Compliance Requirements

Protect Your Data

stack of paper records

Records Management: Institutional Records Policy

INTRODUCTION

The following policy establishes institutional-wide principles for the responsible management of University records.

This policy, in accordance with other established University policies and procedures, applies to all records created or received by an office or department of the University in transaction of its proper business or in pursuance of its legal obligations. For the purposes of this policy, records shall be defined as information in any tangible format needed to conduct the affairs of the University office or department or which need to be maintained or stored for some period of time because of governmental regulation, generally accepted standards, or university mandate. The tangible formats include but are not limited to paper, photographs, film, audio and videotapes, microforms, drawings, databases, email, and other electronic records. All such records are the property of Brown University and subject to the following University-designated security classifications:

  • Public: information that can be shared with anyone without damage to the University.
  • Regulated: information that is not only confidential but subject to regulatory compliance (e.g., FERPA, GLBA, FACTA, and data collected from human subjects) and audits.
  • Brown Confidential: includes all other information.

The implementation of an institutional records policy that incorporates sound management practices and procedures provides the following benefits: guidelines for selecting and preserving critical and historically significant records, adherence to industry standards, compliance with legal mandates, reduced costs by eliminating storage of obsolete records, improved access to records, improved data security, increased accountability, and reduced risks.

While there may be instances where records or portions of records are shared by several departments or offices, there should be a primary steward who is responsible for decisions related to the maintenance, access, and retention of the records.

Establishing and operating effective recordkeeping systems and practices requires a multi-pronged approach. University departments and offices should make effective use of industry standards and the necessary range of expertise available throughout the University. This includes standards and expertise in archives and records management, information technology, data and information management, information security, business system analysis and design, auditing, risk management, and law.

PRINCIPLES

1. Appropriate measures and standards should be applied to ensure that University records remain authentic, secure, and confidential.

  • Records should be protected through appropriate physical and logical methods from accidental or intentional alteration and/or destruction.
  • Only the primary steward or his/her authorized representative should be permitted to create, capture, duplicate, or destroy University records.
  • University employees who have access to confidential information have a responsibility to maintain and safeguard that information, to access and only use that information that is minimally necessary to perform their job duties, to become informed about applicable legal mandates and industry standards for protecting that information, and to use the information with consideration and ethical regard for others.

2. The collection, processing, maintenance, disclosure, storage, retention and disposal of Personally Identifiable Information (PII) must be conducted in accordance with applicable laws, regulations, and University policy.

  • PII is information which when linked can be used to distinguish or trace an individual's identity. The University is obligated to keep PII elements (whether in electronic or hard copy format) confidential and secure during collection, processing, maintenance, disclosure, storage, retention, and disposal.
  • PII elements include but are not limited to: name, address, SSN, driver’s license, account/financial information, date of birth, phone numbers, email addresses and personal health information. For more examples of PII, please refer to Appendix C.
  • Access to, use, collection, and retention of PII should be limited to the minimum amount necessary to conduct University business. The categories of PII should be reviewed periodically. If the PII serves no current business purpose, the PII should not be collected.
  • PII should only be collected by authorized individuals based upon the minimum needs of their job responsibilities. Authorized individuals with access to PII are responsible for the proper handling, disclosure, storage, retention, and the proper disposal of the information they collect.

3. University records should be preserved in reliable recordkeeping systems for as long as required by law and University policy.

  • Records should be stored in controlled environments that preserve the record for as long as required.
  • The future usability of records should be ensured through the application of evolving reformatting or conversion strategies, copying records to a stable medium and/or updating hardware, software, and storage media as appropriate.
  • Departments and offices should have policies and practices in place that account for the reliable management of their records.
  • Recordkeeping systems should include adequate system controls as appropriate, such as guidelines for classifying and filing records, security and protection of confidential or regulated information, and practices and procedures for measuring the accuracy of data input and output audit trails.

4. Records should be accessible and retrievable in a timely manner throughout their retention period.

  • Records should be easily accessible and retrievable in the normal course of all business processes.
  • Training and user support programs should be available to ensure that authorized users can access and retrieve records.

5. Access to University records should be controlled according to well-defined criteria.

  • Recordkeeping systems should be constructed so as to ensure that records are protected from unauthorized access.
  • University departments and offices should take measures to prevent unauthorized access to regulated and confidential records by adequately identifying such records and by defining the rules governing access to these records.

6. The creation and management of University records should be an integral part of work processes and associated business procedures of University departments and offices.

  • Departments and offices should create records that accurately document their core activities.
  • Department and offices should designate a person (or persons) responsible for the department’s/office’s records management;
  • Departments and offices should know and comply with applicable Brown policies and external laws, regulations, and standards that concern the management of their records. The Office of the Vice President and General Counsel should be consulted to provide assistance to departments regarding laws and regulations that impact the management of records.
  • Recordkeeping should be built into the defined business processes and the work environment, thereby ensuring that records are captured, understandable, and usable.
  • Whenever possible, departments and offices should set up models of business processes to determine where and when records should be created and used in the course of University business.
  • Departments and offices should create and maintain local record management policies procedures that fully and accurately document their department’s or office’s needs.

7. Records should be retained and disposed of in accordance with records retention schedules and destruction procedures/plans.

  • Recordkeeping systems should include an approved disposition plan. The method of destruction of records will depend on their security classification.
  • Shred sensitive or confidential paper documents that are no longer needed, and secure such documents until shredding occurs. If a shredding service is employed, ensure that the service provider has clearly defined procedures in the contractual agreement that protects discarded information and that the provider is legally accountable for those procedures, with penalties in place for breach of contract.
  • When confidential or sensitive information is stored on the hard drive of a machine that is to be discarded, sent to surplus, or transferred to another individual or department, extra measures should be taken to wipe clean the hard drive before the computer leaves the area of responsibility.
  • Inactive records of permanent historical value should be transferred to the University Archives. Archival records preserved in the University Archives are in the official custody of the University Archivist. The University Archivist should be consulted if there is a question of whether records should be transferred to the Archives instead of being destroyed.

RESOURCES AND GUIDELINES

Departments, units, and administrative offices designing or modifying recordkeeping systems should consult with the appropriate office (such as the University Archives, Office of Sponsored Projects, the Controller’s Office, Office of General Counsel, Office of Internal Audit Services, Computing and Information Systems, or the Registrar) at the start of these projects to discuss archival and records management requirements. Please consult the Quick References list at the end of this document for information about which resources should be utilized.

APPENDIX A

Related Policies, Guidelines and Best Practices

APPENDIX B

Quick References

  • For more information about the management of the following types of records, please contact the University office indicated:
  • Administrative Records (Departments; University Archives)
  • Advancement Records (University Advancement; Medical School)
  • Alumni Records (Alumni Relations; University Archives)
  • Corporation Records (Secretary of the University; University Archives)
  • Electronic Records Security (Chief Information Security Officer)
  • Environmental Health and Safety Records (Environmental Health and Safety)
  • Facilities and Grounds Records (Facilities Management)
  • Faculty Records (Dean of Faculty)
  • Financial/Budget Records (Office of the Controller)
  • Intellectual Property Records (Office of the Vice President for Research)
  • Legal and Regulatory Compliance Records (General Counsel; Office of the Vice President for Research)
  • Personnel Records (Human Resources; Medical School; Dean of the Faculty)
  • Research Records (Office of the Vice President for Research; Office of Sponsored Projects)
  • Student Academic Records (Office of the Registrar; Dean of the College; Dean of the Graduate School; Medical School)
  • Student Life Records – including medical (Office of Student Life)
  • Student Statistics (Office of Institutional Research; Medical School; Graduate School)
  • University Archives – historical records (University Archives)
  • University Research Data and Compliance (Office of the Vice President for Research)

APPENDIX C

Examples of Personally Identifiable Information (PII) *

The following list contains examples of information that may be considered PII:

  • Name, such as full name, maiden name, mother’s maiden name, or alias.
  • Personal identification number, such as SSN, passport number, driver’s license number, taxpayer identification number, patient identification number, and financial account or credit card number.
  • Address information, such as street address or email address.
  • Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people.
  • Telephone numbers, including mobile, business, and personal numbers.
  • Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, or other biometric image or template data (e.g., retina scans, voice signature, facial geometry).
  • Information identifying personally owned property, such as vehicle registration or identification number, and title numbers and related information.
  • Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, or employment, medical, education, or financial information).

* Source – NIST U.S. Department of Commerce

Related Links:

.