Records Management Policy
Policy Number: OGC-4
Effective Date: July 1, 2014
Responsible Officer: General Counsel
I. Purpose
The purpose of the Record Management Policy is to (1) establish an efficient University-wide record management system for maintaining, identifying, retrieving, preserving and destroying records, (2) ensure that records are adequately protected, (3) preserve University history, (4) ensure that records that are no longer needed or of no value are destroyed at the appropriate time, and (5) comply with all applicable local, state, and federal laws and regulations.
II. Scope
This policy applies to all records, including all University Information and University Resources, regardless of format, whether in paper, electronic, microform (e.g., microfilm, microfiche, magnetic tapes, and CD-ROM), or other medium.
III. Applicability
All employees and/or non-employee representatives who conduct business for or on behalf of the University (“Applicable Members”).
IV. Definitions
|
Active Record
|
See “University Record” below.
|
|
Historical Record
|
See “University Record” below.
|
|
Custodian of Record
|
The designated Department, as identified in the Record Retention Schedule, responsible for retaining and timely destroying University Records in compliance with this Policy.
|
|
Department
|
Any and all academic, clinical and administrative offices of the University.
|
|
Inactive Record
|
See “University Record” below.
|
|
IT Office
|
The Drexel Office of Information Resources and Technology (IRT), DUCOM-IT, and/or, as applicable, any other organizational technology group within the University (including its subsidiaries and affiliates) that maintains University Information or University Resources.
|
|
Litigation Hold Notice
|
See the Litigation Discovery Policy (OGC 7).
|
|
Record Management Administrator
|
The Department representative responsible for maintaining day-to-day records management practices and procedures.
|
|
Record Retention Period
|
The length of time for which the Custodian of Record is responsible for retaining a specified University Record in accordance with the Record Retention Schedule.
|
|
Record Retention Schedule
|
The table listing the required Record Retention Period and the designated Custodian of Record for each identified University Record.
|
|
University
|
Drexel University including its Colleges, Schools, Centers, Institutes, divisions, subsidiaries and affiliates.
|
|
University Information
|
See Use of University Information and University Resources Policy (OGC-6).
|
|
University Record
|
Any recorded information that is created or received by an Applicable Member or Department in the ordinary course of University business. All University Records regardless of their format (e.g. hardcopy or electronic) are subject to this Policy.
|
Active Record
|
A University Record that is currently being used in the ordinary course of University business.
|
|
Inactive Record
|
A University Record that is no longer being used in the ordinary course of University business that must be retained until the end of its Record Retention Period and is not required to be preserved in accordance with a Litigation Hold Notice.
|
|
Expired Record
|
A University Record
(i) that is no longer being used in the ordinary course of University business;
(ii) is not listed under the Record Retention Schedule or whose Record Retention Period has ended;
(iii) that is not subject to a Litigation Hold Notice; and
(iv) that is not an Historical Record.
|
|
V. Policy
A. University Records and Record Retention Schedule
Active, Inactive, and Historical Records must be maintained in accordance with the Record Retention Schedule and this Policy. Expired Records must be destroyed in accordance with this Policy.
The Record Retention Schedule designates the Custodian of Record for each identified University Record.
If a record is not found under the Record Retention Schedule, it must be destroyed once it is no longer needed in the ordinary course of University business. However, if an Applicable Member believes a record not listed on the Record Retention schedule should be retained or an Applicable Member believes that a University Record should be retained beyond the time period specified on the Record Retention Schedule, the Applicable Member should not destroy such record without prior approval of the University’s Office of the General Counsel (“OGC”).
The Record Retention Schedule identifies certain Historical Records. However, some Historical Records could not be listed in the Record Retention Schedule given the nature of its content and the events associated with the Historical Record (e.g. a letter or e-mail written memorializing an important event). Retaining these types of Historical Records is a responsibility shared by all University Members. If a Member believes an Expired Record should be retained for its historical value and should be permanently retained as a Historical Record, it should consult University Archives. Record transferred to the University Archives may be restricted by the office of origin for up to 25 years. Longer restrictions may apply if required by federal, state, or local statute.
If a record fits within two categories, each having a different retention period, the longer period governs. In order to facilitate compliance with this Policy, all Record Retention Periods expiring during a calendar year may be extended to the last day of such calendar year. Thus, all University Records expiring during a calendar year should be destroyed on the last day of that calendar year.
B. Non-University Records
All Non-University Records (i.e. any communications not listed in the Record Retention Schedule, informal communications) should be immediately destroyed after use.
C. Copies of University Records
Departments and Applicable Members that are not the designated Custodian of Record for an identified University Record are expected to only retain copies and drafts of such University Record to the extent necessary to conduct University business. Such University Departments and/or Applicable Members must destroy such copies/drafts once they are no longer needed to conduct University business unless subject to a Litigation Hold Notice.
The designated Custodian of Record for an identified University Record should only retain originals of Inactive Records and destroy all copies and drafts.
D. Litigation Holds Notices
All University Records are subject to the Litigation Discovery Policy (OGC-7). If there is any reason to believe that a claim may be asserted against the University for which any University Records may be relevant, such records must not be destroyed without the prior approval of the OGC.
E. Security - Confidential Information
Many University Records contain confidential information which is protected by University policies and procedures, as well as, state and federal laws and regulations including but not limited to the Family Educational Rights and Privacy Act (“FERPA”), the Health Insurance Portability and Accountability Act (“HIPAA”), the Gramm-Leach-Bliley Act, and the Fair and Accurate Credit Transactions Act of 2003. This Policy shall be implemented in a manner consistent with all such policies, procedures, laws and regulations, as those may be amended from time to time.
F. Records Management Responsibilities
Records management is the responsibility of all Applicable Members of the University.
1. University Department Head.
The head of each University Department is responsible for:
- Developing and maintaining practices and procedures that meet the specific requirements under this Section V and Section VI below;
- Ensuring Applicable Members of the Department comply with this Policy;
- Reporting any potential or actual non-compliance with this Policy to the OGC;
- Designating one or more Record Management Administrators (depending on organizational structure). Where a Department is small or has minimum records management obligations, the head of the Department may consider serving as the Records Management Administrator; where a Department is large or has complex records management obligations, the Department Head should consider designating more than one Record Management Administrator; and
- Designating an Alternate Record Management Administrator in the event the current Records Management Administrator departs from the University or is unavailable.
Where a Department serves as Custodian of Record with regard to a University Record, the Department is responsible for maintaining their designated University Record in compliance with the Record Retention Schedule.
2. Responsibilities of Records Management Administrator.
The Record Management Administrator must implement the Department’s established record management practices and procedures on a day-to-day basis. Specifically, the Records Management Administrator is responsible for: Coordinating retention, preservation, and destruction of University Records in accordance with this Policy and the Department’s records management practices and procedures; and Coordinating the Department’s efforts to comply and respond to any issued Litigation Hold Notice, internal or external investigations, court orders, or other requests for records in a timely fashion;
3. Responsibilities of Applicable Members.
All Applicable Members are responsible for the University Records in their possession. Applicable Members are responsible for reviewing the content of the records they use in conducting University business and complying with this policy.
The IT Office is not responsible for determining whether or not an electronic record must be retained or destroyed in accordance with this policy.
Every Applicable Member is responsible for complying with this policy as well as the record management practices and procedures established by their Department. Failure to comply with this policy may result in disciplinary action (up to and including termination) and/or legal action. If a Member believes another University Member is violating this policy (e.g. destroying University Records required to be retained), such University Member should immediately contact the OGC or report such incidents through the University’s Hotline.
VI. Requirements for Department Record Management Practices and Procedures
A Department’s practices and procedures must cover all aspects of records management including maintaining, identifying, retrieving, preserving and destroying University Records. Such practices must take into account business needs as well as legal and security requirements. In addition, such practices should allow for efficient access and retrieval of University Records.
A. Indexing System: Management of Active, Inactive and Archival Records
Departments shall implement and maintain a Department-wide centralized and/or uniform indexing system with which all Applicable Members of the Department must comply. The indexing system should be based on the nature of the Department’s business need. This will ensure efficient and streamlined accessibility, retrieval, and destruction. Thus, the same indexing system used for maintaining Active Records in the ordinary course of business should be followed for the centralized storage of Inactive Records.
B. Protection and Security of Confidential Information
Departments must implement practices that protect confidential information contained in University Records in accordance with relevant laws and University policies. Such protections must be applied in maintaining Active Records, the storage of Inactive and Archival Records, and the destruction of Expired Records. Thus, the level of security that applies to an Active Record must be maintained when such a record becomes an Inactive or Archival Record. See Section F below for further requirements for destroying such records.
C. Responding to Records Requests
Departments must implement practices that allow for efficient compliance and response to any Litigation Hold Notice, internal or external investigation, court order, or other requests for University Records in a timely fashion.
D. Physical Storage Facilities Practices
A Department’s storage facility practices must ensure the preservation of all University Records in their original condition while also ensuring efficient retrieval of such records. Departments should secure any physical on-campus storage facility to avoid unauthorized access. In addition, such facility and set up should protect such records from possible physical damage such as:
- Pest infestation
- Fire, smoke, or sprinkler damage
- Water damage (e.g., humidity, leaky pipes)
- Damage from magnets (e.g., digital data on magnetic storage media)
For off-site storage, Departments may only use a University-designated storage facility. For more information, contact University Procurement.
E. Retention Practices
University Records must be retained by the Custodian of Record in the following manner:
- Hardcopies must be retained in hardcopy form unless it is converted to electronic format in a University centrally managed system (e.g. Banner, AllScripts, etc.).
- Electronic records, such as e-mails, pdfs, and other electronic documents that are not retained in a University centrally managed system (e.g. Banner, AllScripts, etc.) should be printed in hard copy form in a manner that preserves their original content and form.
- Electronic records stored within a University centrally managed system (e.g. Banner, Electronic Medical Records, etc.) must comply with the requirements under Section VI.B and C above and other applicable University policies. The Custodian of Record is responsible for contacting and consulting with the IT Office to ensure such compliance.
F. Destruction of Expired Records
If the Custodian of Record believes that an Expired Record has historical value and should be permanently retained as a Historical Record, the University Archives Department should be consulted. Otherwise, all other Expired Records must be destroyed by the Custodian of Record in the following manner:
1. Hardcopy Destruction.
Expired Records in hardcopy form that do not contain confidential information should be recycled. Expired Records in hardcopy form that do contain confidential information should be shredded in a manner that renders them unreadable and that would prevent them from being reconstructed. Security of the Expired Records should be maintained until proper destruction is actually performed.
2. Electronic Records.
E-mails and other electronic documents (e.g., Word Documents, Excel, and PDFs) should be deleted.
The Custodian of Record is responsible for contacting and consulting with the IT Office to ensure that Expired Records contained in a University centrally managed system (e.g. Banner, AllScripts, etc.) are properly destroyed.
Devices or other media that store electronic records (e.g., jump drives, CDs, etc.) should be destroyed in a manner consistent with media sanitization methods which include disintegration, incineration, pulverization or melting. The type of sanitization required will depend on the type of device as well as the nature of the information contained in the device. Such destruction methods require trained professionals and should be conducted by authorized personnel. The IT Office and the University’s designated off-site storage facility currently provide such services. Consult the IT Office or the University’s designated off-site storage facility to arrange for such destruction.