring that their employees know where to locate the current Data Retention Schedule and that hard copy and electronic files are kept, stored, or destroyed in compliance with this Policy.
Retention Requirements
- Ex Libris will retain or destroy data files in compliance with the retention periods stated in the Data Retention Schedule.
- The retention periods provided in the Data Retention Schedule are intended to be as short as possible to minimize the volume of Ex Libris Records while still complying with legal, contractual, and/or operational requirements. Records will be kept only for the period stated in the Schedule and will be destroyed or discarded at the stated retention period expiration.
Safeguarding of Data
Measures will be taken to ensure that the information can be accessed by authorized users during the retention period (both with respect to the information carrier and the readability of formats) and will also be stored according to its classification level. For Ex Libris internal systems, the responsibility for the storage belongs to IT/MIS team.
Disposal of Data
As data expires according to the Retention Schedule, the data will be deleted, shredded or otherwise destroyed in accordance to its classification and destruction requirements.
Overall responsibility for the disposal of data belongs to the IT/MIS team for business systems and Cloud team for Cloud systems.
Policy Enforcement
The Ex Libris Chief Information Security Officer (CISO) is responsible for ensuring compliance with this policy and will assist with the protection of Ex Libris data.
Any employee found to willfully or intentionally violate this policy may be subject to disciplinary action, up to and including termination of employment.
| Type of Information | Document Data |
|---|---|
|
Document Title: |
Ex Libris Data Retention Policy |
|
Document Owner: |
Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO) |
|
Approved by: |
Barak Rozenblat - VP Cloud Services |
|
Issued: |
Jul 05, 2017 |
|
Reviewed & Revised: |
Oct 29, 2020 |
| Version Number | Nature of Change | Date Approved |
|---|---|---|
|
1.0 |
Initial version |
Jul 05, 2017 |
|
Review and update – Tomer S |
May 14, 2018 |
|
|
Review and update – Tomer S |
Jun 3, 2018 |
|
|
Review and update – Tomer S |
Jun 5, 2019 |
|
|
1.4 |
Review and update – Tomer S |
Oct 29, 2020 |
Document Distribution and Review
The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver