Page 1: To Keep or Not to Keep: The Legalities of Record Retention

To Keep or Not to Keep: The Legalities of Record Retention

Mastering the Maze 2008

Joint presentation by: Tom Mercurio, General Counsel and

Erica Heffner, Institutional Compliance

Page 2

Overview

• Importance of Records Management

• What is a “Record”

• Review of Policy and Records Schedule

• Sources of Rules about Preservation and Destruction

• Duty to Destroy and how to do it right

• Special Topics

Page 3

Why is Records Management Important?

• Records are an information asset and hold value for an organization

• Organizations have a duty to stakeholders to manage records effectively

• Organizations must comply with regulatory retention requirements

Page 4

Who is responsible for managing records and information?

• Each employee has an important role to play in protecting the University by creating, using, retrieving and disposing of records in accordance with University policy.

• Each employee should be familiar with the policy and know how to access the schedule

Page 5

What are records?

• Records are the evidence of what an organization does. They capture business activities and transactions, correspondence, and personnel files.

• Records come in many formats, including paper, e-mail, databases, and web content, and can reside on PDAs, flash drives, desktops, and servers.

Page 6

What are records?

• Records are things that (1) exist longer than it takes to create them, and (2) can be preserved and revisited later.

• Choices we make (consciously or not): to create a record; to preserve it; to destroy it

• All records are “public” records; not all records are “official” or need to be preserved.

Page 7

Policy Definition - Records

• Records: means any and all written or recorded matter produced or acquired in the course of University business, including without limitation all papers, documents, e-mail messages, machine-readable materials, and any other written or recorded matters, regardless of their physical form or characteristics.

Page 8

Sources of Rules About Preservation and Destruction

• Rules imposed upon us by law or other authority

• Rules we fashion and impose on ourselves (and must obey!)

Page 9

UVM Policy Statement
http://www.uvm.edu/~uvmppg/ppg/general_html/recordretention.pdf

Threefold policy statement (Create and maintain, Protect, Destroy):

• To preserve the integrity (maintain) of documents created or maintained in the course of institutional business,

• To secure sensitive information contained in University records, and

• To ensure that records that are no longer needed or have no value are discarded at the appropriate time.

Page 10

Maintenance and Preservation of Records

• The Records Retention Schedules sets forth retention periods for University records (http://www.uvm.edu/~complian/record_retention/uvmretentionschedule.pdf)

• Periods are based on federal or state regulatory requirements, professional association guidance and management needs

• The schedule is updated as requirements change; refer to the posted schedule for the most current version

Page 11

Common Departmental Retention Requirements

The following records are common to most departments:

• Employment files not in Human Resources

• Timesheets and supporting documentation

• Employment applications and interview notes

• Contracts

• Journal Entry Support

• Interdepartmental billing records

• Budget Change Orders Support Detail (if not entered into PeopleSoft)

• Sponsored research data

Page 12

Duty to Secure Sensitive Information

The policy specifically identifies personal information as:

• Personal information: means an individual’s signature, Social Security number, physical characteristics or description, passport number, driver’s license or state identification card number, insurance policy number, bank account number, credit card number, debit card number, or any other financial information.

Page 13

Duty to Secure (cont.)

• Records containing personal information should be secured to prevent unauthorized disclosure.

• Accidental public disclosure of personal information requires reporting and disclosure in accordance with the provisions of VT Act 162.

• Social Security numbers, in particular, should no longer be used as a unique identifier for employees or students. The PeopleSoft and Banner systems have unique identifiers (student or employee ID numbers) that should always be used when a unique identifier is required. SSNs should be used only where required (usually by federal agencies) or for credit applications.

Page 14

Duty to Destroy - Record Disposal

• When records have reached the end of their retention period they should be discarded or destroyed.

• Any records containing personal information should be destroyed by shredding, erasing, or otherwise modifying the personal information to make it unreadable or indecipherable.

Page 15

Legal Reference - Document Destruction

• VT Act 162 Document Safe Destruction Act (Effective January 1, 2007) An organization shall take all reasonable steps to destroy or arrange destruction of a customer’s records when those records contain personal information which is no longer to be retained by the business.

Page 16

Record Disposal- Resources

• Procurement has arranged a pricing agreement with SecurShred for favorable rates on paper and tape destruction.

SecurShred
Phone: (802) 863-3003
Contact: David Van Mullen
http://www.securshred.com/

• Special consideration should be given when disposing of computers or other types of “Techno Trash” that may hold data (including personal information): CDs, floppy disks, Zip disks, thumb drives, PDAs, etc. These items should be erased of all data before disposal (simply deleting files or reformatting does not remove the data; follow the erasure directions linked below) and then disposed of properly through University recycling. Disposal resources include:

Disposal of Surplus Computers (directions for erasing hard drives)
• https://www.uvm.edu/ets/security/erase/

Techno Trash Recycling at UVM
• http://www.uvm.edu/%7Erecycle/?Page=Guide/technotrash.html

Page 17

Special Topics

• VT Act 162

• UVM’s Social Security Number Policy

• Security Breaches

• “Litigation Holds”

• Public Records Act Requests

• Confidentiality: FERPA, HIPAA

Page 18

Special Topics
VT Act 162 Protection of Personal Information

State law passed in 2006 with effective dates in 2007, containing three major provisions:

• Security Breach Notification - notifications required when personal information is compromised

• Prohibitions on uses of Social Security Numbers

• Document Safe Destruction Act - addressed in the Records Retention Policy

Page 19

UVM’s SSN Policy (under review)

• The University must collect social security numbers of students and employees to fulfill its responsibilities under federal and state law.

• The University must comply with federal and state laws that govern the confidentiality of SSNs and the destruction of records containing those numbers

• The policy includes the Act 162 prohibitions on the uses of SSNs, including:

– Intentionally communicating or making an SSN available to the public

– Intentionally printing an SSN on any card required for access to services

– Requiring an individual to transmit an SSN over the Internet unless the connection is secure

– Printing an SSN on any materials that are mailed to an individual unless required by law

– Selling, leasing, lending, trading, or otherwise disclosing an individual’s SSN to a third party without consent

Page 20

Security Breach Notification Requirements

• Notification required of a security breach of personal data

• Personal Data - includes a person’s first name or first initial and last name in combination with an SSN, driver’s license number, account number, credit card number, or account password or PIN.

• UVM’s security breach website: https://www.uvm.edu/ets/security/?Page=breach.html

Page 21

Litigation Holds

• When NOT to destroy:

1. Pending or anticipated litigation

2. External investigation

3. Internal audit or investigation

4. Pending request to see a record

Page 23

FERPA/HIPAA

• FERPA Rights Disclosure Policy

• http://www.uvm.edu/~uvmppg/ppg/student/ferpa.pdf

• Addresses students’ rights of access to their education records

• Students have a legal expectation that their education records are kept confidential; this does not, however, prevent communicating student information to UVM faculty and staff with a legitimate need to know.

HIPAA

• UVM is a hybrid entity; only its covered components are subject to HIPAA privacy requirements

• http://www.uvm.edu/~complian/compliance/?Page=HIPAA_UVM.html

Page 24

Points to Remember

• Respect and secure Personal Information

• Respect privacy of student records

• Know when NOT to destroy records

• Know when and how to properly destroy official records

• Use discretion with all other records

Page 25

Wrap-up

• Questions?

• Resources:

– Tom Mercurio - General Counsel Office, ph: 656-8585

– Erica Heffner - Institutional Compliance, ph: 656-1398