To provide a practical set of resources that will assist members of the higher education community in addressing related issues of electronic records management (ERM), e-discovery, and data retention on their own campuses.
We all create and use information every day. Taking care of that information (in all its many forms) is an effort requiring shared responsibility by each member of a specific community. Just figuring out where to start and what needs to be done can be a time-consuming task.
Some institutions have done a lot of work in this area, while others have just gotten started, and still others have done little or nothing. We all have an opportunity to learn from and share with each other. This set of resources is intended to be a collaborative and evolving effort. Please use this forum to share what you have done! It might be just what someone else is looking for. If you have questions or comments regarding this toolkit, or if you'd like to contribute your own material, please contact the Higher Education Information Security Council.
This toolkit will provide valuable information on the following areas:
- ERM Background and Context
- Getting Started with ERM
- What Others Are Doing with ERM
- Additional ERM Resources
ERM Background and Context
Interest in records and information management (RIM) continues to increase among university & college leadership due to new compliance regulations and statutes. The growing number of corporate scandals and government incidents involving questionable or deficient records management practices have raised general awareness of and created a critical interest in records compliance, retention period requirements, litigation preparedness, data security & privacy, and many other records and information management issues.
Records management is often seen as an unnecessary or low priority administrative task that can be performed at the lowest levels within an organization. However, this perception is changing as these publicized events have demonstrated that records management is in fact the responsibility of all individuals within an organization.
Electronic Records Management
The general principles of records and information management apply to records in any media, form and format. However, the complex attributes of electronic records (also called digital records) present specific issues that records stored in paper and microfilm do not typically share. For example, it is more difficult to ensure that the content, context and structure of electronic records is preserved and protected.
Several concepts are critical when addressing Electronic Records Management. A simple way to think about it is to imagine all information existing within a lifecycle. From the moment of creation until the time it is no longer needed, information should be managed with care according to a variety of factors, including sensitivity, confidentiality, and desired longevity.
Within the information lifecycle, information may take different forms over time. Records are one type of information. Electronic records are those records that have been created or stored using electronic systems.
Records may be grouped into classes according to a variety of factors. Common factors include, but are not limited to, record type, sensitivity, confidentiality, and desired longevity.
Based on those classifications, records can then be scheduled according to their required or desired retention periods, and their recommended method of disposition. In addition, certain classes of records may only be appropriate for access by certain members of a community. Almost all records are subject to discovery.
The entire process by which an organization creates, classifies, controls, and authorizes access to electronic records is known as Electronic Records Management.
- E-Discovery Toolkit
- Records Retention and Disposition Toolkit
- Access Control
- Logging and Monitoring
- Data Classification Toolkit
- Guidelines for Information Media Sanitization
- Legal Requirements
#Top of page
Practical Guide to Getting Started
So what's the best way to get started? The answer to that question will largely depend on the particular culture of your campus and your knowledge of the players involved.
No matter where you start, though, you likely won't get far unless you have the support of top-level administration, and can build a critical mass of people within the community who understand (and can help others understand) what's at stake.
- Who to Involve?
- What to Do?
- Raising Campus Awareness
- Building and Providing Tools
- Information Management Policies
Who to Involve?
Potential partners include legal counsel, internal auditors, chief information officers, information security officers, privacy officers, records managers, archivists, comptroller, head of student affairs, and head of academic affairs.
What to Do?
- Know what records you have & where they are (data or records inventory).
- Decide how sensitive or valuable those records are (data classification & records retention/disposition scheduling).
- Prioritize (start with the most sensitive or valuable stuff first).
- Understand the alphabet-soup-of-regulations (e.g., HIPAA, FERPA, FOIA, GLBA, PCI-DSS, ISO, COBIT).
- Find out what others in your region are doing (collaborate, don't reinvent).
- Form partnerships with state & national organizations addressing this issue.
Raising Campus Awareness
Need help making the case? Here's a presentation you can tailor to suit your needs and institutional culture. Good luck!
Building and Providing Tools
- Access Control is any mechanism by which a system grants or revokes the right to access some data, or perform some action.
- Data Classification is the act of placing data into categories that will dictate the level of internal controls to protect that data against theft, compromise, and inappropriate use.
- Records Inventory is a detailed listing of the volume, scope, and complexity of an organization's records, usually compiled for the purpose of creating a records schedule. The results of the inventory can be used to analyze the records for various purposes including retention and protection.
- Records Retention and Disposition Schedule: Records retention is the act of the keeping records for as long as they have administrative, business, legislative and/or cultural value. Retention specifically refers to the period of time a document is required to be kept. At the end of the retention period, the document becomes eligible for disposition. Records disposition refers to actions taken with regard to records that are no longer needed for current business as determined by their appraisal pursuant to legislation, regulation, or administrative procedure. The term "disposition" includes both actions of destruction and the transfer of records to an appointed archive for permanent preservation.
Information Management Policies
These policies describe expectations for handling certain types of content.
- Incident Handling & Response – An incident response plan outlines actions to be taken in the event that information or systems have been compromised.
- Privacy – Privacy policies set forth the expectation for safeguarding and sharing of information entrusted to an institution.
- Security – Security policies describe the legal, privacy, and security-related responsibilities that members of the institution have.
- Responding to Law Enforcement Requests – Policies in this area assist faculty and staff in responding to investigative contact by law enforcement officials.
- Responding to Open Records Requests – Policies in this area assist faculty and staff in responding to open records requests.
#Top of page
What Are Others Doing?
Brigham Young University
- Records Management Handbook (refer to Section 6 - Managing Electronic Records, p. 24-32)
The Ohio State University
- Records Management Overview
- Electronic Records Overview
- What is a Record?
- Records and Information Management Resources
- Retention Schedules
- OSU Institutional Data Policy
- Ohio Electronic Records Committee
- Ohio Historical Records Advisory Board
The Ohio State University Libraries
Pennsylvania State University
University of California
The University of Kansas
- Information Management Program
- Information Management: University Information/Records
- Records Management and Record Retention Schedule
University of Missouri System
University of Virginia
#Top of page
- List of Records Management Laws for State Agencies
- Other Toolkit Components Still Under Development
- Other Relevant Agencies
Unless otherwise noted*, all definitions are from the Glossary of Records and Information Management Terms, 3rd ed., ARMA International (2007).
- Archives — 1) The documents created or received and accumulated by a person or organization in the course of the conduct of affairs and preserved because of their continuing value; 2) The building or part of a building in which archives are preserved and made available for consultation; or 3) The agency or program responsible for selecting, acquiring, preserving, and making available archives
- Data — Symbols or characters that represent raw facts or figures and form the basis of information
- Discovery — Required disclosure of relevant items in the possession of one party to the opposing party during the course of legal action
- Disposition — A final administrative action taken with regard to records, including destruction, transfer to another entity, or permanent preservation
- Electronic Records Management — 1) The application of records management principles to electronic records; or 2) The management of records using electronic systems to apply records management principles
- Information — Data that has been given value through analysis, interpretation, or compilation in a meaningful form
- Lifecycle (of a record) — Distinct phases of a record's existence, from creation to final disposition
- Record — Recorded information, regardless of medium or characteristics, made or received by an organization in the pursuance of legal obligations or in the transaction of business.
- Records and Information Management — Field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use, and disposition of records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records
- Records Manager* — The person responsible for the oversight and administration of the records management program in an organization. Records Managers are found in all types of organizations, including business, government, and non-profit sectors. This role has evolved over time in response to the ever-increasing need for and importance of records management. On the whole, the role can take many forms with a variety of titles and can have various reporting structures. The role might be held by an attorney or legal counsel member, a senior administrative associate, a manager in the IT department, the Compliance Officer or Auditor, or even the Chief Information Officer of an organization. Records Managers may focus on operational responsibilities, design strategies and policies for maintaining and utilizing information, or combine elements of those jobs. What is most important is that the Records Manager's position be established and given appropriate authority by organizational policy, be supported by upper management, and be placed high in the organizational structure. In addition to the more traditional expertise of records appraisal, retention, disposition, and the like, today's Records Manager also commonly has subject matter expertise in law (as it affects records management), privacy and data protection, and electronic storage systems. Records Managers may have degrees in a wide variety of subjects in all disciplines and may have professional certifications awarded by organizations such as the Institute of Certified Records Managers, AIIM, the Society of American Archivists (SAA) and others.
- Retention Period — Length of time a record must be kept to meet administrative, fiscal, legal, or historical requirements
- Retention Program — A system established and maintained to define retention periods for records in an organization
- Retention Schedule — A comprehensive list of records series, indicating for each the length of time it is to be maintained and its disposition
List of Records Management Laws for State Agencies
- State Records Retention Law
- Local Government Records Retention Law
- Open Meetings Act
- Alabama Open Records Law
- General Administrative Records Retention Schedule
- Records Management Program
- Public Records Statute
- AS 40.17.010. Place of Recording and Access to Records
- Accessing Arizona Public Records
- Arizona Public Records Law
- Uniform Real Property Electronic Recording Act
- Electronic Record Management Guidelines for Arkansas State Government
- Arkansas Freedom of Information Act
- Public Act 97-89: "An Act Concerning the Recording, Copying and Maintenance of Certain Public Records"
- Required Minimum Microfilming Standards for Public Records; Disposition of Original Records (Policy Statement, General Letter 96-2c)
- Connecticut Freedom of Information Act
- Statutes and Administrative Code Rules Relating to Archives and Records Management
- Chapter 119, 2008 Florida Statutes--Public Records Law
- Chapter 257, 2008 Florida Statutes--Public Libraries and State Archives
- Chapter 1B-11, Florida Administrative Code--Use of Archives and Archives Facilities
- Chapter 1B-24, Florida Administrative Code--Public Records Scheduling and Dispositioning
- Chapter 1B-26.003, Florida Administrative Code--Electronic Recordkeeping
- Chapter 1B-26.0021, Florida Administrative Code--Microfilm Standards
- Chapter 1B-31, Florida Administrative Code--Real Property Electronic Recording
- Chapter 2.430-2.440 and Retention Schedule, Florida Rules of Judicial Administration -- Judicial Branch/Court records retention (PDF)
- Hawaii Laws that Apply to Retention & Disposition of Government Records
- Law Regarding Government Electronic Records
- Idaho Code
- Idaho Statute 9-338, Right to Examine
- Idaho Statute on Public Writings
- Idaho Public Records Law Manual
- The State Records Act (5 ILCS 160)
- The Local Records Act (50 ILCS ACT 205)
- Illinois School Student Records Act (105 ILCS 10)
- Filmed Records Reproduction Act (5 ILCS 170)
- Filmed Records Certification Act (50 ILCS 210)
- Filmed Records Destruction Act (50 ILCS 215)
- Freedom of Information Act (5 ILCS ACT 140)
- Indiana Commission on Public Records: The Legal Framework of Records and Information Management in State Government
- State Government Records
- Access to Public Records
- Kentucky Open Records Act
- Kentucky Open Meetings and Open Records Laws
- Managing Government Records: An Introduction to Kentucky's Public Records Management Law
- Records Management Policies and Practices (LAC 4:XVII.Chapters 1-15)
- Louisiana State Archives Records Management Handbook
- "Managing Your Government Records: Guidelines for Archives and Agencies" (What do you need to know about government records? Section 1 presents the definition of government records and summarizes the laws that govern them.)
- 2013 Statutes on Official Records
- 13.03 Access to Government Data
- Electronic Records Management Guidelines
- Laws and Codes Pertaining to State Records
- "What Is a Record?," a Guide to Missouri's State Records Management Program
- Chapter 239, Public Records
- New Jersey Open Public Records Act
- New Jersey Administrative Code Title 15 Department of State Chapter 3 Records Management Complete text of N.J.A.C. 15:3
- Governing statutes
- New Mexico Commission of Public Records
- Inspection of Public Records Act Compliance Guide
- Compliance Checklist
- N.C.G.S § 121 The Archives and History Act
- N.C.G.S § 132 The Public Records Act
- Laws and Guidelines for Public Records
- Uniform Real Property Electronic Recording Act
- Ohio Public Records Laws and Legislation
- Sections of the Ohio Revised Code (respecting the creation, maintenance, preservation, transfer, and disposal of records)
- Open Government, Access to Public Records
- Rhode Island "Access to Public Records" Act (Chapter 38-2)
- Texas StateGovernment Code, Chapter 441, Subchapter L - Preservation and Management of State Records and Other Historical Resources
- Texas Administrative Code, Title 13, Chapter 6, Records Retention Scheduling Rules
- Microfilming Standards and Procedures
- Electronic Records Standards and Procedures
- Texas State Records Retention Schedule (4th edition)
- Records Management Services for Government Agencies
- Rules of the Public Records Commission Includes definitions of records (permanent, temporary, confidential, archival, essential), citations of relevant statutes.
- Government Records Access and Management Act (GRAMA)
- Utah System of Higher Education R993, Records Access & Management
- Virginia Public Records Management Manual
- Library of Virginia Records Management (includes a guide to the Virginia Public Records Act)
- Public Records Management and Preservation Act
- Regulations of the West Virginia State Records Administrator
- Wyoming Statutes (Article 4: State Archives, Museums, and Historical Department)
- Wyoming Public Records Act
List of Records Management Standards (in progress)
- ISO 15489-1 Information and Documentation – Records Management – Part 1: General
- ISO 15489-2 Information and Documentation – Records Management – Part 2: Guidelines
- ISO 23081-1:2006 Metadata for Records - Part 1: Principles
- Department of Defense (DoD) 5015.2-STD: Electronic Records Management Software Applications Design Criteria Standard
- National Archives (United Kingdom)
- European Commission Archival Policy
Non-Comprehensive List of Statutory Regulations & Requirements (in progress)
- Sarbanes-Oxley Act (2002) — This legislation pushes accountability for proper records management to the executive level. The law requires:
- CEOs & CFOs to certify personally financial records & reports periodically,
- Guidelines for audit committees to be established,
- All documents relevant to possible government investigation be retained appropriately, and
- Audit work papers to be retained for seven years.
Note: Similar laws exist in other countries. Some examples are included on the Sarbanes-Oxley Act Wikipedia page.
Other Relevant Agencies
- ARMA International (The Authority on Managing Records and Information)
- National Archives
- National Association of College and University Attorneys (NACUA)
- Society of American Archivists
#Top of page
Questions or comments? Contact us.
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).