1.18 Document Retention
13 February 2009
Executive Director, Finance
This policy primarily addresses the retention, management, and destruction of governance, financial and personnel records. A comprehensive records management policy includes multi-media records including e-mail, electronic records, voicemail as well as financial and non-financial records. Developing a strategic plan for classifying, archiving, reviewing and destroying all non-financial records of the University, including electronic and hard copy records, is beyond the scope of this Policy; however, the University will develop policies to address non-financial records, as appropriate.
Gallaudet University ("University") requires records retention and disposal to be a standardized and consistent process. The objective of our Records Retention and Management Policy ("Policy") is to ensure that the University complies with all applicable laws and regulations governing the management, retention and destruction of University records and to reduce the risk of accidental or erroneous destruction of records.
The University is committed to effective records management through:
- adherence to legal standards for record retention and protection of policy,
- optimizing the use of space,
- minimizing the cost of record retention, and
- properly destroying outdated or useless documents.
Gallaudet University Board of Trustees
Implementation of Policy
It is the responsibility of each applicable University employee to maintain and destroy the records that he or she originates, or otherwise receives, in accordance with this Policy and in order to comply with all applicable regulations governing the University's records, as such may be communicated by the Records Management Officer, from time to time.
Each applicable department is responsible for establishing appropriate records management procedures and practices, educating staff in sound record management practices, restricting access to confidential records and coordinating the destruction of records in accordance with this Policy. The Records Management Officer is available to assist in working with the departments to implement these requirements.
Definition of "Record"
A "record" is any recorded information in any format (including paper, electronic, and audiovisual materials, among others), wherever such information is stored which has been created or received by a University employee in connection with transactions of the University. Transitory documentation such as temporary notes of internal meetings, casual or personal email, etc. should not be considered "records" for purposes of this Policy. An employee is not required to maintain a copy of a record when the original or official copy is maintained elsewhere.
Records Management Officer
The Executive Director, Finance will serve as the University's Records Management Officer. To ensure compliance with the Policy, the Records Management Officer is responsible for overseeing the implementation of this Policy and providing guidance to applicable departments to ensure staff are educated in understanding sound record management practices, restricting access to confidential records and coordinating the appropriate and timely destruction of records.
Retention and Maintenance of Records
Federal, state and local regulations require the University to adhere to various record retention mandates. The appropriate time period for record retention is subject to ongoing statutory and regulatory changes. The Retention Schedule, attached to this Policy as Appendix A, lists the time period for which specific types of records can not be destroyed. The records included in Appendix A are not meant to be all-inclusive and employees should use their discretion and/or consult with the Records Retention Manager if they have questions regarding the time period for which a record should be maintained.
Many records subject to record retention requirements contain confidential information (such as name, address, social security number, bank account numbers, financial or financial aid information, student numbers, medical information, etc.). Such records are protected by federal, state and local statutes. In addition to the statutory requirements, any record that contains confidential information should be treated in accordance with the University's "Principles of Privacy."
Information on the University's "Principles of Privacy" or on specific privacy laws, such as the Family Educational Rights and Privacy Act (FERPA - student records); Health Insurance Portability and Accountability Act (HIPPA - personal health information); and the Privacy Act of 1974 (social security numbers) may be obtained from the Office of the Vice President, Administration and Finance, College Hall, Room 102, (202) 651-5075.
Additionally, any privacy rights of information stored on University computer systems are governed by University Policy 2.22 Use of Information Technology Resources, University Policy 3.06 Dissemination of Confidential Information, and Gallaudet Technology Services' guidelines.
Electronically Stored Information
The University has experienced a significant increase in the use and volume of electronically stored information in recent years. Due to the ease in creating, distributing and storing electronic documents in numerous locations as well as new rules regarding the use of electronically stored information in litigation (such as Amendments to the Federal Rules of Civil Procedure), the University must manage its electronic documents effectively, efficiently and in compliance with its legal obligations.
Electronic documents will be retained as if they were paper documents. Therefore, any electronic files, including records of donations made online, that fall into one of the document types described in the Retention Schedule at Appendix A will be maintained for the appropriate amount of time. If a user has sufficient reason to keep an email message, the message should be printed in hard copy and kept in the appropriate file or moved to an "archive" computer file folder so that such email, can be retrieved accurately and timely. Additional information on email back-ups can be found at Information Technology Service's guideline for Data Back Up.
Records Storage and Emergency Planning
The University's records will be stored in a safe, secure and accessible manner.
- Financial records in current use should be accessible in labeled file cabinets on site or through an electronic data management system.
- Historical records should be securely boxed and clearly labeled.
- A current inventory sheet should contain a description of the item, why it is being retained, where it can be found, how long it should be retained, and the format of the item (e.g. electronic, hard copy).
- File cabinets containing financial and confidential records should be appropriately secured.
As previously stated, each applicable department is responsible for establishing appropriate records management procedures and practices in accordance with this Policy.
Documents and financial files that are essential to keeping the University operating in an emergency should be duplicated and backed up regularly and maintained off site. Additional information on back-ups can be found at Information Technology Service's guideline for Data Back Up.
Disposal and Destruction of Records
Employees will dispose of all records following the expiration of the applicable retention period in accordance with this Policy, unless the Records Management Officer determines that a record must be retained for a longer period to comply with legal or other requirements or to serve a reasonable business purpose.
When it is deemed appropriate to dispose of any records in accordance with this Policy, they can be destroyed in the following manner:
- Recycle non-confidential paper records;
- Shred or otherwise render unreadable confidential paper records; or
- Erase or destroy electronically stored data - see further guidance below.
Disposal of Electronic Records
These guidelines are designed to ensure the proper disposal of all information on electronic devices or media in a manner that prevents inadvertent loss or disclosure. Steps should be taken to ensure that information is not recoverable by conventional methods. Proper disposal of information and licensed software on electronic devices and media is also governed by other policies and applicable law. In addition, proprietary information may also be subject to the terms of sponsored research agreements, non-disclosure agreements, or license agreements. Employees are responsible for making sure the following guidelines are followed and should contact the Records Management Officer or Information Technology Services for further assistance.
- The information on any computer hard drive, cell phone, PDA, or other electronic device must be erased and not recoverable before the equipment is reassigned.
- Outdated or broken computer equipment or other electronic devices cannot be discarded in dumpsters or regular trash containers.
- Electronic equipment can be disposed of by emailing firstname.lastname@example.org to arrange pickup by the University's contracted disposal vendor so that information contained within the equipment will be rendered unreadable.
Note: Employees should review electronic records and emails maintained in University systems or equipment periodically to ensure that records are appropriately destroyed after meeting the applicable retention period.
If you have questions about your responsibilities, please contact the Records Management Officer at 202-651-5299 or email@example.com.
The Records Management Officer will promptly communicate to employees any decision to suspend or extend an applicable retention period for the University's records (see Section titled "Suspension of Destruction of Records" below).
Suspension of Destruction of Records
In the event of litigation or anticipated litigation, or a claim, audit, agency charge, program review, investigation or enforcement action, the Records Management Officer will suspend any scheduled disposal of relevant documents and promptly notify employees of such suspension.
Employees who become aware of a pending or threatened action against the University will promptly notify the Records Management Officer so that the University can ensure the preservation of all relevant records. In the event of such action, the definition of the term "record" may be expanded to include even transitory documents that refer or relate in some way to such action, and employees may be asked to preserve such records.
This Section supersedes the timing of records destruction pursuant to the Retention Schedule at Appendix A. Upon conclusion of the matter, the applicability of the Retention Schedule will resume, but only upon notification to employees by the Records Management Officer.
Failure on the part of employees to follow this Policy can result in possible civil and criminal sanctions against the University and its employees and possible disciplinary action against responsible individuals. The Records Retention Manager will periodically review these procedures with legal counsel or other applicable parties to ensure that they are in compliance with new or revised regulations.