1 / 25

To Keep or Not to Keep: The Legalities of Record Retention

To Keep or Not to Keep: The Legalities of Record Retention. Mastering the Maze 2008 Joint presentation by: Tom Mercurio, General Counsel and Erica Heffner, Institutional Compliance. Overview. Importance of Records Management What is a “Record”

Download Presentation

To Keep or Not to Keep: The Legalities of Record Retention

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. To Keep or Not to Keep:The Legalities of Record Retention Mastering the Maze 2008 Joint presentation by: Tom Mercurio, General Counsel and Erica Heffner, Institutional Compliance

  2. Overview Importance of Records Management What is a “Record” Review of Policy and Records Schedule Sources of Rules and about Preservation and Destruction Duty to Destroy and how to do it right Special Topics

  3. Why is Records Management Important? • Records are an information asset and hold value for an organization • Organizations have a duty to stakeholders to manage records effectively • Organizations must comply with regulatory retention requirements

  4. Who is responsible for managing records and information? • Each employee has an important role to play in protecting the University by creating, using, retrieving and disposing of records in accordance with University policy. • Each employee should be familiar with the policy and know how to access the schedule

  5. What are records? • Records are the evidence of what an organization does. They capture the business activities and transactions, correspondence, personnel files. • Records come in many formats, including paper, e-mail, databases, web content, and can reside on PDA’s, flash drives, desktops, and servers.

  6. What are records? • Records are things that (1) exist longer than it takes to create them, and (2) can be preserved and revisited later. • Choices we make (consciously or not): to create a record; to preserve it; to destroy it • All records are “public” records; not all records are “official” or need to be preserved.

  7. Policy Definition - Records • Records: means any and all written or recorded matter produced or acquired in the course of University business, including without limitation all papers, documents, e-mail messages, machine-readable materials, and any other written or recorded matters, regardless of their physical form or characteristics.

  8. Sources of Rules About Preservation and Destruction • Rules imposed upon us by law or other authority • Rules we fashion and impose on ourselves (and must obey!)

  9. UVM Policy Statementhttp://www.uvm.edu/~uvmppg/ppg/general_html/recordretention.pdf Threefold policy statement (Create and maintain, Protect, Destroy): • To preserve the integrity (maintain) of documents created or maintained in the course of institutional business, • To secure sensitive information contained in University records, and • To ensure that records that are no longer needed or have no value are discarded at the appropriate time.

  10. Maintenance and Preservation of Records • The Records Retention Schedules sets forth retention periods for University records (http://www.uvm.edu/~complian/record_retention/uvmretentionschedule.pdf) • Periods are based on federal or state regulatory requirements, professional association guidance and management needs • Schedule is updated as requirements change, refer to the posted schedule for most current version

  11. Common Departmental Retention Requirements The following records are common to most departments: • Employment files not in Human Resources • Timesheets and supporting documentation • Employment applications and interview notes • Contracts • Journal Entry Support • Interdepartmental billing records • Budget Change Orders Support Detail (if not entered into Peoplesoft) • Sponsored research data

  12. Duty to Secure Sensitive Information The policy specifically identifies personal information as: • Personal information: means an individual’s signature, Social Security number, physical characteristics or description, passport number, driver’s license or state identification card number, insurance policy number, bank account number, credit card number, debit card number, or any other financial information.

  13. Duty to Secure (cont.) • Records containing personal information should be secured to prevent unauthorized disclosure. • Accidental public disclosure of personal information requires reporting and disclosure in accordance with VT act 162 provisions. • Social Security numbers, in particular, should no longer be used as a unique identifier for employees or students. Peoplesoft and Banner systems have unique identifiers (student or employee id #’s) that should always be used when a unique identifier is required. SSN’s should be used only in those instances when required (usually by Federal agencies) or for credit application.

  14. Duty to Destroy - Record Disposal • When records have reached the end of their retention period they should be discarded or destroyed. • Any records containing personal information should be destroyed by either shredding, erasing or otherwise modifying personal information make it unreadable or indecipherable.

  15. Legal Reference - Document Destruction • VT Act 162 Document Safe Destruction Act (Effective January 1, 2007) An organization shall take all reasonable steps to destroy or arrange destruction of a customer’srecords when those records contain personal information which is no longer to be retained by the business.

  16. Record Disposal- Resources • Procurement has arranged a pricing agreement with SecurShred for favorable rates on paper and tape destruction. SecureShred (802)863-3003 phone Contact: David Van Mullen http://www.securshred.com/ • Special consideration should be given when disposing of computers or other types of “Techno Trash” that may hold data (including personal information) CD’s, floppy drives, zip drives, thumb drives, PDA’s etc. These items should be erased of any data before disposal and then disposed of properly through University recycling. Disposal resources include: • Disposal of Surplus Computers (Directions for erasing hardrives) • https://www.uvm.edu/ets/security/erase/ • Techno Trash Recycling at UVM • http://www.uvm.edu/%7Erecycle/?Page=Guide/technotrash.html

  17. Special Topics • VT Act 162 • UVM’s Social Security Number Policy • Security Breaches • “Litigation Holds” • Public Records Act Requests • Confidentiality: FERPA, HIPAA

  18. Special TopicsVT Act 162 Protection of Personal Information State law passed in 2006 with effective dates in 2007, containing three major provisions: • Security Breach Notification - notifications required when personal information is compromised • Prohibitions on uses of Social Security Numbers • Document safe destruction Act - addressed in Records Retention Policy

  19. The University must collect social security numbers of students and employees to fulfill its responsibilities under federal and state law. The University must comply with federal and state laws that govern confidentiality of ssn’s and the destruction of records containing those numbers The policy includes Act 162 prohibitions on the uses of SSN’s, including: Intentionally communicating or making a SSN available to the public Intentionally printing a SSN on any card required for access to services Requiring an individual to transmit a SSN over the internet unless the internet connection is secure Printing a SSN on any materials that are mailed to an individual unless required by law Selling, leasing, lending, trading or otherwise disclosing an individual’s SSN to a third party without consent. UVM’s SSN Policy (under review)

  20. Security Breach Notification Requirements • Notification required of a security breach of personal data • Personal Data - includes a persons first name or initial, last name in combination with SSN, Drivers license number, account number, credit card number, account password or PIN number. • UVM’s security breach website: • (https://www.uvm.edu/ets/security/?Page=breach.html)

  21. Litigation Holds When NOT to destroy: Pending or anticipated litigation External investigation Internal audit or investigation Pending request to see a record

  22. Public Records Request • Records and Documents Request Policy (http://www.uvm.edu/~uvmppg/ppg/general_html/record_request.pdf)

  23. FERPA Rights Disclosure Policy http://www.uvm.edu/~uvmppg/ppg/student/ferpa.pdf Addresses students rights to access to their educational records Students have legal expectation that their education records kept confidential, however, does not prevent communicating student information to UVM faculty and staff with legitimate need to know basis. HIPAA UVM hybrid entity, only those covered components are subject to HIPAA privacy requirements http://www.uvm.edu/~complian/compliance/?Page=HIPAA_UVM.html FERPA/HIPAA

  24. Respect and secure Personal Information Respect privacy of student records Know when NOT to destroy records Know when and how to properly destroy official records Use discretion with all other records Points to Remember

  25. Wrap -up • Questions? • Resources: • Tom Mercurio - General Counsel Office ph: 656-8585 • Erica Heffner- Institutional Compliance ph: 656-1398

More Related