Policy Title: Records Retention
Category: Administration
Owner: Provost/Executive Vice President
Policy ID#: 2.08.00
Contact: Provost/Executive Vice President
Web: http://www.csupueblo.edu/provost
Email: provostoffice@csupueblo.edu
Phone: 719-549-2313
Effective Date: 10/11/2023
Supersedes Policy ID#: 02-14-00
POLICY PURPOSE:
The purpose of this policy is to provide clarity, consistency, and guidance to the institution for retention of CSU Pueblo’s records, including retention periods, digitization, and disposition of such records.
POLICY APPLIES TO (Persons affected by):
All persons creating, holding or using Records at the University.
DEFINITIONS:
- Email System: The hardware, software and network used to provide a uniform email address, email functionality and efficiency to CSU Pueblo users, primarily for use to carry out the business of the institution.
- Litigation Hold: An indefinite period during which all Records that are related to any pending or reasonably expected audit, inspection, governmental investigation, claim, lawsuit, or other official process must be retained, and not be modified, deleted or disclosed except upon the direction of the General Counsel.
- Personally Identifiable Information (PII): Information that, if disclosed alone or in combination with other available information, would make it possible to identify an individual to whom the information pertains. This includes items such as a name; social security number; personal identification number; password; official government-issued driver's license or identification card number; passport number; biometric data, such as that defined in Colorado Revised Statutes (C.R.S.) § 24-73-103(1)(a); employer, student, or military identification number; financial transaction device as defined in C.R.S. § 18-5-701(3); financial/account information; University ID photo; class and work schedules; residency status; and age, birth date and place of birth.
- Record or University Record: Any file, document, recorded sound, or image made, produced, executed, or received in connection with the transactions and official activities of the University or executed in the conduct of university business. Examples include documents, books, paper, electronic records, photographs, videos, sound recordings, databases, and other data compilations that are used for multiple purposes, or other material, regardless of physical form or characteristics. Types of Records include:
  - Active Record: A Record that is currently serving a business or educational purpose.
  - Archival Record: A Record that has permanent or historic value, is Inactive, and is not required to be maintained in the office in which it originated or was received. Archival Records are maintained by University Archives and Special Collections in the CSU Pueblo Library.
  - De-Identified Record: De-Identified Records are those from which Personally Identifiable Information has been permanently and irretrievably removed. Data that is de-identified is usually “rolled up” or aggregated for business or reporting purposes.
  - Electronic Record: A Record kept in a digital format. These include, but are not limited to, word processor documents, spreadsheets, databases, HTML documents, scanned or imaged documents, audio and video recordings, and any other type of file (except program files and executable files) held on an electronic storage medium (portable drive, hard drive or server) or cloud storage service.
  - Inactive Record: A Record that (i) is not an Active Record, but still must be retained pursuant to the Records Retention Schedule, law, rule, or policy; or (ii) is no longer required to be retained but has not yet been destroyed.
- Records Custodian: An individual assigned responsibility for management or maintenance of University Records for a division, department, or other unit. The provost is the Records Custodian for all University Records.
- Records Retention Schedule: A categorical listing of proper Retention Periods for Records. CSU Pueblo follows the State of Colorado, Department of Personnel and Administration, State Archives Records Management Manual, Schedule 8 (Higher Education) as its Records Retention Schedule.
- Retention Period: The length of time a record needs to be maintained to satisfy the purposes for which it was created and to fulfill the legal, fiscal, and administrative requirements of the University and external agencies. The Retention Periods for specific Records are defined in the Records Retention Schedule. All Retention Periods are based on the fiscal year, from July 1 through June 30, and are in addition to the current year. For example, a three-year Retention Period means a document created this year should be kept until June 30th and then three additional years.
- Sensitive Information: Data that is not publicly available and contains PII that, through unauthorized disclosure, may adversely affect an individual and/or the University. Examples include social security numbers, health information, financial information including credit card numbers, personnel and student performance information, proprietary research and academic information, student and staff ID photos, and personal location information including IP address.
- System of Record: An information storage and retrieval system that is the authoritative source for a particular data element.
POLICY STATEMENT:
- All University departments and offices maintain University Records in physical format such as paper and photographs, and in digital format using the University’s systems, software and databases. The University is committed to the proper retention, storage, security, retrieval, and disposal of such Records to meet legal requirements, optimize use of space, minimize cost, and secure university data.
- All University Records are the property of the University, even when they are in the possession of individuals, including those who work remotely, and must not be permanently removed from their appropriate location at the University nor destroyed other than as provided in this policy. University Records are to be used for official university business purposes, and not for personal use. Records that are used by individuals working from a remote location must be returned to the proper office at the University when the remote work ends.
- Unless otherwise specified in an applicable law, regulation, policy, or procedure, all Records shall be retained in accordance with the applicable Records Retention Schedule, regardless of their format.
- Records related to federally sponsored programs shall be retained for a period of six years from the date of submission of the final financial report or until all existing audit questions have been resolved, whichever is later.
- For Records that are not addressed in the Records Retention Schedule, or for assistance with Retention Periods, please contact the Office of the General Counsel.
- University Records should be retained only so long as they are valid and useful for legitimate university business purposes, or as specified in the applicable Records Retention Schedule (whichever is longer). Inactive Records should not occupy office, storage, or computer space. Those responsible for Records must dispose of them in accordance with this policy when the specified Retention Period has expired.
- Archival Records should be transferred to University Archives and Special Collections and no longer retained in the originating department after the Retention Period has expired.
- Important rule regarding Records related to pending audit, inspection, or litigation (Litigation Hold): Records whose Retention Period has expired must nevertheless be retained if related to any pending or reasonably expected audit, inspection, governmental investigation, claim, lawsuit, or other official process. Failure to hold and preserve Records under such circumstances is a serious matter that may expose a person to discipline and/or civil or criminal liability. Any Record that is the subject of litigation or a known claim shall be retained, regardless of the expiration of its Retention Period, until disposition of the Record has been approved by the Office of the General Counsel. For further guidance and instructions on retention and disposition of such Records, contact the Office of the General Counsel.
- Records in physical format that contain Sensitive Information or PII must be protected. Reasonable measures must be taken to prevent unauthorized access to these Records. Such methods may include locked file cabinets, locked office doors, and other security systems provided by the University.
- Electronic Records should be stored on secure university servers and devices that are password-protected in accordance with CSU Pueblo information technology security policies and procedures. All Records with Sensitive Information must not be stored on portable media (such as CDs and portable drives). If a Record is stored in a System of Record, it should not also be stored locally, with exceptions for credit card transaction records and Procurement Card records as reasonably required by approved business practices.
- Email Monitoring and Retention:
  - Monitoring of Email System: CSU Pueblo at all times has the right to monitor and read all emails generated, sent or received by the Email System, for the official business and legal purposes of the institution including, but not limited to, audits, investigations, and legal matters. Only persons authorized by the Vice President of Information Technology or the General Counsel shall monitor or read emails that are not generated by, sent to or received by such persons. Due care shall be taken to maintain confidentiality of messages monitored or read according to this section, except as required by law, audit, investigation, or other such circumstances.
  - Public Records: All employees of CSU Pueblo are advised that emails generated, sent or received in the Email System may be public records subject to disclosure under C.R.S. § 24-72-203.
  - Retention of Emails: Emails generated, sent or received in the Email System shall be deleted by the User when they are no longer necessary for the business purposes of the institution. Deleted items shall be permanently deleted after 30 days. This section shall not apply to email messages that are subject to a Litigation Hold.
- Any breach of security exposing physical or Electronic Records to unauthorized release must be reported immediately to the Office of the General Counsel.
- Digitization of Records
  - Most physical Records can be converted to an electronic format for purposes of storage, access, and subsequent destruction. With some exceptions, once digitized, a physical Record no longer needs to be retained, and should be destroyed in accordance with this policy, after assuring that the digitized Records are complete and there is no longer a need for the physical Record. Exceptions include:
    - Original real property Records, contract documents and other Records that, in the judgment of the Office of the General Counsel, should be retained in their original form.
    - To comply with Federal Acquisition Regulation 4.703(c)(3), which states, "the contractor or subcontractor retains the original Records for a minimum of one year after imaging to permit periodic validation of the imaging systems," original Records related to federal contracts are stored for one year after digitizing.
  - Digitizing a Record does not alter its Retention Period. Just like paper Records, Electronic Records must be disposed of in accordance with this policy when their Retention Period has expired. Once digitized, the Record becomes subject to the University’s information technology security policies and procedures.
  - To assure that Records are properly digitized, and before disposing of the paper records, the responsible department should develop a plan to assure that digitization was accurate and complete, and in the appropriate format. Portable Document Format (PDF) is a file format intended to be suitable for long-term preservation of page-oriented documents and is the default format for all Inactive Records.
- Disposition of Records
  - Records disposition is the final phase in a Record's lifecycle. It normally involves destruction, but, in some cases, the disposition may be to transfer the Record to University Archives and Special Collections or to another state or federal agency. Known requirements are listed in the Records Retention Schedule.
  - All University departments and offices are strongly encouraged to conduct an audit of their Records at least annually to determine whether any such Records have reached the end of their Retention Period and should be disposed of in accordance with this policy.
  - Records should be destroyed promptly after the end of their Retention Period unless there is a continuing legitimate business need to retain them as established by the Records Custodian.
  - The approved method of destroying physical Records is by shredding to the current security standard for Sensitive Information, rendering the Records permanently irretrievable and illegible.
  - Electronic Records must be permanently erased so that they cannot be recovered by any means or device. Simply deleting them is not enough, as data often can be recovered after deletion using specialized tools and techniques. Portable physical media, such as CD-ROM disks, tapes, optical disks, memory sticks, memory cards, etc., should not be used for records containing Sensitive Information or PII, but, when they exist, they must be transferred to the Information Technology Department for proper disposal in accordance with applicable IT security policies and procedures. This includes computer hard drives (including servers) being removed from service at the University. Such items should never be transferred to another entity nor permitted to be converted to personal use. Units utilizing cloud-based storage must first have a security review and approval from University Information Technology, and then work with the vendor to arrange for data to be purged after the expiration of the Retention Period. The responsible department must receive documentation that destruction is complete.
- Requests for Records:
  The University is a public entity governed by the Colorado Public (Open) Records Act (CORA), C.R.S. Title 24, Article 72. As such, most University Records are subject to disclosure when the requirements of the statute for requesting records are met. However, various provisions of Article 72 protect some Records from disclosure. In order to assure that all Records requests are handled appropriately, and within the very short time limits for disclosure, all University departments and employees must:
  a. Immediately upon receiving a request for Records from any person or entity external to the University, forward the request to the Office of the General Counsel.
  b. Determine whether the Records described in the request exist, and, if so, in what format.
  c. Not destroy or alter such records until the request has been handled (although normal business activities that add to or change the Records may continue).
  d. Not respond to the request for disclosure of the Records before consulting with the Office of the General Counsel.
RELATED LAWS, POLICIES & PROCEDURES:
State of Colorado, Department of Personnel and Administration, State Archives Records Management Manual, Schedule 8 (Higher Education)