The institution shall protect (i.e., physically control and securely store) system media containing paper and digital media.
The institution shall limit access to system media to authorized users.
The institution shall sanitize or destroy system media before disposal or release for reuse.
Conduct regular audits and assessments to ensure compliance.
The public institution shall ensure identification of records and their retention period, considering legislation or regulations and community or societal expectations, if applicable.
Law Nº 058/2021 of 13/10/2021 relating to the protection of personal data and privacy in Rwanda (article 52). Information systems shall permit the appropriate destruction of records after that period if the institution does not need them.
