To Keep or Not to Keep: The Legalities of Record Retention. Mastering the Maze 2008 Joint presentation by: Tom Mercurio, General Counsel and Erica Heffner, Institutional Compliance. Overview. Importance of Records Management What is a “Record”


To Keep or Not to Keep: The Legalities of Record Retention

Mastering the Maze 2008

Joint presentation by: Tom Mercurio, General Counsel and Erica Heffner, Institutional Compliance


Overview

  • Importance of Records Management
  • What is a “Record”
  • Review of Policy and Records Schedule
  • Sources of Rules about Preservation and Destruction
  • Duty to Destroy and how to do it right
  • Special Topics

Why is Records Management Important?
  • Records are an information asset and hold value for an organization
  • Organizations have a duty to stakeholders to manage records effectively
  • Organizations must comply with regulatory retention requirements
Who is responsible for managing records and information?
  • Each employee has an important role to play in protecting the University by creating, using, retrieving and disposing of records in accordance with University policy.
  • Each employee should be familiar with the policy and know how to access the schedule
What are records?
  • Records are the evidence of what an organization does. They capture business activities and transactions, correspondence, and personnel files.
  • Records come in many formats, including paper, e-mail, databases, and web content, and can reside on PDAs, flash drives, desktops, and servers.
What are records?
  • Records are things that (1) exist longer than it takes to create them, and (2) can be preserved and revisited later.
  • Choices we make (consciously or not): to create a record; to preserve it; to destroy it
  • All records are “public” records; not all records are “official” or need to be preserved.
Policy Definition - Records
  • Records: means any and all written or recorded matter produced or acquired in the course of University business, including without limitation all papers, documents, e-mail messages, machine-readable materials, and any other written or recorded matters, regardless of their physical form or characteristics.
Sources of Rules About Preservation and Destruction
  • Rules imposed upon us by law or other authority
  • Rules we fashion and impose on ourselves (and must obey!)
UVM Policy Statement (http://www.uvm.edu/~uvmppg/ppg/general_html/recordretention.pdf)

Threefold policy statement (Create and maintain, Protect, Destroy):

  • To preserve the integrity (maintain) of documents created or maintained in the course of institutional business,
  • To secure sensitive information contained in University records, and
  • To ensure that records that are no longer needed or have no value are discarded at the appropriate time.
Maintenance and Preservation of Records
  • The Records Retention Schedule sets forth retention periods for University records (http://www.uvm.edu/~complian/record_retention/uvmretentionschedule.pdf)
  • Periods are based on federal or state regulatory requirements, professional association guidance and management needs
  • The schedule is updated as requirements change; refer to the posted schedule for the most current version
Common Departmental Retention Requirements

The following records are common to most departments:

  • Employment files not in Human Resources
  • Timesheets and supporting documentation
  • Employment applications and interview notes
  • Contracts
  • Journal Entry Support
  • Interdepartmental billing records
  • Budget Change Orders Support Detail (if not entered into PeopleSoft)
  • Sponsored research data
Duty to Secure Sensitive Information

The policy specifically identifies personal information as:

  • Personal information: means an individual’s signature, Social Security number, physical characteristics or description, passport number, driver’s license or state identification card number, insurance policy number, bank account number, credit card number, debit card number, or any other financial information.
Duty to Secure (cont.)
  • Records containing personal information should be secured to prevent unauthorized disclosure.
  • Accidental public disclosure of personal information requires reporting and disclosure in accordance with VT Act 162 provisions.
  • Social Security numbers, in particular, should no longer be used as a unique identifier for employees or students. PeopleSoft and Banner systems have unique identifiers (student or employee ID numbers) that should always be used when a unique identifier is required. SSNs should be used only in those instances when required (usually by Federal agencies) or for credit application.
Duty to Destroy - Record Disposal
  • When records have reached the end of their retention period they should be discarded or destroyed.
  • Any records containing personal information should be destroyed by shredding, erasing, or otherwise modifying the personal information to make it unreadable or indecipherable.
Legal Reference - Document Destruction
  • VT Act 162, Document Safe Destruction Act (effective January 1, 2007): An organization shall take all reasonable steps to destroy or arrange destruction of a customer’s records when those records contain personal information which is no longer to be retained by the business.
Record Disposal - Resources
  • Procurement has arranged a pricing agreement with SecurShred for favorable rates on paper and tape destruction.

SecurShred

(802)863-3003 phone

Contact: David Van Mullen

http://www.securshred.com/

  • Special consideration should be given when disposing of computers or other types of “Techno Trash” that may hold data (including personal information): CDs, floppy drives, zip drives, thumb drives, PDAs, etc. These items should be erased of any data before disposal and then disposed of properly through University recycling. Disposal resources include:
    • Disposal of Surplus Computers (directions for erasing hard drives)
      • https://www.uvm.edu/ets/security/erase/
    • Techno Trash Recycling at UVM
      • http://www.uvm.edu/%7Erecycle/?Page=Guide/technotrash.html
Special Topics
  • VT Act 162
  • UVM’s Social Security Number Policy
  • Security Breaches
  • “Litigation Holds”
  • Public Records Act Requests
  • Confidentiality: FERPA, HIPAA
Special Topics - VT Act 162 Protection of Personal Information

State law passed in 2006 with effective dates in 2007, containing three major provisions:

  • Security Breach Notification - notifications required when personal information is compromised
  • Prohibitions on uses of Social Security Numbers
  • Document Safe Destruction Act - addressed in Records Retention Policy
UVM’s SSN Policy (under review)
  • The University must collect Social Security numbers of students and employees to fulfill its responsibilities under federal and state law.
  • The University must comply with federal and state laws that govern confidentiality of SSNs and the destruction of records containing those numbers.
  • The policy includes Act 162 prohibitions on the uses of SSNs, including:
    • Intentionally communicating or making a SSN available to the public
    • Intentionally printing a SSN on any card required for access to services
    • Requiring an individual to transmit a SSN over the internet unless the internet connection is secure
    • Printing a SSN on any materials that are mailed to an individual unless required by law
    • Selling, leasing, lending, trading or otherwise disclosing an individual’s SSN to a third party without consent.
Security Breach Notification Requirements
  • Notification required of a security breach of personal data
  • Personal Data - includes a person’s first name or initial and last name, in combination with SSN, driver’s license number, account number, credit card number, account password or PIN.
  • UVM’s security breach website: https://www.uvm.edu/ets/security/?Page=breach.html

Litigation Holds

When NOT to destroy:

  • Pending or anticipated litigation
  • External investigation
  • Internal audit or investigation
  • Pending request to see a record

Public Records Request
  • Records and Documents Request Policy (http://www.uvm.edu/~uvmppg/ppg/general_html/record_request.pdf)
FERPA/HIPAA
  • FERPA Rights Disclosure Policy (http://www.uvm.edu/~uvmppg/ppg/student/ferpa.pdf)
    • Addresses students’ rights to access their educational records
    • Students have a legal expectation that their education records will be kept confidential; however, this does not prevent communicating student information to UVM faculty and staff on a legitimate need-to-know basis.
  • HIPAA
    • UVM is a hybrid entity; only its covered components are subject to HIPAA privacy requirements (http://www.uvm.edu/~complian/compliance/?Page=HIPAA_UVM.html)
Points to Remember
  • Respect and secure Personal Information
  • Respect privacy of student records
  • Know when NOT to destroy records
  • Know when and how to properly destroy official records
  • Use discretion with all other records
Wrap-up
  • Questions?
  • Resources:
    • Tom Mercurio - General Counsel Office ph: 656-8585
    • Erica Heffner - Institutional Compliance ph: 656-1398