Electronic Records Management: What Management Needs to Know May 2009.
Uploaded by shauna-rodgers
Electronic Records Management:
What Management Needs to Know
May 2009
Who would handle this scenario at your institution (and how)?
Copies of e-mails between two individuals for the past five years are requested.
Who would handle this scenario at your institution (and how)?
A class action lawsuit is filed against the institution for sexual harassment that goes back a number of years and impacts several departments.
Add this to the scenario: During e-discovery you find that two departments involved in the lawsuit set their own differing retention policies for the records. One department destroyed the records; the other retained them, but they do not provide the whole story.
Who would handle this scenario at your institution (and how)?
A celebration of the institution’s history is being planned and a timeline is needed of…
Who would handle this scenario at your institution (and how)?
A federal investigator requests copies of student records as part of a student financial aid investigation.
Be Proactive!
Thinking about these scenarios before they happen is much easier than addressing them on the fly…
What are the issues?
Information is important and must be properly cared for.
Faculty and staff are responsible for protecting the information that has been entrusted to them in the course of performing their jobs.
What are the issues? (continued…)
Some information is sensitive or confidential and requires special care when handling.
Some types of data require adherence to state/federal laws.
Protocols for releasing information to others, including law enforcement agencies.
Protocols when a breach occurs.
What are the issues? (continued…)
Retaining records for longer than required or necessary can create unnecessary risk.
Destroying records or information inappropriately may cause legal issues and may put the history and/or reputation of an institution at risk.
Getting Started
Get support
Identify a champion
Build a team
Research what others are doing.
Determine legal and contractual requirements.
Develop written policies and procedures.
Start with the most sensitive or valuable.
Train Employees
Initial Desired Outcomes or Goals
A set of written policies that set expectations for behavior
A retention/disposition schedule for your institution and/or departments
Training and/or informational materials that clarify expectations & behavior
Many Ways to Get Started – Pick one that works for your institution
Raise awareness, then build and provide tools
Build and provide tools, then raise awareness
Focus on the records first
ADDITIONAL SUPPORTING INFORMATION
Why is this Important? (Management Drivers)
Documents management decisions
Provides historical references of transactions and events
Enhances our organization’s operational efficiencies
Demonstrates regulatory compliance
Provides litigation support
Reduction in cost for storage
Why is this Important? (Legal, Statutory, Regulatory, and Contractual Requirements)
Law or standard | Year | Sector covered | Concerns
Privacy Act | 1974 | U.S. Government | Privacy
Family Educational Rights and Privacy Act (FERPA) | 1974 | Education records | Privacy
Health Insurance Portability and Accountability Act (HIPAA) | 1996 | Protected health information | Privacy and security rules
Financial Modernization Act (Gramm-Leach-Bliley or GLB) | 1999 | Certain financial data | Security safeguards
Fair and Accurate Credit Transactions Act (FACTA) | 2003 | Credit records | Secure disposal
State Laws | 2002 + | Personal data (primarily SSN) | Privacy, notification, secure disposal
Payment Card Industry Data Security Standards (PCI-DSS) | 2005 | Credit card data | Security standards
Federal Rules of Civil Procedure – Electronically stored information rules | 2006 | |
Red Flag Regulations | 2007 | Credit records | Identity theft
The AICPA listed Electronic Data Retention Strategy as one of the top Technology initiatives for 2009.
Current Issues Committee found that data administration is one of the top 10 areas of most expenditure in human or financial resources.
Watch for the new study on Data Management in the Fall of 2009
Timely Topic
Building a Team
Provide leadership and commitment
Establish cross-functional representation: Legal Counsel, Internal Audit, Information Security, Chief Financial Officer, Student Affairs, Chief Academic Officer, Archivist or Librarian, Chief Information Officer, Human Resources
Identify other stakeholders
Information Lifecycle…
Created (or received)
Managed
Used Actively
In-Active (stored)
Transformed
Permanently Archived
Disposed
Components of an Effective Records and Information Management Program
Preservation
Disposition
Disaster Prevention and Recovery
Vital Record Conversion
Retention Scheduling
Records Classification
Files & Forms Management
Records Inventory
Records & Information Management
Policy & Procedures
Data/Records Classification (how sensitive or valuable is it?)
There are laws, regulations, rules, or policies (federal, state, and institutional) that require classification of data.
Public
Non-public
Factors for grouping may include: record type, sensitivity, confidentiality, desired longevity, desired availability
Records Retention & Disposition
(keeping track of it & for how long!)
How long should records be maintained? Federal and State Laws –
• In Minnesota “official records” cannot be disposed of unless on an approved record retention schedule.
– Minnesota Official Records Act – “all officers and agencies” at all levels of government “shall make and preserve all records necessary to a full and accurate knowledge of their activities.”
How should records be disposed?
Record Retention Compliance
How long vs. How Many?
[Figure: axes labeled Retention Time and Quantity]
Key Definitions
Information - Data that has been given value through analysis, interpretation, or compilation in a meaningful form.
Record - Recorded information, regardless of physical form or characteristics, which serves to document the institution, functions, policies, decisions, or other activities of the institution and its faculty, staff, and students.
Electronically Stored Information (ESI) - All electronically stored information and data subject to possession, control, or custody of an institution regardless of its format and the media on which it is stored.
Data Classification - The process of assigning a level of sensitivity to data as it is being created, amended, enhanced, stored, or transmitted.
Records Retention and Disposition Schedules - An approved listing of records held by an organization. It includes retention and destruction requirements.
Electronic Records Management - The process by which an organization creates, classifies, controls, and authorizes access to electronic records.