Electronic Records Management: What Management Needs to Know May 2009.



Who would handle this scenario at your institution (and how)?

Copies of e-mails between two individuals are requested for the past five years.


Who would handle this scenario at your institution (and how)?

A class action lawsuit is filed against the institution for sexual harassment that goes back a number of years and impacts several departments.

Add this to the scenario: During e-discovery you find that two departments involved in the lawsuit set their own differing retention policies for the records. One department destroyed the records; the other retained them, but they do not provide the whole story.


Who would handle this scenario at your institution (and how)?

A celebration of the institution’s history is being planned and a timeline is needed of…


Who would handle this scenario at your institution (and how)?

A federal investigator requests copies of student records as part of a student financial aid investigation.


Be Proactive!

Thinking about these scenarios before they happen is much easier than addressing them on the fly…


What are the issues?

Information is important and must be properly cared for.

Faculty and staff are responsible for protecting the information that has been entrusted to them in the course of performing their jobs.


What are the issues? (continued…)

Some information is sensitive or confidential and requires special care when handling.

Some types of data require adherence to state/federal laws.

Protocols for releasing information to others, including law enforcement agencies.

Protocols when a breach occurs.


What are the issues? (continued…)

Retaining records for longer than required or necessary can create unnecessary risk.

Destroying records or information inappropriately may cause legal issues and may put the history and/or reputation of an institution at risk.


Getting Started

Get support

Identify a champion

Build a team

Research what others are doing.

Determine legal and contractual requirements.

Develop written policies and procedures.

Start with the most sensitive or valuable.

Train Employees


Initial Desired Outcomes or Goals

A set of written policies that set expectations for behavior

A retention/disposition schedule for your institution and/or departments

Training and/or informational materials that clarify expectations & behavior


Many Ways to Get Started – Pick one that works for your institution

Raise awareness, then build and provide tools

Build and provide tools, then raise awareness

Focus on the records first


ADDITIONAL SUPPORTING INFORMATION


Why is this Important? (Management Drivers)

Documents management decisions

Provides historical references of transactions and events

Enhances our organization’s operational efficiencies

Demonstrates regulatory compliance

Provides litigation support

Reduction in cost for storage


Why is this Important? (Legal, Statutory, Regulatory, and Contractual Requirements)

Privacy Act (1974). Sector covered: U.S. Government. Concerns: Privacy.

Family Educational Rights and Privacy Act (FERPA) (1974). Sector covered: Education records. Concerns: Privacy.

Health Insurance Portability and Accountability Act (HIPAA) (1996). Sector covered: Protected health information. Concerns: Privacy and security rules.

Financial Modernization Act (Gramm-Leach-Bliley or GLB) (1999). Sector covered: Certain financial data. Concerns: Security safeguards.

Fair and Accurate Credit Transactions Act (FACTA) (2003). Sector covered: Credit records. Concerns: Secure disposal.

State Laws (2002 +). Sector covered: Personal data (primarily SSN). Concerns: Privacy, notification, secure disposal.

Payment Card Industry Data Security Standards (PCI-DSS) (2005). Sector covered: Credit card data. Concerns: Security standards.

Federal Rules of Civil Procedure – Electronically stored information rules (2006).

Red Flag Regulations (2007). Sector covered: Credit records. Concerns: Identity theft.


Timely Topic

The AICPA listed Electronic Data Retention Strategy as one of the top Technology initiatives for 2009.

Current Issues Committee found that data administration is one of the top 10 areas of most expenditure in human or financial resources.

Watch for the new study on Data Management in the Fall of 2009


Building a Team

Provide leadership and commitment

Establish cross-functional representation: Legal Counsel, Internal Audit, Information Security, Chief Financial Officer, Student Affairs, Chief Academic Officer, Archivist or Librarian, Chief Information Officer, Human Resources

Identify other stakeholders


Information Lifecycle…

Created (or received)

Managed

Used Actively

In-Active (stored)

Transformed

Permanently Archived

Disposed


Components of an Effective Records and Information Management Program

Preservation

Disposition

Disaster Prevention and Recovery

Vital Record

Conversion

Retention Scheduling

Records Classification

Files & Forms Management

Records Inventory

Records & Information Management

Policy & Procedures


Data/Records Classification (how sensitive or valuable is it?)

There are laws, regulations, rules, or policies (federal, state, and institutional) that require classification of data.

Public

Non-public

Factors for grouping may include: Record type, Sensitivity, Confidentiality, Desired longevity, Desired availability


Records Retention & Disposition (keeping track of it & for how long!)

How long should records be maintained?

Federal and State Laws –

• In Minnesota “official records” cannot be disposed of unless on an approved record retention schedule.

– Minnesota Official Records Act – “all officers and agencies” at all levels of government “shall make and preserve all records necessary to a full and accurate knowledge of their activities.”

How should records be disposed?

Record Retention Compliance


How long vs. How Many?

[Chart; axis labels: Retention Time, Quantity]


Key Definitions

Information - Data that has been given value through analysis, interpretation, or compilation in a meaningful form

Record - Recorded information, regardless of physical form or characteristics, which serves to document the institution, functions, policies, decisions, or other activities of the institution and its faculty, staff, and students.

Electronically Stored Information (ESI) - All electronically stored information and data subject to possession, control, or custody of an institution regardless of its format and the media on which it is stored.

Data Classification - The process of assigning a level of sensitivity to data as it is being created, amended, enhanced, stored, or transmitted.

Records Retention and Disposition Schedules - An approved listing of records held by an organization. It includes retention and destruction requirements.

Electronic Records Management – The process by which an organization creates, classifies, controls, and authorizes access to electronic records.