Presentation on theme: "Electronic Records Management: What Management Needs to Know May 2009."— Presentation transcript:
Electronic Records Management: What Management Needs to Know May 2009
Who would handle this scenario at your institution (and how)? Copies of e-mails between two individuals are requested for the past five years.
Who would handle this scenario at your institution (and how)? A class action lawsuit is filed against the institution for sexual harassment that goes back a number of years and impacts several departments. Add this to the scenario: During e-discovery you find that two departments involved in the lawsuit set their own differing retention policies for the records. One department destroyed the records; the other retained them, but they do not provide the whole story.
Who would handle this scenario at your institution (and how)? A celebration of the institution’s history is being planned and a timeline is needed of…
Who would handle this scenario at your institution (and how)? A federal investigator requests copies of student records as part of a student financial aid investigation.
Be Proactive! Thinking about these scenarios before they happen is much easier than addressing them on the fly…
What are the issues? Information is important and must be properly cared for. Faculty and staff are responsible for protecting the information that has been entrusted to them in the course of performing their jobs.
What are the issues? (continued…) Some information is sensitive or confidential and requires special care when handling. Some types of data require adherence to state/federal laws. Protocols for releasing information to others, including law enforcement agencies. Protocols when a breach occurs.
What are the issues? (continued…) Retaining records for longer than required or necessary can create unnecessary risk. Destroying records or information inappropriately may cause legal issues and may put the history and/or reputation of an institution at risk.
Getting Started: Get support. Identify a champion. Build a team. Research what others are doing. Determine legal and contractual requirements. Develop written policies and procedures. Start with the most sensitive or valuable. Train employees.
Initial Desired Outcomes or Goals: A set of written policies that set expectations for behavior; a retention/disposition schedule for your institution and/or departments; training and/or informational materials that clarify expectations & behavior.
Many Ways to Get Started – Pick one that works for your institution: Raise awareness, then build and provide tools; build and provide tools, then raise awareness; focus on the records first.
Why is this Important? (Management Drivers) Documents management decisions; provides historical references of transactions and events; enhances our organization’s operational efficiencies; demonstrates regulatory compliance; provides litigation support; reduction in cost for storage.
Why is this Important? (Legal, Statutory, Regulatory, and Contractual Requirements)

| Law or standard | Year | Sector covered | Concerns |
|---|---|---|---|
| Privacy Act | 1974 | U.S. Government | Privacy |
| Family Educational Rights and Privacy Act (FERPA) | 1974 | Education records | Privacy |
| Health Insurance Portability and Accountability Act (HIPAA) | 1996 | Protected health information | Privacy and security rules |
| Financial Modernization Act (Gramm-Leach-Bliley or GLB) | 1999 | Certain financial data | Security safeguards |
| Fair and Accurate Credit Transactions Act (FACTA) | 2003 | Credit records | Secure disposal |
| State Laws | 2002+ | Personal data (primarily SSN) | Privacy, notification, secure disposal |
| Payment Card Industry Data Security Standards (PCI-DSS) | 2005 | Credit card data | Security standards |
| Federal Rules of Civil Procedure – Electronically stored information rules | 2006 | | |
| Red Flag Regulations | 2007 | Credit records | Identity theft |
Timely Topic: The AICPA listed Electronic Data Retention Strategy as one of the top Technology initiatives for 2009. Current Issues Committee found that data administration is one of the top 10 areas of most expenditure in human or financial resources. Watch for the new study on Data Management in the Fall of 2009.
Building a Team: Provide leadership and commitment. Establish cross-functional representation: Legal Counsel, Internal Audit, Information Security, Chief Financial Officer, Student Affairs, Chief Academic Officer, Archivist or Librarian, Chief Information Officer, Human Resources. Identify other stakeholders.
Information Lifecycle… Created (or received); Managed; Used Actively; In-Active (stored); Transformed; Permanently Archived; Disposed.
Components of an Effective Records and Information Management Program: Preservation; Disposition; Disaster Prevention and Recovery; Vital Record Conversion; Retention Scheduling; Records Classification; Files & Forms Management; Records Inventory; Records & Information Management Policy & Procedures.
Data/Records Classification (how sensitive or valuable is it?) There are laws, regulations, rules, or policies (federal, state, and institutional) that require classification of data: Public; Non-public. Factors for grouping may include: record type, sensitivity, confidentiality, desired longevity, desired availability.
Records Retention & Disposition (keeping track of it & for how long!) How long should records be maintained? Federal and State Laws – In Minnesota “official records” cannot be disposed of unless on an approved record retention schedule. Minnesota Official Records Act – “all officers and agencies” at all levels of government “shall make and preserve all records necessary to a full and accurate knowledge of their activities.” How should records be disposed of? Record Retention Compliance
Key Definitions: Information - Data that has been given value through analysis, interpretation, or compilation in a meaningful form. Record - Recorded information, regardless of physical form or characteristics, which serves to document the institution, functions, policies, decisions, or other activities of the institution and its faculty, staff, and students. Electronically Stored Information (ESI) - All electronically stored information and data subject to possession, control, or custody of an institution regardless of its format and the media on which it is stored. Data Classification - The process of assigning a level of sensitivity to data as it is being created, amended, enhanced, stored, or transmitted. Records Retention and Disposition Schedules - An approved listing of records held by an organization. It includes retention and destruction requirements. Electronic Records Management - The process by which an organization creates, classifies, controls, and authorizes access to electronic records.