Page tree
Skip to end of metadata
Go to start of metadata


To provide a practical set of resources that will assist members of the higher education community in addressing related issues of electronic records management (ERM), e-discovery, and data retention on their own campuses.


We all create and use information every day. Taking care of that information (in all its many forms) is an effort requiring shared responsibility by each member of a specific community. Just figuring out where to start and what needs to be done can be a time-consuming task.

Some institutions have done a lot of work in this area, while others have just gotten started, and still others have done little or nothing. We all have an opportunity to learn from and share with each other. This set of resources is intended to be a collaborative and evolving effort. Please use this forum to share what you have done! It might be just what someone else is looking for. If you have questions or comments regarding this toolkit, or if you'd like to contribute your own material, please contact the Higher Education Information Security Council.

This toolkit will provide valuable information on the following areas:

ERM Background and Context

Interest in records and information management (RIM) continues to increase among university & college leadership due to new compliance regulations and statutes. The growing number of corporate scandals and government incidents involving questionable or deficient records management practices have raised general awareness of and created a critical interest in records compliance, retention period requirements, litigation preparedness, data security & privacy, and many other records and information management issues.

Records management is often seen as an unnecessary or low priority administrative task that can be performed at the lowest levels within an organization. However, this perception is changing as these publicized events have demonstrated that records management is in fact the responsibility of all individuals within an organization.

Electronic Records Management

The general principles of records and information management apply to records in any media, form and format. However, the complex attributes of electronic records (also called digital records) present specific issues that records stored in paper and microfilm do not typically share. For example, it is more difficult to ensure that the content, context and structure of electronic records is preserved and protected.

Several concepts are critical when addressing Electronic Records Management. A simple way to think about it is to imagine all information existing within a lifecycle. From the moment of creation until the time it is no longer needed, information should be managed with care according to a variety of factors, including sensitivity, confidentiality, and desired longevity.

Within the information lifecycle, information may take different forms over time. Records are one type of information. Electronic records are those records that have been created or stored using electronic systems.

Records may be grouped into classes according to a variety of factors. Common factors include, but are not limited to, record type, sensitivity, confidentiality, and desired longevity.

Based on those classifications, records can then be scheduled according to their required or desired retention periods, and their recommended method of disposition. In addition, certain classes of records may only be appropriate for access by certain members of a community. Almost all records are subject to discovery.

The entire process by which an organization creates, classifies, controls, and authorizes access to electronic records is known as Electronic Records Management.

Related Topics

#Top of page

Practical Guide to Getting Started

So what's the best way to get started? The answer to that question will largely depend on the particular culture of your campus and your knowledge of the players involved.

No matter where you start, though, you likely won't get far unless you have the support of top-level administration, and can build a critical mass of people within the community who understand (and can help others understand) what's at stake.

Who to Involve?

Potential partners include legal counsel, internal auditors, chief information officers, information security officers, privacy officers, records managers, archivists, comptroller, head of student affairs, and head of academic affairs.

What to Do?
  • Know what records you have & where they are (data or records inventory).
  • Decide how sensitive or valuable those records are (data classification & records retention/disposition scheduling).
  • Prioritize (start with the most sensitive or valuable stuff first).
  • Understand the alphabet-soup-of-regulations (e.g., HIPAA, FERPA, FOIA, GLBA, PCI-DSS, ISO, COBIT).
  • Find out what others in your region are doing (collaborate, don't reinvent).
  • Form partnerships with state & national organizations addressing this issue.

Raising Campus Awareness

Need help making the case? Here's a presentation you can tailor to suit your needs and institutional culture. Good luck!

Building and Providing Tools
  • Access Control is any mechanism by which a system grants or revokes the right to access some data, or perform some action.
  • Data Classification is the act of placing data into categories that will dictate the level of internal controls to protect that data against theft, compromise, and inappropriate use.
  • Records Inventory is a detailed listing of the volume, scope, and complexity of an organization's records, usually compiled for the purpose of creating a records schedule. The results of the inventory can be used to analyze the records for various purposes including retention and protection.
  • Records Retention and Disposition Schedule: Records retention is the act of the keeping records for as long as they have administrative, business, legislative and/or cultural value. Retention specifically refers to the period of time a document is required to be kept. At the end of the retention period, the document becomes eligible for disposition. Records disposition refers to actions taken with regard to records that are no longer needed for current business as determined by their appraisal pursuant to legislation, regulation, or administrative procedure. The term "disposition" includes both actions of destruction and the transfer of records to an appointed archive for permanent preservation.

Information Management Policies

These policies describe expectations for handling certain types of content.

#Top of page

What Are Others Doing?

Brigham Young University
Indiana University
The Ohio State University
The Ohio State University Libraries
Pennsylvania State University
University of California
The University of Kansas
University of Missouri System
University of Virginia

#Top of page

Additional Resources


Unless otherwise noted*, all definitions are from the Glossary of Records and Information Management Terms, 3rd ed., ARMA International (2007).

  • Archives — 1) The documents created or received and accumulated by a person or organization in the course of the conduct of affairs and preserved because of their continuing value; 2) The building or part of a building in which archives are preserved and made available for consultation; or 3) The agency or program responsible for selecting, acquiring, preserving, and making available archives
  • Data — Symbols or characters that represent raw facts or figures and form the basis of information
  • Discovery — Required disclosure of relevant items in the possession of one party to the opposing party during the course of legal action
  • Disposition — A final administrative action taken with regard to records, including destruction, transfer to another entity, or permanent preservation
  • Electronic Records Management — 1) The application of records management principles to electronic records; or 2) The management of records using electronic systems to apply records management principles
  • Information — Data that has been given value through analysis, interpretation, or compilation in a meaningful form
  • Lifecycle (of a record) — Distinct phases of a record's existence, from creation to final disposition
  • Record — Recorded information, regardless of medium or characteristics, made or received by an organization in the pursuance of legal obligations or in the transaction of business.
  • Records and Information Management — Field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use, and disposition of records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records
  • Records Manager* — The person responsible for the oversight and administration of the records management program in an organization. Records Managers are found in all types of organizations, including business, government, and non-profit sectors. This role has evolved over time in response to the ever-increasing need for and importance of records management. On the whole, the role can take many forms with a variety of titles and can have various reporting structures. The role might be held by an attorney or legal counsel member, a senior administrative associate, a manager in the IT department, the Compliance Officer or Auditor, or even the Chief Information Officer of an organization. Records Managers may focus on operational responsibilities, design strategies and policies for maintaining and utilizing information, or combine elements of those jobs. What is most important is that the Records Manager's position be established and given appropriate authority by organizational policy, be supported by upper management, and be placed high in the organizational structure. In addition to the more traditional expertise of records appraisal, retention, disposition, and the like, today's Records Manager also commonly has subject matter expertise in law (as it affects records management), privacy and data protection, and electronic storage systems. Records Managers may have degrees in a wide variety of subjects in all disciplines and may have professional certifications awarded by organizations such as the Institute of Certified Records Managers, AIIM, the Society of American Archivists (SAA) and others.
  • Retention Period — Length of time a record must be kept to meet administrative, fiscal, legal, or historical requirements
  • Retention Program — A system established and maintained to define retention periods for records in an organization
  • Retention Schedule — A comprehensive list of records series, indicating for each the length of time it is to be maintained and its disposition

List of Records Management Laws for State Agencies










  • Statutes and Administrative Code Rules Relating to Archives and Records Management
    • Chapter 119, 2008 Florida Statutes--Public Records Law
    • Chapter 257, 2008 Florida Statutes--Public Libraries and State Archives
    • Chapter 1B-11, Florida Administrative Code--Use of Archives and Archives Facilities
    • Chapter 1B-24, Florida Administrative Code--Public Records Scheduling and Dispositioning
    • Chapter 1B-26.003, Florida Administrative Code--Electronic Recordkeeping
    • Chapter 1B-26.0021, Florida Administrative Code--Microfilm Standards
    • Chapter 1B-31, Florida Administrative Code--Real Property Electronic Recording
    • Chapter 2.430-2.440 and Retention Schedule, Florida Rules of Judicial Administration -- Judicial Branch/Court records retention (PDF)




















New Hampshire

New Jersey

New Mexico

New York

North Carolina

North Dakota





Rhode Island

South Carolina

South Dakota







West Virginia



List of Records Management Standards (in progress)

Non-Comprehensive List of Statutory Regulations & Requirements (in progress)
  • Sarbanes-Oxley Act (2002) — This legislation pushes accountability for proper records management to the executive level. The law requires:
    • CEOs & CFOs to certify personally financial records & reports periodically,
    • Guidelines for audit committees to be established,
    • All documents relevant to possible government investigation be retained appropriately, and
    • Audit work papers to be retained for seven years.

Note: Similar laws exist in other countries. Some examples are included on the Sarbanes-Oxley Act Wikipedia page.

Other Relevant Agencies

#Top of page

(question) Questions or comments? (info) Contact us.

(warning) Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).