Record Retention and Disposal
This policy defines the standards and procedures for retention,
handling, and disposal of university records.
The University at Buffalo (UB, university) requires retention of
university records, regardless of format, for specific periods of
time in accordance with federal, state, and other legal and
institutional requirements. The university is committed to
effective and consistent record management that:
- maintains the privacy and security of institutional and
- ensures records are retained for the required duration
- preserves records of historical value
- requires disposal of outdated and unnecessary records in a
manner appropriate for the format
- optimizes the use of space
- minimizes the cost of record retention.
Managing University Records
The designated Office of Record is responsible for maintaining
the official copy of a university record. The official documents
must be retained for the required duration outlined in the
applicable Record Retention Schedule and then disposed of in a
manner appropriate for the record format.
Departments that are not designated as an Office of Record must
dispose of duplicate copies of university records in an appropriate
manner when there is no longer an administrative need for them.
Retaining records when there is no legal requirement to do so may
place additional burdens on the unit:
- Records containing personal identifying information must be
protected against theft. If such records are accessed
inappropriately or lost, the unit could be subjected to fines,
penalties, cost to notify individuals whose records were breached,
and loss of reputation.
- In the event of a legal proceeding or audit, the unit must
provide all documentation that has been maintained regardless of
the retention requirements. This can be a very time consuming and
Offices that are not the Office of Record should refer to the
Office of Record to provide them with the necessary copies.
Record Retention Schedules
The university is required to follow the record retention
guidelines provided in the following schedules. These indicate the
minimum length of time that a record, regardless of format, must be
retained. The applicable schedule is dependent on the type or
source of the record.
- State University of New York Records Retention and
Disposition Schedule – includes the record categories
specific to the State University of New York (SUNY); other record
categories of a more general nature are included in the New York
State General Retention and Disposition Schedule. When records are
included in both schedules, the SUNY requirements take
- New York State General Retention and Disposition
Schedule – defines the record retention requirements for
all New York State (NYS) agencies. Refer to this schedule for
record categories not covered by the SUNY Records Retention and
- Research Foundation Records Management Policy –
provides legal and corporate retention and disposal requirements
pertaining to Research Foundation (RF) business.
Many records contain confidential and/or regulated private data
protected by federal, state, and local regulations such as the
Family Educational Rights and Privacy Act (FERPA), Health Insurance
Portability and Accountability Act (HIPAA), Personal Privacy
Protection Law (PPPL), and the Fair Credit Reporting Act. In
addition to the statutory requirements, confidential records and
regulated private data must be handled in accordance with the
university’s privacy and information security policies.
Preservation of Records Relevant to Legal Matters
Disposal of records (regardless of format) relevant to pending
or anticipated litigation, claim, audit, agency charge,
investigation, or enforcement action must be suspended until final
resolution of the matter. Employees who become aware that an
investigation or legal proceeding has commenced or is anticipated
must preserve all records with potential relevance.
An Office of Record that chooses to maintain documents
electronically must establish a procedure to implement the use of
electronic records in substitution for original paper records. The
procedure must ensure the:
- process maintains the integrity of the original records, is
reliable and secure, and that authenticity can be validated
- image process preserves accurate images of original records,
including signatures, worksheets, relevant notes, and other papers
necessary to reconstruct and understand the original record
- system will not permit additions, deletions, or changes to the
images without leaving a record of such additions, deletions, or
- index system provides secure, on-time, and convenient access
and retrieval of imaged records so that each document is
sufficiently identified to permit retrieval
- accessibility of electronic records is not lost because of
changing technology, portability of the medium, or transfer to a
- metadata information that describes how, when, and by whom it
was collected, as well as size and storage requirements, must be
preserved with electronic records.
- An effective electronic record security procedure must be
- allow only appropriate, authorized personnel access to
electronic records and that such personnel are trained to protect
sensitive, proprietary, or classified electronic records
- provide for the backup and recovery of electronic records as
protection against information loss
- minimize the risk of unauthorized change or erasure of
- retain electronic records according to the retention schedule
applicable to the original record.
Most records in the SUNY schedule have been pre-authorized for
replacement so that paper records that have been scanned or
otherwise converted may be destroyed prior to the end of their
retention period. If not pre-authorized, replacement or destruction
of the paper records can only occur upon approval by the State
Federal Acquisition Regulations (FAR) and RF policy require that
original RF documents be retained for a minimum of one year after
imaging to permit periodic validation of the imaging system.
Generally, records transmitted through email systems have the
same retention periods as records in other formats that are related
to the same function or activity. It is recommended that users
identify and purge all non-records in email, segregating official
records from transitory information. There are two options for
filing and managing email records: printing and filing in a
manual filing system or transferring messages to an electronic
Records Retained by University Archives
Archival records are records that the university must keep
permanently to meet fiscal, legal, or administrative needs or that
contain historically significant information. Records do not have
to be old to be archival. What makes a record worthy of permanent
retention and special management is the continuing importance of
the information it contains. Among these are President’s
annual reports, minutes of campus councils, governance organization
minutes or handbooks, inaugural or commencement records, and
important documents generated by or for the campuses such as
strategic plans, accreditation reports, etc.
The University Archives accepts records for permanent retention;
it does not hold records temporarily or manage records until
scheduled destruction. For questions, or to arrange for the
transfer of material to the University Archives, contact the
This policy pertains to all university documents and records,
regardless of format.
Records that the university must keep
permanently to meet fiscal, legal, or administrative needs, or
because they contain historically significant information. What
makes a record worthy of permanent retention and special management
is the continuing importance of the information it contains.
Information that specifically
identifies and/or describes an employee, student, or UB affiliate;
an employee or student’s protected health information, or
organization information, which if disclosed or released would
result in negative financial, competitive, or productive loss, or
other non-beneficial impacts. Specific examples of confidential
information include, but are not limited to:
• an employee’s name when
combined with birth date, race, gender, marital status, disability
status, veteran status, citizenship, or social security number
• an employee’s home
address or telephone number; relatives’ names, addresses, or
• individual employment records
of living current or former employees, including records which
concern hiring, appointment, promotion, tenure, salary,
performance, termination, or other circumstances of employment
unless the employee grants access in writing
• individual education
records of living students or living former students, as defined by
FERPA, unless the student or former student grants access in
• all regulated private data
• records that have been
restricted by contract
• facilities management
documentation, including security system information
• auditing information,
including internal audit reports and investigative records
• organizational legal
documents, including pending lawsuits and attorney-client
Office of Record
The unit or individual designated as
having responsibility for retention and timely destruction of
official university records. If you are designated to maintain the
original document, you are considered the Office of Record and must
maintain the document for the period outlined in the applicable
record retention schedule.
The original copy of any record,
document, or information that supports the transaction of
university business. Paper/text documents, computer data,
electronic records, microfilm, computer tapes, and video/audio
recordings are considered records.
The primary resource in a business
office who interprets policies and retention requirements related
to the specific record type for which they have been assigned
responsibility. In addition, the Record Coordinator is responsible
for providing guidance to departmental record custodians pertaining
to the retention and destruction of these records.
The individual responsible for
oversight of departmental records.
Regulated Private Data
Includes bank credit/debit card
numbers with or without PINs, social security numbers, state-issued
driver license numbers, state-issued non-driver identification
numbers, protected health information, passwords, and computer
access protection information.
The length of time for which the
Office of Record is responsible for the maintenance of specific
Department Chair or Unit Head
- Assign a departmental Record Custodian.
- Implement record management practices consistent with this
- Restrict access to confidential records.
Office of Record
- Maintain official records in accordance with the appropriate
Record Retention Schedule and the requirements of this policy.
- Provide records when requested by internal or external entities
when such requests are deemed appropriate and necessary.
- Destroy records in an appropriate manner.
- The subject matter expert for a specific record category (e.g.
Personnel, Financial, Student) who will provide guidance to
departmental Record Custodians pertaining to the retention and
destruction of the specific record categories for which they are
- Determine if the department is the Office of Record for any
records. If necessary, consult with the Record Coordinator.
- Preserve appropriate records with historical value by
transferring them to the University Archives.
- Appropriately dispose of all records for which the department
is not the Office of Record.
- When the department maintains the official university copy
(Office of Record), consult the appropriate Record Retention
Schedule and dispose of the records when the Schedule indicates
they are no longer required.
- Maintain a record of the identity, inclusive dates, and
approximate quantity of disposed records.
Disposition of records should be carried out regularly, at least
once a year, and should not be deferred until records become a
pressing storage problem. Maintain records of the identity,
inclusive dates, and approximate quantity of disposed
Consult the appropriate Record Retention Schedule to determine
the required retention period:
- SUNY Records Retention and Disposition Schedule
- NYS General Retention and Disposition Schedule
- RF Records Management Policy
In instances where NYS and SUNY retention periods conflict,
the SUNY Schedule should be utilized.
Disposal of General University Records
Once it has been determined that it is appropriate to dispose of
records, destroy them in one of the following ways:
- recycle non-confidential paper records
- shred or render unreadable records with confidential
- utilize a confidential disposal bin that will be emptied and
disposed of by University Facilities utilizing black plastic trash
bags; these papers are not recycled
- erase electronically stored non-confidential records
- overwrite or physically destroy the media on which confidential
electronic records are stored.
Disposal of Confidential University Records
University Facilities provides general disposal services
(shredding) for confidential records that are not suitable for
internal recycling. Contact the University Facilities Customer
Service department to arrange for document
Disposal of Regulated Private Data
For disposal of regulated (HIPAA, FERPA) documents, departments
should contract directly with a reputable vendor to ensure
compliance with the appropriate regulations. Contact the UB
Director of HIPAA Compliance to determine if a Business Associate
Contract is required.
Additional information and guidelines related to HIPAA are
available on the HIPAA website or by contacting the UB Director of
Brian T. Hines
Records Management Officer
420 Crofts Hall
Buffalo, NY 14260
Phone: 716-645-2916, ext. 256
173 Biomedical Education Building
Buffalo, NY 14214
Related Documents, Links