Purpose

To provide a practical set of resources that will assist members of the higher education community in addressing related issues of electronic records management (ERM), e-discovery, and data retention on their own campuses.

Introduction

We all create and use information every day. Taking care of that information (in all its many forms) is an effort requiring shared responsibility by each member of a specific community. Just figuring out where to start and what needs to be done can be a time-consuming task.

Some institutions have done a lot of work in this area, while others have just gotten started, and still others have done little or nothing. We all have an opportunity to learn from and share with each other. This set of resources is intended to be a collaborative and evolving effort. Please use this forum to share what you have done! It might be just what someone else is looking for. If you have questions or comments regarding this toolkit, or if you'd like to contribute your own material, please contact the Higher Education Information Security Council.

This toolkit will provide valuable information on the following areas:

• ERM Background and Context
• Getting Started with ERM
• What Others Are Doing with ERM
• Additional ERM Resources

ERM Background and Context

Interest in records and information management (RIM) continues to increase among university & college leadership due to new compliance regulations and statutes. The growing number of corporate scandals and government incidents involving questionable or deficient records management practices have raised general awareness of and created a critical interest in records compliance, retention period requirements, litigation preparedness, data security & privacy, and many other records and information management issues.

Records management is often seen as an unnecessary or low priority administrative task that can be performed at the lowest levels within an organization. However, this perception is changing as these publicized events have demonstrated that records management is in fact the responsibility of all individuals within an organization.

Electronic Records Management

The general principles of records and information management apply to records in any media, form and format. However, the complex attributes of electronic records (also called digital records) present specific issues that records stored in paper and microfilm do not typically share. For example, it is more difficult to ensure that the content, context and structure of electronic records is preserved and protected.

Several concepts are critical when addressing Electronic Records Management. A simple way to think about it is to imagine all information existing within a lifecycle. From the moment of creation until the time it is no longer needed, information should be managed with care according to a variety of factors, including sensitivity, confidentiality, and desired longevity.

Within the information lifecycle, information may take different forms over time. Records are one type of information. Electronic records are those records that have been created or stored using electronic systems.

Records may be grouped into classes according to a variety of factors. Common factors include, but are not limited to, record type, sensitivity, confidentiality, and desired longevity.

Based on those classifications, records can then be scheduled according to their required or desired retention periods, and their recommended method of disposition. In addition, certain classes of records may only be appropriate for access by certain members of a community. Almost all records are subject to discovery.

The entire process by which an organization creates, classifies, controls, and authorizes access to electronic records is known as Electronic Records Management.

Related Topics

• E-Discovery Toolkit
• Records Retention and Disposition Toolkit
• Access Control
• Logging and Monitoring
• Data Classification Toolkit
• Guidelines for Information Media Sanitization
• Legal Requirements

#Top of page

Practical Guide to Getting Started

So what's the best way to get started? The answer to that question will largely depend on the particular culture of your campus and your knowledge of the players involved.

No matter where you start, though, you likely won't get far unless you have the support of top-level administration, and can build a critical mass of people within the community who understand (and can help others understand) what's at stake.

• Who to Involve?
• What to Do?
• Raising Campus Awareness
• Building and Providing Tools
• Information Management Policies

Who to Involve?

Potential partners include legal counsel, internal auditors, chief information officers, information security officers, privacy officers, records managers, archivists, comptroller, head of student affairs, and head of academic affairs.

What to Do?

• Know what records you have & where they are (data or records inventory).
• Decide how sensitive or valuable those records are (data classification & records retention/disposition scheduling).
• Prioritize (start with the most sensitive or valuable stuff first).
• Understand the alphabet-soup-of-regulations (e.g., HIPAA, FERPA, FOIA, GLBA, PCI-DSS, ISO, COBIT).
• Find out what others in your region are doing (collaborate, don't reinvent).
• Form partnerships with state & national organizations addressing this issue.

Raising Campus Awareness

Need help making the case? Here's a presentation you can tailor to suit your needs and institutional culture. Good luck!

Building and Providing Tools

• Access Control is any mechanism by which a system grants or revokes the right to access some data, or perform some action.
• Data Classification is the act of placing data into categories that will dictate the level of internal controls to protect that data against theft, compromise, and inappropriate use.
• Records Inventory is a detailed listing of the volume, scope, and complexity of an organization's records, usually compiled for the purpose of creating a records schedule. The results of the inventory can be used to analyze the records for various purposes including retention and protection.
• Records Retention and Disposition Schedule: Records retention is the act of the keeping records for as long as they have administrative, business, legislative and/or cultural value. Retention specifically refers to the period of time a document is required to be kept. At the end of the retention period, the document becomes eligible for disposition. Records disposition refers to actions taken with regard to records that are no longer needed for current business as determined by their appraisal pursuant to legislation, regulation, or administrative procedure. The term "disposition" includes both actions of destruction and the transfer of records to an appointed archive for permanent preservation.

Information Management Policies

These policies describe expectations for handling certain types of content.

• Incident Handling & Response – An incident response plan outlines actions to be taken in the event that information or systems have been compromised.
• Privacy – Privacy policies set forth the expectation for safeguarding and sharing of information entrusted to an institution.
• Security – Security policies describe the legal, privacy, and security-related responsibilities that members of the institution have.
• Responding to Law Enforcement Requests – Policies in this area assist faculty and staff in responding to investigative contact by law enforcement officials.
• Responding to Open Records Requests – Policies in this area assist faculty and staff in responding to open records requests.

#Top of page

What Are Others Doing?

Brigham Young University

• Records Management Handbook (refer to Section 6 - Managing Electronic Records, p. 24-32)

Indiana University

• Strategies for Managing Electronic Records: Lessons Learned from IU's Electronic Records Project

The Ohio State University

• Records Management Overview
• Electronic Records Overview
• What is a Record?
• Records and Information Management Resources
• Retention Schedules
• OSU Institutional Data Policy
• Ohio Electronic Records Committee
• Ohio Historical Records Advisory Board

The Ohio State University Libraries

• Digital Preservation Policy Framework: A Case Study

Pennsylvania State University

• Records Management
• University Archives and Records Management Policy

University of California

• University Records Management Program

The University of Kansas

• Information Management Program
• Information Management: University Information/Records
• Records Management and Record Retention Schedule

University of Missouri System

• Electronic Record Management
• Records Management FAQ

University of Virginia

• Electronic Records FAQ
• Electronic Records Guidelines (Library of Virginia)

#Top of page

Additional Resources

• Definitions
• List of Records Management Laws for State Agencies
• Other Toolkit Components Still Under Development
  • List of Records Management Standards
  • Non-Comprehensive List of Statutory Regulations & Requirements
• Other Relevant Agencies

Definitions

Unless otherwise noted*, all definitions are from the Glossary of Records and Information Management Terms, 3rd ed., ARMA International (2007).

• Archives — 1) The documents created or received and accumulated by a person or organization in the course of the conduct of affairs and preserved because of their continuing value; 2) The building or part of a building in which archives are preserved and made available for consultation; or 3) The agency or program responsible for selecting, acquiring, preserving, and making available archives
• Data — Symbols or characters that represent raw facts or figures and form the basis of information
• Discovery — Required disclosure of relevant items in the possession of one party to the opposing party during the course of legal action
• Disposition — A final administrative action taken with regard to records, including destruction, transfer to another entity, or permanent preservation
• Electronic Records Management — 1) The application of records management principles to electronic records; or 2) The management of records using electronic systems to apply records management principles
• Information — Data that has been given value through analysis, interpretation, or compilation in a meaningful form
• Lifecycle (of a record) — Distinct phases of a record's existence, from creation to final disposition
• Record — Recorded information, regardless of medium or characteristics, made or received by an organization in the pursuance of legal obligations or in the transaction of business.
• Records and Information Management — Field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use, and disposition of records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records
• Records Manager* — The person responsible for the oversight and administration of the records management program in an organization. Records Managers are found in all types of organizations, including business, government, and non-profit sectors. This role has evolved over time in response to the ever-increasing need for and importance of records management. On the whole, the role can take many forms with a variety of titles and can have various reporting structures. The role might be held by an attorney or legal counsel member, a senior administrative associate, a manager in the IT department, the Compliance Officer or Auditor, or even the Chief Information Officer of an organization. Records Managers may focus on operational responsibilities, design strategies and policies for maintaining and utilizing information, or combine elements of those jobs. What is most important is that the Records Manager's position be established and given appropriate authority by organizational policy, be supported by upper management, and be placed high in the organizational structure. In addition to the more traditional expertise of records appraisal, retention, disposition, and the like, today's Records Manager also commonly has subject matter expertise in law (as it affects records management), privacy and data protection, and electronic storage systems. Records Managers may have degrees in a wide variety of subjects in all disciplines and may have professional certifications awarded by organizations such as the Institute of Certified Records Managers, AIIM, the Society of American Archivists (SAA) and others.
• Retention Period — Length of time a record must be kept to meet administrative, fiscal, legal, or historical requirements
• Retention Program — A system established and maintained to define retention periods for records in an organization
• Retention Schedule — A comprehensive list of records series, indicating for each the length of time it is to be maintained and its disposition

List of Records Management Laws for State Agencies

Alabama

• State Records Retention Law
• Local Government Records Retention Law
• Open Meetings Act
• Alabama Open Records Law

Alaska

• General Administrative Records Retention Schedule
• Records Management Program
• Public Records Statute
• AS 40.17.010. Place of Recording and Access to Records

Arizona

• Accessing Arizona Public Records
• Arizona Public Records Law
• Uniform Real Property Electronic Recording Act

Arkansas

• Electronic Record Management Guidelines for Arkansas State Government
• Arkansas Freedom of Information Act

California

• State Records Management Act
• California Public Records Act

Colorado

• Colorado State Archives
• Colorado Open Records Act
• Open Records FAQ

Connecticut

• Public Act 97-89: "An Act Concerning the Recording, Copying and Maintenance of Certain Public Records"
• Required Minimum Microfilming Standards for Public Records; Disposition of Original Records (Policy Statement, General Letter 96-2c)
• Connecticut Freedom of Information Act

Delaware

• Delaware Freedom of Information Act
• Delaware Public Records Law

Florida

• Statutes and Administrative Code Rules Relating to Archives and Records Management
  • Chapter 119, 2008 Florida Statutes--Public Records Law
  • Chapter 257, 2008 Florida Statutes--Public Libraries and State Archives
  • Chapter 1B-11, Florida Administrative Code--Use of Archives and Archives Facilities
  • Chapter 1B-24, Florida Administrative Code--Public Records Scheduling and Dispositioning
  • Chapter 1B-26.003, Florida Administrative Code--Electronic Recordkeeping
  • Chapter 1B-26.0021, Florida Administrative Code--Microfilm Standards
  • Chapter 1B-31, Florida Administrative Code--Real Property Electronic Recording
  • Chapter 2.430-2.440 and Retention Schedule, Florida Rules of Judicial Administration -- Judicial Branch/Court records retention (PDF)

Georgia

• Open Records Act
• Georgia Microforms Act

Hawaii

• Hawaii Laws that Apply to Retention & Disposition of Government Records
• Law Regarding Government Electronic Records

Idaho

• Idaho Code
• Idaho Statute 9-338, Right to Examine
• Idaho Statute on Public Writings
• Idaho Public Records Law Manual

Illinois

• The State Records Act (5 ILCS 160)
• The Local Records Act (50 ILCS ACT 205)
• Illinois School Student Records Act (105 ILCS 10)
• Filmed Records Reproduction Act (5 ILCS 170)
• Filmed Records Certification Act (50 ILCS 210)
• Filmed Records Destruction Act (50 ILCS 215)
• Freedom of Information Act (5 ILCS ACT 140)

Indiana

• Indiana Commission on Public Records: The Legal Framework of Records and Information Management in State Government
• State Government Records
• Access to Public Records

Iowa

• Open Records, Open Government
• Public Records Law, Chapter 22

Kansas

• Kansas Open Records Act

Kentucky

• Kentucky Open Records Act
• Kentucky Open Meetings and Open Records Laws
• Managing Government Records: An Introduction to Kentucky's Public Records Management Law

Louisiana

• Records Management Policies and Practices (LAC 4:XVII.Chapters 1-15)
• Louisiana State Archives Records Management Handbook

Maine

• Maine State Government Records Management Education and Training
• Maine Freedom of Access Act

Maryland

• Records management laws, rules, and regulations
• What is a public record?

Massachusetts

• Public Records Law
• A Guide to the Massachusetts Public Records Law

Michigan

• Michigan Freedom of Information Act (FOIA)
• Freedom of Information Act, Act 442 of 1976

Minnesota

• "Managing Your Government Records: Guidelines for Archives and Agencies" (What do you need to know about government records? Section 1 presents the definition of government records and summarizes the laws that govern them.)
• 2013 Statutes on Official Records
• 13.03 Access to Government Data
• Electronic Records Management Guidelines

Mississippi

• General Records Management FAQ
• Mississippi Public Records Act of 1983

Missouri

• Laws and Codes Pertaining to State Records
• "What Is a Record?," a Guide to Missouri's State Records Management Program

Montana

• What is a Public Record?
• Montana Administrative Rules: Records and Information Management

Nebraska

• Records Management Act
• Uniform Photographic Copies of Business and Public Records As Evidence Act

Nevada

• Chapter 239, Public Records

New Hampshire

• Right-to-Know Law

New Jersey

• New Jersey Open Public Records Act
• New Jersey Administrative Code Title 15 Department of State Chapter 3 Records Management Complete text of N.J.A.C. 15:3

New Mexico

• Governing statutes
• New Mexico Commission of Public Records
• Inspection of Public Records Act Compliance Guide
• Compliance Checklist

New York

• Laws and Regulations Relating to Local Government Records
• What are records?

North Carolina

• N.C.G.S § 121 The Archives and History Act 
• N.C.G.S § 132 The Public Records Act
• Laws and Guidelines for Public Records
• Uniform Real Property Electronic Recording Act

North Dakota

• North Dakota Electronic Records Management Guidelines

Ohio

• Ohio Public Records Laws and Legislation
• Sections of the Ohio Revised Code (respecting the creation, maintenance, preservation, transfer, and disposal of records)

Oklahoma

• Rules of the Oklahoma Archives and Records Commission
• Oklahoma Open Records Act

Oregon

• Oregon Administrative Rules
• Chapter 192 --- Records; Public Reports and Meetings

Pennsylvania

• Right to Know Law

Rhode Island

• Open Government, Access to Public Records
• Rhode Island "Access to Public Records" Act (Chapter 38-2)

South Carolina

• South Carolina Public Records Act
• Freedom of Information Act

South Dakota

• South Dakota Public Records and Files

Texas

• Texas StateGovernment Code, Chapter 441, Subchapter L - Preservation and Management of State Records and Other Historical Resources
• Texas Administrative Code, Title 13, Chapter 6, Records Retention Scheduling Rules
• Microfilming Standards and Procedures
• Electronic Records Standards and Procedures
• Texas State Records Retention Schedule (4th edition)
• Records Management Services for Government Agencies

Tennessee

• Rules of the Public Records Commission Includes definitions of records (permanent, temporary, confidential, archival, essential), citations of relevant statutes.

Utah

• Government Records Access and Management Act (GRAMA)
• Utah System of Higher Education R993, Records Access & Management

Vermont

• Vermont Public Records and the Right to Know: What is a Public Record?
• Vermont's Public Records Law

Virginia

• Virginia Public Records Management Manual
• Library of Virginia Records Management (includes a guide to the Virginia Public Records Act)

Washington

• Uniform Real Property Electronic Recording Act
• Washington Public Records Act

West Virginia

• Public Records Management and Preservation Act
• Regulations of the West Virginia State Records Administrator

Wisconsin

• Wisconsin Public Records Law, Compliance Outline
• Public Records Law

Wyoming

• Wyoming Statutes (Article 4: State Archives, Museums, and Historical Department)
• Wyoming Public Records Act

List of Records Management Standards (in progress)

• ISO 15489-1 Information and Documentation – Records Management – Part 1: General
• ISO 15489-2 Information and Documentation – Records Management – Part 2: Guidelines
• ISO 23081-1:2006 Metadata for Records - Part 1: Principles
• Department of Defense (DoD) 5015.2-STD: Electronic Records Management Software Applications Design Criteria Standard
• National Archives (United Kingdom)
• European Commission Archival Policy
  • Model Requirements for the Management of Electronic Records (MoReq)
  • MoReq2: Update and Extension of the Model Requirements for the Management of Electronic Records

Non-Comprehensive List of Statutory Regulations & Requirements (in progress)

• Sarbanes-Oxley Act (2002) — This legislation pushes accountability for proper records management to the executive level. The law requires:
  • CEOs & CFOs to certify personally financial records & reports periodically,
  • Guidelines for audit committees to be established,
  • All documents relevant to possible government investigation be retained appropriately, and
  • Audit work papers to be retained for seven years.

Note: Similar laws exist in other countries. Some examples are included on the Sarbanes-Oxley Act Wikipedia page.

Other Relevant Agencies

• ARMA International (The Authority on Managing Records and Information)
• National Archives
  • Records Management Publications
  • Electronic Records Management Initiative Guidance Products
  • NARA Transfer Guidance
  • Toolkit for Managing Electronic Records
  • Records Management Guidance for Agencies Implementing Electronic Signature Technologies
• National Association of College and University Attorneys (NACUA)
  • ABC University Information Security Plan
• Society of American Archivists

#Top of page

Questions or comments? Contact us.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).