S 2.3 Data media control
Initiation responsibility: Head of Organisation, Head of IT
Implementation responsibility: Specialists Responsible, Archive Administrator
The role of data media control, as part of resource management, is to guarantee the required range of access to the data media as well as access within an appropriate period of time. This calls for well-regulated management of the data media, including a requirement for consistent labelling and the need to maintain a list of the inventory. Furthermore, as part of data media control, the proper handling and storage of data media, their proper use and transport, and finally, the deletion and/or destruction of the data media must be ensured. Most organisations have a tried and tested procedure for the administration of analogue data media, namely the classic file folder. For this reason, this safeguard emphasises digital data media, although the general idea behind each of the recommendations also applies to all other types of data media.
Inventories provide quick and direct access to data media. Inventories provide information on, for example, the storage location, the retention period, and authorised recipients.
Placing labels on the outside of the data media makes it easy to identify them quickly. However, to discourage any misuse, the labels should not provide any clues as to the contents of the data media (for example, a magnetic tape should not be labelled with the keyword "telephone charges"). A predefined set of identification characteristics (e.g. the date, file structure, serial number) will facilitate integration into existing inventories.
For proper handling of data media, the manufacturer specifications usually found on the packaging must be followed. For the storage of data media, safeguards are to be implemented both to protect the media themselves (protection against magnetic fields and dust; proper air conditioning) and to prevent unauthorised access (suitable containers, cabinets, rooms).
The data media must be mailed or transported in such a manner that damage to the data media can be ruled out as far as possible (e.g. by using the proper envelopes for magnetic tapes or by using padded envelopes). The data media must be packaged according to the protection requirements of the data on the media (e.g. using lockable transportation containers). The type of mail or transportation mode (e.g. transportation by courier), the package tracking procedures (e.g. routing slips, shipping notes), and the type of delivery confirmation (e.g. confirmations of receipt) for the items mailed or shipped must be specified. The data medium must not contain any "residual data" other than the data that is to be sent. The residual data can be physically deleted. If the necessary tools are not available to delete the residual data, then the data medium must at least be reformatted. When the medium is reformatted, it must also be ensured that the format command cannot be undone on the operating system used.
It must also be ensured that backup copies of the data media are made before they are transferred. Additional information on the mailing and transportation of data media can be found in module S 5.2 Exchange of Data Media.
When data media are transferred internally, it is possible to implement specific procedures such as the introduction of a receipt system, a pick-up/collection authorisation procedure, and maintenance of an inventory containing the locations of the data media.
If data media obtained from third parties are used, rules must be made specifying how to handle the data media before use. For example, when data is transferred digitally, the data medium and the data records should generally be scanned for computer viruses. A virus scan should also be performed on all new data media before they are used for the first time. It is recommended to scan the digital data media for computer viruses not only when they are received, but also before they are sent out.
A procedure specifying how to delete or destroy data media will prevent the misuse of the data stored on the media. Before reusing a data medium, the data stored on the medium must be deleted (see also S 1.15 Deleting and destroying data).
Review questions:
- Are up-to-date inventory lists available for all data media in use?
- Are data media handled properly according to the manufacturer specifications?
- Are there rules for the proper handling, including storage, transfer, transport, and deletion, of all types of data media?