What should I do if I find an old spreadsheet full of customer Social Security numbers we no longer need?
Finding a forgotten spreadsheet full of Social Security numbers (SSNs) is a common and serious moment in records work. SSNs are among the most sensitive personally identifiable information (PII), and an old, unmanaged file like this is exactly the kind of liability that good records governance is meant to prevent. The instinct to delete it right away is understandable, but resist it for a moment: a few deliberate steps protect both the individuals involved and your organization.
Don’t delete it yet — confirm its status first
Before disposing of anything, verify that the data truly is no longer needed.
- Check the retention schedule. A record’s appearance of being “obsolete” is not the same as having reached the end of its required retention period. Confirm the applicable schedule or legal requirement.
- Check for legal holds. If the file could be relevant to litigation, an audit, or an investigation, it must be preserved regardless of its age.
- Confirm there is no system of record obligation. Make sure the data isn’t the only copy of something the organization is required to keep.
If a retention requirement or hold applies, secure the file (restrict access, encrypt) rather than destroying it.
If it has met retention, dispose of it securely
Once you confirm the file is eligible for disposal, eliminate it in a documented, irreversible way.
- Use secure deletion appropriate to the medium — overwriting or cryptographic erasure for digital files, not just moving them to a recycle bin.
- Remember backups and copies. SSNs often linger in email attachments, shared drives, and backup snapshots. Track down and address each copy.
- Document the disposition (what, when, authority relied on) so you have a defensible record that destruction was routine and authorized.
Address the root cause
This spreadsheet is a symptom of a data-minimization gap. Ask why SSNs were collected and retained in an unmanaged file in the first place, and whether similar files exist. Reducing the PII you hold is the single most effective way to shrink risk.
Finally, if there’s any sign the file was exposed or accessed inappropriately, treat it as a potential incident and engage your privacy or legal team, as breach-notification obligations may apply.
For more on handling sensitive personal data, see the privacy and PII topic hub.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- General Records Schedules — National Archives (NARA)
How to cite this page
APA
RM University Editorial. (2026). What should I do if I find an old spreadsheet full of customer Social Security numbers we no longer need?. Records Management University. https://www.recordsmgmt.org/questions/what-to-do-with-old-spreadsheet-of-social-security-numbers/
MLA
RM University Editorial. "What should I do if I find an old spreadsheet full of customer Social Security numbers we no longer need?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/what-to-do-with-old-spreadsheet-of-social-security-numbers/.
Related questions
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?