Data Retention

I. Background

Records Management is a joint responsibility of the record creator and users.  All University employees who handle University records are responsible for knowing and following all laws, University policies, guidelines/standards and campus procedures that govern these records.

Staff and Faculty rely heavily on the records generated as a result of the business and operation of the University of Saint Francis (the University).  These records document ideas and activities, help the university better serve its mission, assist management in its decision making and act as an archive of the history of the university and its partners.  Records, like any vital resource, also have an intangible monetary value.  Because of the tangible and intangible value of university records, it is critical that they be part of a comprehensive records management program that ensures all university records are properly and securely managed, stored, retained and, in some cases, destroyed.

A university data retention/destruction policy serves other purposes as well.  It improves efficiency, facilitates administrative access to inactive as well as active records, ensures the consistent maintenance of records, decreases operation costs, increases staff productivity, and assists the university in meeting legal and regulatory standards.  Obsolete records impede access to current records, pose a possible legal liability, and waste valuable space.

II. Purpose

It is the official policy of the University of Saint Francis to completely comply with all Federal, State and local laws in regard to data retention and destruction.  The purpose of this policy is to provide specific guidance as to what types of records (hard copy, digital copy, and email) are maintained by the University, the length of time that the records can and should be retained, how the records are to be handled/protected, and how the records are to be destroyed once the University is no longer required and/or needs to maintain the data.

This policy will also set forth guidelines for storage of protected data using off site facilities and service providers.

In the event that conflicting retention requirements are uncovered for a specific record, the longest requirement shall prevail.

For additional information regarding Data Retention and Data Destruction contact the Director of Technology Security and Compliance.

III. Data Classification

Data owned, created, used, or maintained by the University will be classified into one of the three following categories:

Public – Public data is information that may or must be open to the general public.  It is defined as information with no existing local, national, or international legal restrictions on access or usage.

Internal Use Only – Internal Use Only data is information that must be guarded due to proprietary, ethical or privacy considerations, and must be protected from unauthorized access, modification, transmission, storage, or other use.  This classification applies even though there may not be a civil statute requiring this protection.  Internal Use Only data is information that is restricted to members of the University community who have a legitimate purpose for accessing such data.

Confidential – Confidential data is information protected by statutes, regulations, University policies or contractual language.  Vice Presidents may also designate data as confidential.  Confidential data may be disclosed to individuals on a need-to-know basis only.  Disclosure to parties outside of the University should be authorized by executive management such as a Vice President, Provost, University Attorney or University President.

Please refer to the University of Saint Francis Data Classification Policy for more information.

IV. Responsibility

The University of Saint Francis has invested in an Electronic Content Management System (ECM).  The ECM system, ImageNow, will be able to retain many of the types of documents covered within this policy.  University Technology Services will configure the ECM system to retain all applicable documents in accordance with this policy.  However, it is important that all university departments and/or schools understand that they are ultimately responsible for the proper storage, handling, and destruction of the data related to their departments and/or schools that is not stored within the ECM system.

It is also the responsibility of all departments and/or schools to notify University Technology Services when any of their data retention requirements change via law, regulation or policy.

It is the responsibility of all Department Directors and Chairs to ensure that all employees in their respective departments are aware of the types of data, disclosure requirements, storage requirements, retention requirements and destruction requirements for all the types of data that their departments maintain.

Any record that is relevant to pending or anticipated litigation, or that pertains to a claim, audit, agency charge, investigation or enforcement actions, shall be retained at least until final resolution of the action.  In the event of litigation, or anticipated or threatened litigation, the affected department will notify the Director of Technology Security and Compliance and any and all relevant departments.  The Director of Technology Security and Compliance will ensure that all pertinent records are retained and work with counsel to provide any and all relevant and requested information. 

V. Accounting Records

Definition – Manual or computerized records of assets and liabilities, monetary transactions, and various journals, ledgers, and supporting documents (such as agreements, checks, invoices, vouchers), which an organization is required to keep for a certain number of years.

Disclosure Guidelines – Accounting records are classified as “INTERNAL USE ONLY” or “CONFIDENTIAL” and therefore disclosure must be in accordance with the Data Classification Policy.  Accounting records: (1) must not be disclosed to parties without explicit authorization from management; (2) may only be disclosed to employees with a direct job function requiring access; (3) should be disclosed to parties outside the University only with the authorization of executive management such as a Vice President, Provost, University Attorney, or University President; and (4) must not be posted on a public website.

When sending accounting records via fax, the data must be sent only to a location that has been verified secure.  

Accounting records should not be sent via electronic methods unless the electronic method utilizes strong encryption methods. 

Consult the Data Classification Policy for further information.

Storage Requirements – When stored in electronic format, accounting records must be protected with strong passwords and stored on servers that are physically protected in a UTS accessible space in order to protect against loss, theft, unauthorized access, and unauthorized disclosure. 

When stored in hard-copy format, data must be stored in a locked drawer, room or area where access is controlled by strict physical access control measures to prevent unauthorized access.

Electronic Mail – The Barracuda Email Archiver will journal all Exchange emails every 30 seconds.  After the Exchange Server has maintained a copy of an email for 12 months from the time that it was sent or received, the email will automatically be deleted from the Exchange Server, and from that point the only record of the email will be the copy retained on the Barracuda Email Archiver.  The Barracuda Email Archiver will maintain a copy of all emails for a period of 3 years from the date that the email was either sent or received.

In the event that an individual or department is required to maintain a copy of an email or emails for a period of time exceeding 3 years, it will be the responsibility of that individual or department either to make an electronic copy of the email that does not reside on the Barracuda Email Archiver or to print a hard copy of the email for their records.

Retention – All accounting records, whether they are maintained in an electronic or hard copy format, will be maintained for a minimum of three years.  There are some accounting records that are required to be maintained for periods exceeding three years.   

Unless otherwise noted, accounting records will be maintained for their required period of time starting November 15th of the fiscal year following the one in which they were acquired and/or created.

Please refer to the Data Retention Appendix in this policy to determine the exact length of time that various types of accounting records are required to be retained by the university.

VI. Corporate Records

Definition – Corporate records are those records that a corporation is required to keep to show that it is functioning according to the rules of the Internal Revenue Service.  Corporate records are usually kept in a corporate record book that includes all the required documents; they can also be kept online or in a file cabinet.  Such records must be maintained carefully to ensure limited liability for the institution.  The records must include a copy of the articles of incorporation, the By-Laws, and the minutes of all Board of Trustee meetings.

Disclosure Guidelines – Depending on the type of data contained in a corporate record, corporate records are classified as either “INTERNAL USE ONLY” or “CONFIDENTIAL” and therefore disclosure must be made in accordance with the Data Classification Policy.  Corporate records, at a minimum: (1) must not be disclosed to parties without explicit authorization from management; and (2) must not be posted on a public website.

Consult the Data Classification Policy for further information.

Storage Requirements – Storage requirements for corporate records will vary depending on the classification of the record(s).  Consult the Data Classification Policy for exact storage requirements.

At a minimum, corporate records, when stored in electronic format, should be protected with strong passwords to prevent access from outside the university. 

At a minimum, corporate records, when stored in hard-copy format, must be stored in a secure area where access by those outside the university is limited. 

Electronic Mail – The Barracuda Email Archiver will journal all Exchange emails every 30 seconds.  After the Exchange Server has maintained a copy of an email for 12 months from the time that it was sent or received, the email will automatically be deleted from the Exchange Server, and from that point the only record of the email will be the copy retained on the Barracuda Email Archiver.  The Barracuda Email Archiver will maintain a copy of all emails for a period of 3 years from the date that the email was either sent or received.

In the event that an individual or department is required to maintain a copy of an email or emails for a period of time exceeding 3 years, it will be the responsibility of that individual or department either to make an electronic copy of the email that does not reside on the Barracuda Email Archiver or to print a hard copy of the email for their records.

Retention – All corporate records, whether they are maintained in an electronic or hard copy format, will be maintained for a minimum of six years.  There are some corporate records that are required to be maintained for periods exceeding six years and up to an indefinite period of time.  

Unless otherwise noted, corporate records will be maintained for their required period of time starting at the beginning of the fiscal year following the one in which they were acquired and/or created.

Please refer to the Data Retention Appendix in this policy to determine the exact length of time that various types of corporate records are required to be retained by the university. 

VII. Insurance Records

Definition – Any record kept by an employer that is used to obtain and/or provide insurance for the institution and its employees.  Examples of insurance records include, but are not limited to, any accident report (that could be or has been used for insurance purposes), any record of claims, any insurance inspections and/or walk-throughs, insurance policies, OSHA Forms, and group disability records.

Disclosure Guidelines – Insurance records are classified as “CONFIDENTIAL” and therefore disclosure must be in accordance with the Data Classification Policy.  Insurance records: (1) must not be disclosed to parties without explicit authorization from management; (2) may only be disclosed to employees with a direct job function requiring access; (3) should be disclosed to parties outside the University only with the authorization of executive management such as a Vice President, Provost, University Attorney, or University President; and (4) must not be posted on a public website.

When sending insurance records via fax, the data must be sent only to a location that has been verified secure.  

Insurance records should not be sent via electronic methods unless the electronic method utilizes strong encryption methods. 

Consult the Data Classification Policy for further information. 

Storage Requirements – When stored in electronic format, insurance records must be protected with strong passwords and stored on servers that are physically protected in a UTS accessible space in order to protect against loss, theft, unauthorized access, and unauthorized disclosure. 

When stored in hard-copy format, data must be stored in a locked drawer, room or area where access is controlled by strict physical access control measures to prevent unauthorized access. 

Electronic Mail – The Barracuda Email Archiver will journal all Exchange emails every 30 seconds.  After the Exchange Server has maintained a copy of an email for 12 months from the time that it was sent or received, the email will automatically be deleted from the Exchange Server, and from that point the only record of the email will be the copy retained on the Barracuda Email Archiver.  The Barracuda Email Archiver will maintain a copy of all emails for a period of 3 years from the date that the email was either sent or received.

In the event that an individual or department is required to maintain a copy of an email or emails for a period of time exceeding 3 years, it will be the responsibility of that individual or department either to make an electronic copy of the email that does not reside on the Barracuda Email Archiver or to print a hard copy of the email for their records.

Retention – All insurance records, whether they are maintained in an electronic or hard copy format, will be maintained for a minimum of three years.  There are some insurance records that are required to be maintained for periods exceeding three years and up to an indefinite period of time.  

Unless otherwise noted, insurance records will be maintained for their required period of time starting at the beginning of the fiscal year following the one in which they were acquired and/or created.

Please refer to the Data Retention Appendix in this policy to determine the exact length of time that various types of insurance records are required to be retained by the university. 

VIII. Personnel Records

Definition – Any record kept by an employer that identifies an employee, to the extent that the record is used or has been used, or may affect or be used relative to that employee’s qualifications for employment, promotion, transfer, additional compensation or disciplinary action.  Information may include:

  • Name, address, date of birth, job title and description;
  • Salary or hourly wage and any other paid compensation;
  • Starting date of employment;
  • Job application, resumes or other employee responses to an employment advertisement;
  • All employee performance evaluation documents, including evaluations, written warnings of substandard performance, documents relating to disciplinary action, list of probationary periods or waivers signed by the employee; and
  • Copies of dated termination notices.

Disclosure Guidelines – Personnel records are classified as “CONFIDENTIAL” and therefore disclosure must be in accordance with the Data Classification Policy.  Personnel records: (1) must not be disclosed to parties without explicit authorization from management; (2) may only be disclosed to employees with a direct job function requiring access; (3) should be disclosed to parties outside the University only with the authorization of executive management such as a Vice President, Provost, University Attorney, or University President; and (4) must not be posted on a public website.

When sending personnel records via fax, the data must be sent only to a location that has been verified secure.

Personnel records should not be sent via electronic methods unless the electronic method utilizes strong encryption methods.

Consult the Data Classification Policy for further information.

Storage Requirements – When stored in electronic format, personnel records must be protected with strong passwords and stored on servers that are physically protected in a UTS accessible space in order to protect against loss, theft, unauthorized access, and unauthorized disclosure.

Any medical record maintained within the personnel files must be kept in a file physically separate from the balance of the personnel file.  Any such medical record file will be maintained in a separate locked drawer, room, or area where access is limited to those with a need to know the medical information.

When stored in hard-copy format, data must be stored in a locked drawer, room or area where access is controlled by strict physical access control measures to prevent unauthorized access.

Electronic Mail – The Barracuda Email Archiver will journal all Exchange emails every 30 seconds.  After the Exchange Server has maintained a copy of an email for 12 months from the time that it was sent or received, the email will automatically be deleted from the Exchange Server, and from that point the only record of the email will be the copy retained on the Barracuda Email Archiver.  The Barracuda Email Archiver will maintain a copy of all emails for a period of 3 years from the date that the email was either sent or received.

In the event that an individual or department is required to maintain a copy of an email or emails for a period of time exceeding 3 years, it will be the responsibility of that individual or department either to make an electronic copy of the email that does not reside on the Barracuda Email Archiver or to print a hard copy of the email for their records.

Retention – All personnel records, whether they are maintained in an electronic or hard copy format, will be maintained for a minimum of three years.  There are some personnel records that are required to be maintained for periods exceeding three years and up to an indefinite period of time.  

Unless otherwise noted, all personnel records will be maintained for their required period of time starting at the time of hire and/or application.  Certain records (identified within the Appendix) will be required to be kept for a period of time after dismissal, resignation, retirement or death.

Please refer to the Data Retention Appendix in this policy to determine the exact length of time that various types of personnel records are required to be retained by the university.

IX. Student Records

Definition – Student records are defined as those records, files, documents, and other types of material which contain information directly related to students and which are maintained by the University or a party acting for the University. 

Disclosure Guidelines – Depending on the type of data contained in a student record, student records are classified as “PUBLIC”, “INTERNAL USE ONLY” or “CONFIDENTIAL” and therefore disclosure must be made in accordance with the Data Classification Policy.

Consult the Data Classification Policy for further information. 

Storage Requirements – Storage requirements will vary depending on the type of data contained in the student record, from no storage requirements to the most stringent requirements set forth in the Data Classification Policy.  Therefore, it is imperative that person(s) with access to student records be familiar with the Data Classification Policy.

Electronic Mail – The Barracuda Email Archiver will journal all Exchange emails every 30 seconds.  After the Exchange Server has maintained a copy of an email for 12 months from the time that it was sent or received, the email will automatically be deleted from the Exchange Server, and from that point the only record of the email will be the copy retained on the Barracuda Email Archiver.  The Barracuda Email Archiver will maintain a copy of all emails for a period of 3 years from the date that the email was either sent or received.

In the event that an individual or department is required to maintain a copy of an email or emails for a period of time exceeding 3 years, it will be the responsibility of that individual or department either to make an electronic copy of the email that does not reside on the Barracuda Email Archiver or to print a hard copy of the email for their records.

Retention – All student records, whether they are maintained in an electronic or hard copy format, will be maintained for a minimum of one year.  There are some student records that are required to be maintained for periods exceeding one year and up to an indefinite period of time.  

Unless otherwise noted, student records will be maintained for their required period of time starting at the beginning of the academic year following the one in which they were acquired and/or created.

Please refer to the Data Retention Appendix in this policy to determine the exact length of time that various types of student records are required to be retained by the university.

X. Non-Specified Records

Definition – Non-Specified Data is defined as any data that is not specifically covered by one of the previously defined types of data.  Due to the subjective nature of this data, it is important to use caution when defining data as non-specified.  If non-specified data is related to another type of data as defined within this policy, then it is proper to classify the data with the data to which it is related.

Disclosure Guidelines – Depending on the type of data contained in a non-specified record, non-specified records are classified as “PUBLIC”, “INTERNAL USE ONLY” or “CONFIDENTIAL” and therefore disclosure must be made in accordance with the Data Classification Policy.

Consult the Data Classification Policy for further information. 

Storage Requirements – Storage requirements will vary depending on the type of data, from no storage requirements to the most stringent requirements set forth in the Data Classification Policy.  Therefore, it is imperative that person(s) with access to data be familiar with the Data Classification Policy.

Electronic Mail – The Barracuda Email Archiver will journal all Exchange emails every 30 seconds.  After the Exchange Server has maintained a copy of an email for 12 months from the time that it was sent or received, the email will automatically be deleted from the Exchange Server, and from that point the only record of the email will be the copy retained on the Barracuda Email Archiver.  The Barracuda Email Archiver will maintain a copy of all emails for a period of 3 years from the date that the email was either sent or received.

In the event that an individual or department is required to maintain a copy of an email or emails for a period of time exceeding 3 years, it will be the responsibility of that individual or department either to make an electronic copy of the email that does not reside on the Barracuda Email Archiver or to print a hard copy of the email for their records.

Retention – All non-specified records, whether they are maintained in an electronic or hard copy format, will be maintained only for as long as the data is of use to its department or school.  It is important to purge non-specified data in order to free up university resources when the data is no longer of use or required to be maintained by the university.

XI. Off Site Storage Requirements

Most University data is stored and backed up locally by University Technology Services; however, there may be instances in which some types of data need to be stored and backed up off site.  These services can vary from remotely located services that the University uses (the “cloud” and “SaaS”) to backup and recovery services.  These types of services may not fall within the University’s ability to directly protect.  However, the University must take steps to ensure that business critical information is protected from disaster and/or unauthorized access regardless of its physical location.  Therefore, any off site services used by the University must be reviewed and approved by the Director of Technology Security and Compliance.

The Director of Technology Security and Compliance will ensure that the Off Site services meet all of the University’s requirements for backups and restoration, security, access controls, data retention, data destruction and ownership of the data.

XII. Destruction Requirements

Data should not be retained any longer than is needed unless otherwise stated in this policy, court order, or by Federal, State, and local laws which pertain to the retention of said data. 

All non-archival, official, convenience, duplicate or multiple copies of records that are scheduled to be destroyed must be destroyed in accordance with the record’s data classification.  

Data classified as Public may be recycled as there are no destruction requirements for this type of data. 

Data classified as either Internal Use Only or Confidential must be destroyed by one of the following methods, depending on the medium used to store the data (e.g., paper, microfiche, disk, tape, hard drive, etc.):

  • Cross Shredding
  • Chemical destruction or incineration in an approved safe method
  • Degaussing, pulverizing, cutting or wiping electronic files or media.

When contracting with an external entity for record destruction, the contract should specify destruction measures consistent with these standards and should provide for some form of compliance monitoring and verification of record destruction.  External entities for record destruction must be approved by the Director of Technology Security and Compliance, and all records of such approvals must be maintained by the same.  Currently the only authorized external entity for record destruction for the University of Saint Francis is Iron Mountain Incorporated.

XIII. Review and Approval

This policy was reviewed on 02 April 2011 by attorneys Mr. Richard Fox and Mr. Tony Stites of Barrett & McNagny for legal compliance with state and federal laws.

This policy was approved by the University of Saint Francis President’s Cabinet on April 27, 2012.

This policy will be required to be reviewed annually by the Director of Technology Security and Compliance.

XIV. References

FERPA (Family Educational Rights and Privacy Act) –  http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html

HEOA (Higher Education Opportunity Act) – http://www2.ed.gov/policy/highered/leg/hea08/index.html

FSAH (Federal Student Aid Handbook) –   http://ifap.ed.gov/ifap/byawardyear.jsp?type=fsahandbook

HIPAA (Health Insurance Portability and Accountability Act) – http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html

ADEA (Age Discrimination in Employment Act) – http://www.eeoc.gov/laws/statutes/adea.cfm

Equal Pay Act – http://www.eeoc.gov/laws/statutes/epa.cfm

FMLA (Family and Medical Leave Act) – http://www.dol.gov/whd/fmla/

IRCA (Immigration Reform and Control Act) – http://www.uscis.gov/portal/site/uscis/menuitem.5af9bb95919f35e66f614176543f6d1a/?vgnextchannel=b328194d3e88d010VgnVCM10000048f3d6a1RCRD&vgnextoid=04a295c4f635f010VgnVCM1000000ecd190aRCRD

OSHA (Occupational Safety and Health Act) – http://www.osha.gov/pls/oshaweb/owasrch.search_form?p_doc_type=oshact

Sarbanes-Oxley Act of 2002 – http://www.soxlaw.com/

Although institutions of higher education do not fall under the purview of Sarbanes-Oxley, it is prudent that it be used as a framework for financial records, as it covers concerns that are universal.

XV. Contacts

Security and Policy Questions:

Randy Troy

Director of Technology, Security and Compliance, 260-399-7700 x 6019

Reporting an incident:

Randy Troy

Director of Technology, Security and Compliance, 260-399-7700 x 6019

Teresa Sordelet

Associate Vice President, 260-399-7700 x 6020

XVI. Data Retention Appendix

  
