Totally apart from the issue of whether screening is a good idea or not, I want to start a discussion of how to implement this thing.
I have a few thoughts that I want to get out there.
How are teams implementing the data retention policy?
From the document FRCFAQ.pdf:
** D. MAINTAIN FILES: **
- Store completed consent forms in a secure location.
- Print and store the web page with the “Completed” findings for each screening.
- Maintain each year’s file for 3 years for each team.
Our team is not unlike any team in that we are a pretty transient group of people. By this I mean that folks who are 1000% behind the program one year, may be an hour here and there the next (for a million reasons, work, family, burnout, or whatever).
As I understand FIRST’s policy, teams are suppose to keep the personal information from the team members they checked for 3 years. But how do we keep them secure? Where do we store them? How do we make sure that the records do not get lost or tossed when perhaps the team member designated as the keeper of the records this year goes dormant next year? How do we get rid of the data safely and securely after 3 years?
Many many questions.
My own initial thinking on this subject is that “interpret” the rules above to not mean literally “print and store” but to mean “be able to print such things if requested to do so by FIRST or other proper authority.” Once this slight of hand is accomplished, I would propose that teams get some “strong encryption” software. We could compile all the data requested into one zip file (via scanning or copying and pasting screen dumps for example). Then we could encrypt this file with a secret password that only one or perhaps 2 folks would know. Once encrypted, we could store the file in a password protected part of our website (this is just to keep most prying eyes from even getting the chance to break the encryption scheme).
The only part I don’t have is how to make the data unavailable after 3 years. Backup copies of websites, etc. make this harder to do than you might think.
Does anyone know of a foolproof way to make an encrypted file not decodeable after a fixed date?
Anyway, I would like folks to comment/share ideas on how to safely and conveniently implement the rules on data retention.