Records Management: Guidelines for Managing Institutional Records*
The purpose of these guidelines is to provide departments and offices with guidance for managing University records. The guidelines support the Institutional Records Policy and outline basic steps to help departments and offices comply with the Policy.
Typically, university records fall into a range of categories including, but not limited to: administrative records, advancement records, alumni records, corporation records, environmental health and safety records, faculty records, financial/budget records, legal and regulatory compliance records, personnel records, operations records (facilities management), student academic records, student life records, university research data and compliance, and university statistics.
For the purpose of complying with the Institutional Records Policy, the following records are exceptions to the policy:
- Extra copies of publications kept for distribution.
- Personal documents neither created nor received in the conduct of university business.
* Adapted from "Guidelines for Managing University Records" (http://dca.tufts.edu/?pid=48), Tufts University Digital Collections and Archive.
SUMMARY OF BEST PRACTICES FOR MANAGING RECORDS
Departments and offices should manage their university records in a trustworthy manner that ensures their authenticity. To do this, departments and offices should:
- Create records that accurately document their core activities.
- Manage and store records in a manner that facilitates timely and accurate retrieval.
- Ensure that records are stored in secure locations with stable physical or electronic environments.
- Allow only those with the proper authority to have access to records.
- Allow access only to the minimum amount of information necessary for business purposes.
- Comply with Brown policies and the external laws and regulations that affect the management and disposition of their records.
All departments and offices should create university records that accurately document their core activities. To do this, departments and offices should:
- Determine which of their department or office members has the responsibility and authority to create records.
- Incorporate their records creation activities and responsibilities into their own policies and procedures.
- Periodically review their records creation procedures.
All departments and offices should store their university records in a safe, stable, and secure manner that supports their timely and accurate retrieval and establishes appropriate controls on their accessibility. To do this, departments and offices should:
- Develop filing, classification, and/or indexing systems for their records that all of their department or office members understand and follow. These systems need not be complex—they only need to enable people to find the appropriate records quickly.
- Know the location of all of their records.
- Store their records in stable physical and electronic environments. For the physical storage of records this means storing records in dry and clean areas that are protected from the elements and have appropriate temperature and humidity levels. For the electronic storage of records this means ensuring that records are stored on stable media and in readable software formats. For further instruction or guidance on electronic records, contact the Chief Information Security Officer in Computing and Information Services.
- Periodically check the stability of their physical and electronic storage environments.
- Ensure that their physical and electronic records storage areas are secure. Know who has access to their physical storage areas. Make sure these areas are locked when unattended. For their electronic records storage areas, ensure that they comply with the University's Guidelines for Safeguarding Information (http://brown.edu/cis/policy/safeinfo.php).
- Periodically review their physical and electronic records storage security measures.
- Determine the confidentiality and privacy status of all of their records. A variety of internal policies and external laws and regulations, such as FERPA, GLBA, FACTA, and state/federal health care confidentiality acts, may help departments and offices determine the confidentiality and privacy status of their records.
- Know who has a business need and the proper authority to view their records. If uncertain, please refer to Appendix B, Quick References, to determine appropriate follow up.
- Ensure that their records storage security measures meet the confidentiality and privacy needs of their records.
- Document their records organization system, storage locations, and security procedures in their own policies and procedures.
Records Retention and Disposition
The Institutional Records Policy assigns the owner of the record the authority and responsibility to determine the appropriate disposition of university records in consultation with the necessary faculty, staff, and administrators. The record owner has the authority and responsibility to articulate these disposition decisions in records retention schedules. In order to determine and properly undertake the disposition of their records and comply with the Institutional Records Policy, departments and offices should:
- Consult the University's records retention schedules to determine the disposition of their records (Note: schedules to be added at a later date).
- Contact the Office of the Vice-President and General Counsel for assistance in interpreting the records schedules or creating new schedules if needed.
- Ensure that they do not destroy university records that are currently part of, or are likely to be part of, any legal action or proceeding, litigation, audit, investigation, or review, even if the records retention schedules or other policies or procedures indicate that the records are eligible for destruction. Procedures for responding to subpoenas that require the timely production of records or information pertaining to specific individuals or entities involved in potential or ongoing litigation are governed by the General Counsel.
Confidential Records Destruction
All departments and offices should destroy, in a confidential manner, those university records that require destruction. Departments and offices may use the general trash or recycling only to destroy records and documents that have a wide and open distribution at the time of their creation, such as publications. All other records should be destroyed in a confidential manner. To confidentially destroy records, departments and offices should:
- Shred confidential paper documents that are no longer needed and secure such documents until shredding occurs. If a shredding service is employed, ensure that the service provider has clearly defined procedures in the contractual agreement that protect discarded information and that the provider is legally accountable for those procedures, with penalties in place for breach of contract.
- Take extra measures to wipe clean the hard drive of any machine that may contain sensitive or confidential information before discarding, sending to surplus, or transferring the machine to another individual or department.
Personally Identifiable Information (PII)
All departments and offices should conduct the collection, processing, maintenance, disclosure, storage, retention and disposal of Personally Identifiable Information (PII) in accordance with applicable laws, regulations and University policy.
- PII is information that, when linked, can be used to distinguish or trace an individual's identity. The University is obligated to keep PII elements (whether in electronic or hard copy format) confidential and secure during collection, processing, maintenance, disclosure, storage, retention and disposal.
- PII elements include but are not limited to: name, address, SSN, driver's license, account/financial information, date of birth, phone numbers, email addresses and personal health information. For more examples of PII please refer to Appendix C.
- PII collection and retention should be limited to the minimum amount necessary to conduct University business. The categories of PII should be reviewed periodically. If the PII serves no current business purpose, the PII should not be collected.
- PII should only be collected by authorized individuals based upon their job responsibilities. Authorized individuals with access to PII are responsible for the proper handling, disclosure, storage, retention and the proper disposal of the information they collect.
Micrographics and/or digital imaging are increasingly popular methods for dealing with records reformatting. Micrographics is the process of storing records that have been reduced in size onto a photographic medium. Digital imaging, also referred to as scanning, is the conversion of materials in print form to a computer-readable format. When undertaking a reformatting project, departments and offices should:
- Adhere to university policy and acceptable industry standards when microfilming or creating digital scans of university records.
- Properly store and migrate digital images to ensure their long-term preservation and accessibility.
- Consult with the Brown University Library's Center for Digital Scholarship (http://dl.lib.brown.edu/) for more information.
Managing and Preserving Records in Digital Form
All departments and offices should ensure that their recordkeeping practices are in compliance with applicable Brown policies and external laws, regulations, standards, and professional ethics. To be compliant in their recordkeeping activities, departments and offices should:
- Identify and track changes to the applicable Brown policies and external laws, regulations, standards, and professional ethics.
- Ensure that their staff are informed about the applicable Brown policies and external laws, regulations, standards, and professional ethics and use the information with consideration and ethical regard for others.
- Not undertake any recordkeeping activity that does not comply with applicable Brown policies and external laws, regulations, standards, and professional ethics.
- Be able to demonstrate their recordkeeping compliance with applicable Brown policies and external laws, regulations, standards, and professional ethics.
- Institutional Records Policy
- Guidelines for Managing Electronic Records
- Institutional Records Glossary