Purpose

To provide a practical set of resources that will assist members of the higher education community in addressing related issues of electronic records management (ERM), e-discovery, and data retention on their own campuses.

Introduction

We all create and use information every day. Taking care of that information (in all its many forms) is an effort requiring shared responsibility by each member of a specific community. Just figuring out where to start and what needs to be done can be a time-consuming task.

Some institutions have done a lot of work in this area, while others have just gotten started, and still others have done little or nothing. We all have an opportunity to learn from and share with each other. This set of resources is intended to be a collaborative and evolving effort. Please use this forum to share what you have done! It might be just what someone else is looking for. If you have questions or comments regarding this toolkit, or if you'd like to contribute your own material, please contact the Higher Education Information Security Council.

This toolkit will provide valuable information on the following areas:

ERM Background and Context

Interest in records and information management (RIM) continues to increase among university and college leadership due to new compliance regulations and statutes. The growing number of corporate scandals and government incidents involving questionable or deficient records management practices has raised general awareness of, and created a critical interest in, records compliance, retention period requirements, litigation preparedness, data security and privacy, and many other records and information management issues.

Records management is often seen as an unnecessary or low priority administrative task that can be performed at the lowest levels within an organization. However, this perception is changing as these publicized events have demonstrated that records management is in fact the responsibility of all individuals within an organization.

Electronic Records Management

The general principles of records and information management apply to records in any media, form and format. However, the complex attributes of electronic records (also called digital records) present specific issues that records stored in paper and microfilm do not typically share. For example, it is more difficult to ensure that the content, context and structure of electronic records are preserved and protected.

Several concepts are critical when addressing Electronic Records Management. A simple way to think about it is to imagine all information existing within a lifecycle. From the moment of creation until the time it is no longer needed, information should be managed with care according to a variety of factors, including sensitivity, confidentiality, and desired longevity.

Within the information lifecycle, information may take different forms over time. Records are one type of information. Electronic records are those records that have been created or stored using electronic systems.

Records may be grouped into classes according to a variety of factors. Common factors include, but are not limited to, record type, sensitivity, confidentiality, and desired longevity.

Based on those classifications, records can then be scheduled according to their required or desired retention periods, and their recommended method of disposition. In addition, certain classes of records may only be appropriate for access by certain members of a community. Almost all records are subject to discovery.

The entire process by which an organization creates, classifies, controls, and authorizes access to electronic records is known as Electronic Records Management.

Related Topics

Practical Guide to Getting Started

So what's the best way to get started? The answer to that question will largely depend on the particular culture of your campus and your knowledge of the players involved.

No matter where you start, though, you likely won't get far unless you have the support of top-level administration, and can build a critical mass of people within the community who understand (and can help others understand) what's at stake.

Who to Involve?

Potential partners include legal counsel, internal auditors, chief information officers, information security officers, privacy officers, records managers, archivists, comptroller, head of student affairs, and head of academic affairs.

What to Do?
  • Know what records you have & where they are (data or records inventory).
  • Decide how sensitive or valuable those records are (data classification & records retention/disposition scheduling).
  • Prioritize (start with the most sensitive or valuable stuff first).
  • Understand the alphabet-soup-of-regulations (e.g., HIPAA, FERPA, FOIA, GLBA, PCI-DSS, ISO, COBIT).
  • Find out what others in your region are doing (collaborate, don't reinvent).
  • Form partnerships with state & national organizations addressing this issue.

Raising Campus Awareness

Need help making the case? Here's a presentation you can tailor to suit your needs and institutional culture. Good luck!

Building and Providing Tools
  • Access Control is any mechanism by which a system grants or revokes the right to access some data, or perform some action.
  • Data Classification is the act of placing data into categories that will dictate the level of internal controls to protect that data against theft, compromise, and inappropriate use.
  • Records Inventory is a detailed listing of the volume, scope, and complexity of an organization's records, usually compiled for the purpose of creating a records schedule. The results of the inventory can be used to analyze the records for various purposes including retention and protection.
  • Records Retention and Disposition Schedule: Records retention is the act of keeping records for as long as they have administrative, business, legislative and/or cultural value. Retention specifically refers to the period of time a document is required to be kept. At the end of the retention period, the document becomes eligible for disposition. Records disposition refers to actions taken with regard to records that are no longer needed for current business as determined by their appraisal pursuant to legislation, regulation, or administrative procedure. The term "disposition" includes both actions of destruction and the transfer of records to an appointed archive for permanent preservation.

Information Management Policies

These policies describe expectations for handling certain types of content.

  • Incident Handling & Response – An incident response plan outlines actions to be taken in the event that information or systems have been compromised.
  • Privacy – Privacy policies set forth the expectation for safeguarding and sharing of information entrusted to an institution.
  • Security – Security policies describe the legal, privacy, and security-related responsibilities that members of the institution have.
  • Responding to Law Enforcement Requests – Policies in this area assist faculty and staff in responding to investigative contact by law enforcement officials.
  • Responding to Open Records Requests – Policies in this area assist faculty and staff in responding to open records requests.

What Are Others Doing?

Brigham Young University
Indiana University
The Ohio State University
Pennsylvania State University
University of California
The University of Kansas
University of Missouri System
University of Virginia

  • Definitions
  • List of Records Management Laws for State Agencies
  • Other Toolkit Components Still Under Development
    • List of Records Management Standards
    • Non-Comprehensive List of Statutory Regulations & Requirements
  • Other Relevant Agencies
Definitions

Unless otherwise noted*, all definitions are from the Glossary of Records and Information Management Terms, 3rd ed., ARMA International (2007).

Archives — 1) The documents created or received and accumulated by a person or organization in the course of the conduct of affairs and preserved because of their continuing value; 2) The building or part of a building in which archives are preserved and made available for consultation; or 3) The agency or program responsible for selecting, acquiring, preserving, and making available archives
Data — Symbols or characters that represent raw facts or figures and form the basis of information
Discovery — Required disclosure of relevant items in the possession of one party to the opposing party during the course of legal action
Disposition — A final administrative action taken with regard to records, including destruction, transfer to another entity, or permanent preservation
Electronic Records Management — 1) The application of records management principles to electronic records; or 2) The management of records using electronic systems to apply records management principles
Information — Data that has been given value through analysis, interpretation, or compilation in a meaningful form
Lifecycle (of a record) — Distinct phases of a record's existence, from creation to final disposition
Record — Recorded information, regardless of medium or characteristics, made or received by an organization in the pursuance of legal obligations or in the transaction of business.
Records and Information Management — Field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use, and disposition of records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records
Records Manager* — The person responsible for the oversight and administration of the records management program in an organization. Records Managers are found in all types of organizations, including business, government, and non-profit sectors. This role has evolved over time in response to the ever-increasing need for and importance of records management. On the whole, the role can take many forms with a variety of titles and can have various reporting structures. The role might be held by an attorney or legal counsel member, a senior administrative associate, a manager in the IT department, the Compliance Officer or Auditor, or even the Chief Information Officer of an organization. Records Managers may focus on operational responsibilities, design strategies and policies for maintaining and utilizing information, or combine elements of those jobs. What is most important is that the Records Manager's position be established and given appropriate authority by organizational policy, be supported by upper management, and be placed high in the organizational structure. In addition to the more traditional expertise of records appraisal, retention, disposition, and the like, today's Records Manager also commonly has subject matter expertise in law (as it affects records management), privacy and data protection, and electronic storage systems. Records Managers may have degrees in a wide variety of subjects in all disciplines and may have professional certifications awarded by organizations such as the Institute of Certified Records Managers, AIIM, the Society of American Archivists (SAA) and others.
Retention Period — Length of time a record must be kept to meet administrative, fiscal, legal, or historical requirements
Retention Program — A system established and maintained to define retention periods for records in an organization
Retention Schedule — A comprehensive list of records series, indicating for each the length of time it is to be maintained and its disposition

List of Records Management Laws for State Agencies

Alabama

State Records Retention Law
Local Government Records Retention Law
Open Meetings Act
Alabama Open Records Law
Alaska

General Administrative Records Retention Schedule
Records Management Program
Public Records Statute
AS 40.17.010. Place of Recording and Access to Records
Arizona

Public Records Standards and Laws
Arizona Public Records Law
What Constitutes a Public Record?
What is a record? (tip sheet)
Uniform Real Property Electronic Recording Act
Arkansas

Electronic Record Management Guidelines for Arkansas State Government
Arkansas Freedom of Information Act
California

State Records Management Act
What is a record?
California Public Records Act
Colorado

Colorado Laws Concerning Public Records
Open Records
Open Records FAQ
Connecticut

GL M 97-1 PA 97-89: "An Act Concerning the Recording, Copying and Maintenance of Certain Public Records"
Required Minimum Microfilming Standards for Public Records; Disposition of Original Records (Policy Statement, General Letter 96-2c)
Connecticut Freedom of Information Act
Delaware

Delaware Freedom of Information Act
Delaware Public Records Law
Florida

Statutes and Administrative Code Rules Relating to Archives and Records Management
Chapter 119, 2008 Florida Statutes--Public Records Law
Chapter 257, 2008 Florida Statutes--Public Libraries and State Archives
Chapter 1B-11, Florida Administrative Code--Use of Archives and Archives Facilities
Chapter 1B-24, Florida Administrative Code--Public Records Scheduling and Dispositioning
Chapter 1B-26.003, Florida Administrative Code--Electronic Recordkeeping
Chapter 1B-26.0021, Florida Administrative Code--Microfilm Standards
Chapter 1B-31, Florida Administrative Code--Real Property Electronic Recording
Chapter 2.430-2.440 and Retention Schedule, Florida Rules of Judicial Administration – Judicial Branch/Court records retention (PDF)
Georgia

Summary of Georgia Record Keeping Laws
Georgia Records Act
Open Records Act
Georgia Microforms Act
Hawaii

Hawaii Laws that Apply to Retention & Disposition of Government Records
Law regarding government electronic record
Idaho

Idaho Code
Idaho Statute 9-338, Right to Examine
Idaho Statute on Public Writings
Idaho Public Records Law Manual
Illinois

The State Records Act (5 ILCS 160)
The Local Records Act (50 ILCS ACT 205)
Illinois School Student Records Act (105 ILCS 10)
Filmed Records Reproduction Act (5 ILCS 170)
Filmed Records Certification Act (50 ILCS 210)
Filmed Records Destruction Act (50 ILCS 215)
Freedom of Information Act (5 ILCS ACT 140)
Indiana

Indiana's Public Records: The Legal Framework of Records and Information Management in State Government
State Government Records
Access to Public Records
Iowa

Open Records, Open Government
Iowa Open Records Law, Iowa Code 1999: Chapter 22
Public Records Law, Chapter 22
Kansas

Kansas Open Records Act
Kentucky

Kentucky Open Records Act
Open Records Law
Managing Government Records: An Introduction to Kentucky's Public Records Management Law
Louisiana

Records Management Policies and Practices (LAC 4:XVII.Chapters 1-15)
Louisiana State Archives Records Management Handbook
Maine

Guidelines for Your Records Management Program (The Records Management Program for the State of Maine is authorized by MRSA Title V, Chapter 6, Section 95, Subsection 7. See p. 3 of the manual.)
Maine Freedom of Access Act
Maryland

Records management laws, rules, and regulations
What is a public record?
Massachusetts

Public Records Law
A Guide to the Massachusetts Public Records Law
What is a record?
Michigan

Michigan Freedom of Information Act (FOIA)
Freedom of Information Act, Act 442 of 1976
Minnesota

"Managing Your Government Records: Guidelines for Archives and Agencies" (What do you need to know about government records? Section 1 presents the definition of government records and summarizes the laws that govern them.)
2008 Statute on Official Records
13.03 Access to Government Data
Electronic Records Management Guidelines
Mississippi

General Records Management FAQ
Mississippi Public Records Act of 1983
Missouri

Laws and Codes Pertaining to State Records
"What Is a Record?," a Guide to Missouri's State Records Management Program
Montana

What is a Public Record?
Montana Codes Annotated
Montana Administrative Rules
Nebraska

Records Management Act
Uniform Photographic Copies of Business and Public Records As Evidence Act
Nevada

Nevada Administrative Code - Records of State Agencies
Chapter 239, Public Records
New Hampshire

Right-to-Know Law
New Jersey

New Jersey Public Records Related Legislation
New Jersey Right to Know Law/Open Public Records Act
New Jersey Administrative Code Title 15 Department of State Chapter 3 Records Management Complete text of N.J.A.C. 15:3
Summary history of N.J.A.C. 15:3
N.J.A.C. 15:3 Subchapter 1: General Provisions
N.J.A.C. 15:3 Subchapter 2: Records Retention
N.J.A.C. 15:3 Subchapter 3: Standards for Microfilming of Public Records
N.J.A.C. 15:3 Subchapter 4: Image Processing of Public Records
N.J.A.C. 15:3 Subchapter 5: Certification of Imaging Processing Systems
N.J.A.C. 15:3 Subchapter 6: Records Storage
New Mexico

Governing statutes
New Mexico Commission of Public Records
Inspection of Public Records Act, Compliance Guide
Compliance Checklist
New York

Laws and Regulations Relating to Local Government Records
What are records?
North Carolina

N.C.G.S § 121 The Archives and History Act
N.C.G.S § 132 The Public Records Act
Guidelines for Public Records
Uniform Real Property Electronic Recording Act
North Dakota

North Dakota Records Management Program Manual (Appendix A includes laws related to records and Appendix B includes definitions of records terminology.)
Ohio

Ohio Public Records Laws and Legislation
Sections of the Ohio Revised Code (respecting the creation, maintenance, preservation, transfer, and disposal of records)
Oklahoma

Rules of the Oklahoma Archives and Records Commission
Oklahoma Open Records Act
Oregon

Oregon Administrative Rules
Chapter 192 — Records; Public Reports and Meetings
Pennsylvania

Right-to-Know Law
Rhode Island

Records Laws: State records
Records Laws: Local government records
Study of Access to Public Records in Cities and Towns of Rhode Island
Rhode Island "Access to Public Records" Act
South Carolina

South Carolina Public Records Act
Freedom of Information Act
South Dakota

South Dakota Open Records Statute
Texas

Texas State Government Code, Chapter 441, Subchapter L - Preservation and Management of State Records and Other Historical Resources
Texas Administrative Code, Title 13, Chapter 6, Records Retention Scheduling Rules
Microfilming Standards and Procedures
Electronic Records Standards and Procedures
Texas State Records Retention Schedule (4th edition)
More information can be found at: http://www.tsl.state.tx.us/slrm/
Tennessee

Rules of the Public Records Commission Includes definitions of records (permanent, temporary, confidential, archival, essential), citations of relevant statutes.
Utah

Government Records Access and Management Act (GRAMA)
Utah System of Higher Education R993, Records Access & Management
Vermont

Vermont Public Records and the Right to Know: What is a Public Record?
Vermont's Public Record Law
Virginia

Virginia Public Records Act
Washington

Uniform Real Property Electronic Recording Act
Washington Public Records Act
West Virginia

Records Management and Preservation of Essential Records Act
Regulations of the West Virginia State Records Administrator

Wisconsin

Wisconsin Public Records Law, Compliance Outline
Public Records Law

Wyoming
  • Is It a Record?
  • Wyoming Statutes (Article 4: State Archives, Museums, and Historical Department)
  • Wyoming Public Records Act
List of Records Management Standards (in progress)
  • ISO 15489-1 Information and Documentation – Records Management – Part 1: General
  • ISO 15489-2 Information and Documentation – Records Management – Part 2: Guidelines
  • ISO 23081-1:2006 Metadata for Records - Part 1: Principles
  • Department of Defense (DoD) 5015.2-STD: Electronic Records Management Software Applications Design Criteria Standard
  • National Archives (United Kingdom)
  • European Commission Archival Policy
    • Model Requirements for the Management of Electronic Records (MoReq)
    • MoReq2: Update and Extension of the Model Requirements for the Management of Electronic Records
Non-Comprehensive List of Statutory Regulations & Requirements (in progress)
  • Sarbanes-Oxley Act (2002) — This legislation pushes accountability for proper records management to the executive level. The law requires:
    • CEOs & CFOs to certify personally financial records & reports periodically,
    • Guidelines for audit committees to be established,
    • All documents relevant to possible government investigation be retained appropriately, and
    • Audit work papers to be retained for seven years.
  • Similar laws in other countries:
    • Bill 198 — Ontario, Canada, equivalent of Sarbanes-Oxley Act
    • J-SOX — Japanese equivalent of Sarbanes-Oxley Act
    • German Corporate Governance Code (at the German Wikipedia)
    • CLERP9 — Australian corporate reporting and disclosure law
    • Financial Security Law of France ("Loi sur la Sécurité Financière") — French equivalent of Sarbanes-Oxley Act
    • L262/2005 ("Disposizioni per la tutela del risparmio e la disciplina dei mercati finanziari") — Italian equivalent of Sarbanes-Oxley Act for financial services institutions
    • King Report — South African corporate governance code
Other Relevant Agencies
  • National Association of College and University Attorneys (NACUA)
    • ABC University Information Security Plan
  • National Archives
    • Records Management Publications
    • Electronic Records Management Initiative Guidance Products
    • Electronic Records Management Guidance on the Web
    • Toolkit for Managing Electronic Records
    • Records Management Guidance for Agencies Implementing Electronic Signature Technologies
  • Society of American Archivists
  • ARMA International (The Authority on Managing Records and Information)
    • Electronic Records & E-Discovery
    • RIM (Records and Information Management) Fundamentals


Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
