Information Technology
Information Technology
President's Cabinet
Date of Approval: November 11, 2011
Date of Last Revision:
Next Review Date:
The Records Management Policy provides a framework for securing records and the data they contain from risks including, but not limited to, unauthorized destruction, modification, disclosure, access, use, and removal. This policy outlines measures and responsibilities required for retaining, securing, and destroying University records. It shall be carried out in conformity with state and federal law.
Reason for Policy/Purpose
This policy covers all records which must be maintained to meet the fiscal, legal, historical or administrative needs of Heritage University. Included also are any records that for any other reason contain confidential or restricted data. All other records should be retained or destroyed at the discretion of the responsible department, but are not eligible for storage in the University-provided storage facility.
Who Needs to Know This Policy
This policy applies to all University academic and administrative offices and departments that collect, maintain, and/or develop records as defined by this policy, and to all user-developed data sets and systems that may access these records, regardless of the environment where they reside (including systems, servers, personal computers, laptops, and portable devices). The policy applies regardless of the media on which data reside (including electronic, microfiche, printouts, email, voicemail, and CDs) or the form they may take (including text, graphics, video, and voice).
Heritage University expects all partners, consultants and vendors to abide by this policy. If non-public information is to be accessed or shared with these third parties, they should be bound by contract to abide by Heritage University’s policies.
Website Address for this Policy
For more information about this policy please contact the Information Technology Department at HUIR@heritage.edu.
Records Management: A process that identifies what information is of value (legally, to HU, to its stakeholders), where and how it is kept, and for how long.
Records: All documentation or evidence, regardless of physical form, generated in the course of conducting business, and which must be maintained to meet the fiscal, legal, historical or administrative needs of the organization.
Custodial Office: The office or department that originated and/or has been charged with maintaining and managing the record.
Active/Inactive Records: Active records are those kept on hand for regular use in conducting business. They should be arranged according to the needs and convenience of those who use them, but must be secured if they contain confidential or restricted data. The inactive phase of a record begins at the conclusion of an ongoing matter, such as completion of a contract or the departure of an employee.
Record Retention Schedule: A Schedule details the current record retention practices of each Custodial Office that manages records covered by this policy. In many cases, schedules reflect the current legal requirement for retention of those records. The schedule takes effect as soon as a record becomes Inactive. Offices that have copies of documents that are the responsibility of another office need to adhere to the retention and destruction schedule of the Custodial Office. Retention schedules are appended to the end of this policy.
Email and voicemail records shall have their own retention/destruction schedule.
Data Classifications: To ensure the security of and appropriate access to sensitive data, records are managed according to the classification of the data they contain -- Confidential, Restricted or Public.
- Regulated/Confidential - Data which is legally regulated; and data that would provide access to regulated/restricted information. Records containing this data MUST be stored in a secure location with limited access. These records MUST be destroyed according to their retention/destruction schedule by cross-cut shredding or other University sanctioned means to ensure that all sensitive information can no longer be read or interpreted.
- Restricted/Limited - Data which, while not legally protected, could be misused to the detriment of the University, its students, faculty, staff, partners, alumni or other third parties; and data protected by contractual obligations.
- Public - Data for which there is no expectation of privacy or confidentiality.
Record Organization: Each Custodial Office responsible for records as defined by this policy shall review all existing and new records and organize them according to the following criteria.
- Media type – paper, digital, microfiche, CD.
- Level of importance
  - Legal or financial value necessary for external requirements or internal planning
  - Administrative value necessary for on-going operations
  - Historic value containing information useful as a resource
  - No value: those records that have no administrative, legal, fiscal or archival requirements for their retention should be destroyed once used.
- Sensitivity of record/data
  - Confidential—legally regulated; contains confidential or restricted information
  - Restricted—Moderately sensitive or protected by contract
  - Public, historical/archival—no expectation for privacy
Storage of Active Records
All active records must be maintained in a secure and reliable manner and be readily available for authorized use. Data security measures will be implemented commensurate with data value, sensitivity, and risk.
- Regulated/Confidential data
  - If on electronic media, records containing confidential data must be stored on IT-qualified secure equipment in a locked office or room, preferably on University servers. These records shall not be stored on mobile computing devices unless encrypted.
  - Paper documents and records on other forms of media must be stored in a locked, limited-access file cabinet or drawer. They shall not be left unattended while in use.
- Restricted/Limited data will require varying security measures appropriate to the degree to which the loss or corruption of the data would impair the business functions of the University, result in financial loss, or violate policy or University contracts. As a general guideline, records with restricted data should be stored according to the rules for confidential data, above.
- Public data should be handled with care to maintain the best interests of the University.
The Custodial Office shall ensure that any copies of records are handled in accordance with the procedures outlined above.
Retention Schedules take effect as soon as a record becomes inactive. Each office (Custodial Office) is responsible for determining the retention period for covered records for which it is the primary producer or holder of that information. The retention schedule shall include:
- Name of custodial office
- Description or title of the record
- How and where it is stored
- Retention Period
- Who has access
- Destruction procedure
Storage of Inactive Records
As soon as records become inactive all additional copies shall be collected and destroyed if possible. Backup media of electronic records may be retained until the original is destroyed.
Inactive records shall be stored either:
- According to the procedures outlined above, OR
- Boxed and placed in a University-provided secure storage facility.
In either case, they shall be stored separately from active records and secured according to the sensitivity of the data they contain. Records should be stored together by type. In addition, the container (box, file drawer, secure electronic repository) shall be labeled with the following information:
- Custodial Office and Contact
- Description of records
- Date range of records
- Organization of records (e.g., alphabetic, chronologic, numeric)
- Date of storage
- Who has access
- Destruction Date
Some records can or must be retained permanently. These would include a limited number with a legally mandated permanent retention period and should follow the storage procedures above.
Permanent Storage – Archives
Records that have historical value should be protected from mishandling and should be accessible as a resource to researchers many years from now. Any record determined to have historical value by the President’s Office may be stored permanently in the University Archives.
Destruction of Records:
Each Custodial Office is responsible for the appropriate and timely destruction of records per their retention/destruction schedule. Destruction must be thorough and irreversible. The method depends on the storage medium, as outlined below.
- Paper: Burn, cross-cut shred, pulp or pulverize
- Electronic: reformat, overwrite, or magnetically destroy. Reports on back-up disks or tapes must also be destroyed.
IMPORTANT NOTE: Document destruction will be suspended immediately upon any indication of an official investigation or when a lawsuit is filed or appears imminent. Destruction will be reinstated upon conclusion of the investigation.
Department Data Retention Schedules - Appended
Related Policies and Resources
Records Management Policy
Approved on 11/1/2011