To Keep or Not to Keep: The Legalities of Record Retention
Mastering the Maze 2008
Joint presentation by: Tom Mercurio, General Counsel and Erica Heffner, Institutional Compliance
Overview
• Importance of Records Management
• What is a “Record”
• Review of Policy and Records Schedule
• Sources of Rules About Preservation and Destruction
• Duty to Destroy and how to do it right
• Special Topics
Why is Records Management Important?
• Records are an information asset and hold value for an organization
• Organizations have a duty to stakeholders to manage records effectively
• Organizations must comply with regulatory retention requirements
Who is responsible for managing records and information?
• Each employee has an important role to play in protecting the University by creating, using, retrieving and disposing of records in accordance with University policy.
• Each employee should be familiar with the policy and know how to access the schedule.
What are records?
• Records are the evidence of what an organization does. They capture business activities and transactions, correspondence, and personnel files.
• Records come in many formats, including paper, e-mail, databases, and web content, and can reside on PDA’s, flash drives, desktops, and servers.
What are records?
• Records are things that (1) exist longer than it takes to create them, and (2) can be preserved and revisited later.
• Choices we make (consciously or not): to create a record; to preserve it; to destroy it.
• All records are “public” records; not all records are “official” or need to be preserved.
Policy Definition - Records
• Records: means any and all written or recorded matter produced or acquired in the course of University business, including without limitation all papers, documents, e-mail messages, machine-readable materials, and any other written or recorded matters, regardless of their physical form or characteristics.
Sources of Rules About Preservation and Destruction
• Rules imposed upon us by law or other authority
• Rules we fashion and impose on ourselves (and must obey!)
UVM Policy Statement
http://www.uvm.edu/~uvmppg/ppg/general_html/recordretention.pdf
Threefold policy statement (Create and maintain, Protect, Destroy):
• To preserve the integrity (maintain) of documents created or maintained in the course of institutional business,
• To secure sensitive information contained in University records, and
• To ensure that records that are no longer needed or have no value are discarded at the appropriate time.
Maintenance and Preservation of Records
• The Records Retention Schedule sets forth retention periods for University records (http://www.uvm.edu/~complian/record_retention/uvmretentionschedule.pdf)
• Periods are based on federal or state regulatory requirements, professional association guidance and management needs
• The schedule is updated as requirements change; refer to the posted schedule for the most current version
Common Departmental Retention Requirements
The following records are common to most departments:
• Employment files not in Human Resources
• Timesheets and supporting documentation
• Employment applications and interview notes
• Contracts
• Journal Entry Support
• Interdepartmental billing records
• Budget Change Orders Support Detail (if not entered into Peoplesoft)
• Sponsored research data
Duty to Secure Sensitive Information
The policy specifically identifies personal information as:
• Personal information: means an individual’s signature, Social Security number, physical characteristics or description, passport number, driver’s license or state identification card number, insurance policy number, bank account number, credit card number, debit card number, or any other financial information.
Duty to Secure (cont.)
• Records containing personal information should be secured to prevent unauthorized disclosure.
• Accidental public disclosure of personal information requires reporting and disclosure in accordance with VT Act 162 provisions.
• Social Security numbers, in particular, should no longer be used as a unique identifier for employees or students. The Peoplesoft and Banner systems have unique identifiers (student or employee ID numbers) that should always be used when a unique identifier is required. SSN’s should be used only in those instances when required (usually by Federal agencies) or for a credit application.
Duty to Destroy - Record Disposal
• When records have reached the end of their retention period they should be discarded or destroyed.
• Any records containing personal information should be destroyed by shredding, erasing or otherwise modifying the personal information to make it unreadable or indecipherable.
Legal Reference - Document Destruction
• VT Act 162 Document Safe Destruction Act (Effective January 1, 2007)
An organization shall take all reasonable steps to destroy or arrange destruction of a customer’s records when those records contain personal information which is no longer to be retained by the business.
Record Disposal - Resources
• Procurement has arranged a pricing agreement with SecurShred for favorable rates on paper and tape destruction. SecurShred, (802) 863-3003, Contact: David Van Mullen, http://www.securshred.com/
• Special consideration should be given when disposing of computers or other types of “Techno Trash” that may hold data (including personal information): CD’s, floppy drives, zip drives, thumb drives, PDA’s, etc. These items should be erased of any data before disposal and then disposed of properly through University recycling. Disposal resources include:
• Disposal of Surplus Computers (directions for erasing hard drives): https://www.uvm.edu/ets/security/erase/
• Techno Trash Recycling at UVM: http://www.uvm.edu/%7Erecycle/?Page=Guide/technotrash.html
Special Topics
• VT Act 162
• UVM’s Social Security Number Policy
• Security Breaches
• “Litigation Holds”
• Public Records Act Requests
• Confidentiality: FERPA, HIPAA
Special Topics - VT Act 162 Protection of Personal Information
State law passed in 2006 with effective dates in 2007, containing three major provisions:
• Security Breach Notification - notifications required when personal information is compromised
• Prohibitions on uses of Social Security Numbers
• Document Safe Destruction Act - addressed in Records Retention Policy
UVM’s SSN Policy (under review)
• The University must collect social security numbers of students and employees to fulfill its responsibilities under federal and state law.
• The University must comply with federal and state laws that govern confidentiality of SSN’s and the destruction of records containing those numbers.
• The policy includes Act 162 prohibitions on the uses of SSN’s, including:
• Intentionally communicating or making a SSN available to the public
• Intentionally printing a SSN on any card required for access to services
• Requiring an individual to transmit a SSN over the internet unless the internet connection is secure
• Printing a SSN on any materials that are mailed to an individual unless required by law
• Selling, leasing, lending, trading or otherwise disclosing an individual’s SSN to a third party without consent
Security Breach Notification Requirements
• Notification is required of a security breach of personal data
• Personal Data - includes a person’s first name or initial and last name in combination with a SSN, driver’s license number, account number, credit card number, or account password or PIN
• UVM’s security breach website: https://www.uvm.edu/ets/security/?Page=breach.html
Litigation Holds
When NOT to destroy:
• Pending or anticipated litigation
• External investigation
• Internal audit or investigation
• Pending request to see a record
Public Records Request
• Records and Documents Request Policy (http://www.uvm.edu/~uvmppg/ppg/general_html/record_request.pdf)
FERPA/HIPAA
• FERPA Rights Disclosure Policy: http://www.uvm.edu/~uvmppg/ppg/student/ferpa.pdf
• Addresses students’ rights of access to their educational records
• Students have a legal expectation that their education records are kept confidential; however, this does not prevent communicating student information to UVM faculty and staff with a legitimate need to know.
• HIPAA: UVM is a hybrid entity; only those covered components are subject to HIPAA privacy requirements. http://www.uvm.edu/~complian/compliance/?Page=HIPAA_UVM.html
Points to Remember
• Respect and secure Personal Information
• Respect privacy of student records
• Know when NOT to destroy records
• Know when and how to properly destroy official records
• Use discretion with all other records
Wrap-up
• Questions?
• Resources:
• Tom Mercurio - General Counsel Office, ph: 656-8585
• Erica Heffner - Institutional Compliance, ph: 656-1398