A Business/Organization/Institution is responsible for the Private Information they collect. Only collect sensitive personal identifying information that has a legitimate business need. Then only keep it for as long as you need it.
Social Security Numbers should only be used for required and lawful purposes – like taxes. Never use all or part of a SSN as an employee or customer ID number. Losing your employees’ SSN to identity thieves will destroy morale and productivity.
Credit Card and Debit Card numbers need to be truncated to no more than the last 5 digits on electronically printed receipts. The expiration date cannot be printed on the receipt. If you must use impression paper receipts (the old slide-over card machines with 3-part carbons), destroy the carbons and mark out all but the last 5 digits of the card number, and the expiration date, on the customer’s receipt.
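The receipt rule above (at most the last 5 digits of the card number, no expiration date) is easy to check mechanically. The following is an added example, not code from the original page: a small Python sanitizer that masks any full card number found in receipt text, strips a labelled expiration date, and an audit function that reports what an unsanitized receipt would have leaked. The retained-digit count, the receipt layout and the sample receipt are constructed assumptions; the Luhn check is used only to reduce false positives in the audit.

```python
import re

# Rule as stated on the page: keep no more than the last 5 digits.
# (Assumption: treated as a configurable upper bound, never raised.)
KEEP_LAST_DIGITS = 5

# Heuristic: any run of 13-19 digits, optionally separated by spaces or
# dashes, is treated as a possible card number (PAN).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Label-anchored expiration date (EXP 12/27, Exp. Date: 12/2027, ...) so that
# ordinary receipt dates such as 03/15/2024 are left alone.
EXPIRY_RE = re.compile(
    r"\bexp(?:iration|iry|ires|\.)?(?:\s*date)?\s*:?\s*(0[1-9]|1[0-2])/(\d{2}|\d{4})\b",
    re.IGNORECASE,
)


def luhn_ok(digits):
    """Luhn checksum; True for well-formed card numbers (used in the audit only)."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_pan(pan, keep_last=KEEP_LAST_DIGITS):
    """Replace every digit except the last keep_last with '*'.
    Separators are preserved so the receipt layout does not change."""
    digits = [c for c in pan if c.isdigit()]
    if len(digits) < keep_last:
        raise ValueError("card number shorter than the retained suffix")
    cutoff = len(digits) - keep_last
    seen, out = 0, []
    for c in pan:
        if c.isdigit():
            out.append(c if seen >= cutoff else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def sanitize_receipt(text):
    """Mask every candidate card number (over-masking is the safe failure)
    and replace any labelled expiration date, which must not be printed."""
    text = PAN_RE.sub(lambda m: mask_pan(m.group(0)), text)
    return EXPIRY_RE.sub("EXP **/**", text)


def receipt_violations(text):
    """Audit check: list the rule violations a receipt would contain if printed as-is."""
    problems = []
    for m in PAN_RE.finditer(text):
        digits = [c for c in m.group(0) if c.isdigit()]
        if luhn_ok(digits):  # skip long auth/reference numbers that are not PANs
            problems.append(f"unmasked {len(digits)}-digit card number")
    if EXPIRY_RE.search(text):
        problems.append("expiration date printed")
    return problems


# Constructed sample receipt (the card number is a standard test number).
RECEIPT = """ACME HARDWARE  03/15/2024
VISA 4111 1111 1111 1111  EXP 12/27
AUTH 048213
TOTAL $42.17
"""

if __name__ == "__main__":
    print(receipt_violations(RECEIPT))
    print(sanitize_receipt(RECEIPT))
```

Run the audit function against your point-of-sale output before it reaches the printer; an empty list from `receipt_violations` is the condition to require.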
Do not keep customer credit card information unless you have a very good reason – monthly billing, for example. Keeping the number, expiration date and CVV code increases your risk of being the source of credit card fraud. You could end up liable for 5, 6 or 7 figure fees and judgments. Yes I said over a million dollars.
Make sure you are PCI-DSS compliant. The Payment Card Industry Data Security Standard was created to increase controls around cardholder data to reduce credit card fraud. Your card processing company is charging you a monthly fee if you are not compliant.
A written policy needs to be created identifying what information is kept, how it is secured, how long it is kept, and the method of disposal.
Don’t collect it if you don’t need it. If you need it, protect it.