Date Established: 5/16/2011
Date Last Updated: 11/2/2018
Administration and Governance
Policy, Compliance and Internal Controls
Vice President for Finance and Administration
This policy defines the standards and procedures for retention, handling, and disposition of university records.
The University at Buffalo (UB, university) requires retention of university records, regardless of format, for specific periods of time in accordance with federal, state, and other legal and institutional requirements. The university is committed to effective and consistent record management that:
The designated Office of Record must maintain the official copy of a university record for the required duration outlined in the applicable record retention schedule and then dispose of it in a manner appropriate for the record format.
Departments that are not designated as an Office of Record must dispose of duplicate copies of university records in an appropriate manner when there is no longer an administrative need for them. Retaining records when there is no legal requirement to do so may place additional burdens on the unit:
Offices that are not the Office of Record should ask the Office of Record to provide them with any copies they need.
The university is required to follow the record retention guidelines provided in the following schedules. These indicate the minimum length of time that a record, regardless of format, must be retained. The applicable schedule depends on the type or source of the record.
Many records contain Category 1 – Restricted Data or Category 2 – Private Data. This data is protected by federal, state, or local regulations such as the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), and the Fair Credit Reporting Act. In addition to statutory requirements, Category 1 – Restricted Data and Category 2 – Private Data must be handled in accordance with the university’s privacy and information security policies.
Disposal of records, regardless of format, relevant to pending or anticipated litigation, claim, audit, agency charge, investigation, or enforcement action must be suspended until final resolution of the matter. Employees who are made aware of a Legal Hold must preserve all records with potential relevance until receiving official notice that the Legal Hold may be released.
An Office of Record that chooses to maintain documents electronically must establish a procedure to implement the use of electronic records in substitution for original paper records. The procedure must ensure the:
An effective electronic record security procedure must:
University systems may retain backups of deleted files for up to two years after files are deleted; this is dependent on the system and department.
Most records in the SUNY schedule have been pre-authorized for replacement so that paper records that have been scanned or otherwise converted may be destroyed prior to the end of their retention period. If not pre-authorized, replacement or destruction of the paper records can only occur upon approval by the State Archives.
Federal Acquisition Regulations (FAR) and RF policy require that original RF documents be retained for a minimum of one year after imaging to permit periodic validation of the imaging system.
Generally, records transmitted through email systems have the same retention periods as records in other formats that are related to the same function or activity. It is recommended that users identify and purge all non-records in email, segregating official records from transitory information.
Archival records are records that the university must keep permanently to meet fiscal, legal, or administrative needs or that contain historically significant information. Records do not have to be old to be archival. What makes a record worthy of permanent retention and special management is the continuing importance of the information it contains (e.g., President’s annual reports, minutes of campus councils, governance organization minutes or handbooks, inaugural or commencement records, documents generated by or for the campuses such as strategic plans and accreditation reports).
The University Archives accepts some records for permanent retention; it does not hold records temporarily or manage records until scheduled destruction.
Perform record disposition regularly, at least once each year.
Disposal of University Records
When disposing of records, destroy them in an appropriate manner:
Disposal of Category 1 – Restricted Data and Category 2 – Private Data
For disposal of Category 1 – Restricted Data and Category 2 – Private Data, departments should contract directly with a reputable vendor to ensure compliance with the appropriate regulations.
University records must be maintained to support operational needs and internal controls, protect privacy, and meet federal, state, and regulatory requirements. Document retention standards and systems must ensure that transactions and related authorizations are fully supported in the event of an audit, litigation, or other external action.
This policy pertains to all university documents and records, regardless of format.
Archival Records
Records that the university must keep permanently to meet fiscal, legal, or administrative needs, or because they contain historically significant information. What makes a record worthy of permanent retention and special management is the continuing importance of the information it contains.
Category 1 – Restricted Data
Protection of the data is required by law or regulation. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances, or reputation.
Restricted data includes the definition of private information in the New York State (NYS) Security and Breach Notification Act as a foundation: bank account, credit card, debit card numbers; social security numbers; state-issued driver license numbers; and state-issued non-driver identification numbers. To this list, university policy adds protected health information (PHI), computer passwords, other computer access protection data, and passport numbers.
Category 1 – Restricted Data are exempt from disclosure or release under the NYS Freedom of Information Law (FOIL). The NYS Information Security Breach and Notification Act requires the university to disclose any breach of the data to New York residents. (State entities must also notify non-residents; see the NYS Information Security Policy.)
Individuals who access, process, store, or in any other way handle Category 1 – Restricted Data must implement controls and security measures as required by relevant laws, regulations, and university policy. In instances where laws or regulations conflict with university policy, the more restrictive policy, law, or regulation governs.
Category 2 – Private Data
Includes university data not identified as Category 1 – Restricted Data, and data protected by state and federal regulations. This includes Family Educational Rights and Privacy Act (FERPA)-protected student records and electronic records that are specifically exempt from disclosure by the NYS FOIL.
Category 2 – Private Data must be protected to ensure that they are not disclosed in a FOIL request. Private data must be protected in order to ensure that they are only disclosed as required by law, including FOIL. Decisions about disclosure must be made by the Records Management Officer.
The National Institute of Standards and Technology (NIST) Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations maps to the Category 2 – Private Data risk classification.
Electronic Record
Information recorded in a format that requires a computer or other electronic device to access it and that otherwise satisfies the definition of a record.
Electronically Stored Information (ESI)
Any information, record, document, file, or data that is stored electronically. ESI may include audio recordings, videotape, voice mail, email, instant messages, text messages, word processing documents, spreadsheets, databases, calendars, telephone logs, contact information, internet usage files, metadata, and all other electronic information created, received, or maintained on computer systems. ESI may reside on a university system, device, or server of any kind or on an employee’s personal device or account if such device or account is used for conducting university business.
Legal Hold
The process by which UB Information Technology personnel preserve certain records and ESI pursuant to a Legal Preservation Notice by Counsel.
Legal Preservation Notice
A set of written instructions that is sent from Counsel to Key Persons and their supervisors, with notice to the E-Discovery Response Team in order to initiate a Legal Hold when an event gives rise to a reasonable anticipation of litigation.
Office of Record
The unit or individual designated as having responsibility for retention and timely destruction of official university records. If you are designated to maintain the original document, you are considered the Office of Record and must maintain the document for the period outlined in the applicable record retention schedule.
The original copy of any record, document, or information that supports the transaction of university business. Paper or text documents, computer data, electronic records, microfilm, computer tapes, and video or audio recordings are considered records.
The primary resource in a business office who interprets policies and retention requirements related to the specific record type for which they have been assigned responsibility; also responsible for providing guidance to departmental record custodians pertaining to the retention and destruction of these records.
The individual responsible for oversight of departmental records.
The length of time for which the Office of Record is responsible for the maintenance of specific university records.
November 2018
Full review. Updated the policy to:
• Change the title of the policy from Record Retention and Disposal to Record Retention and Disposition
• Revise terminology related to Category 1 – Restricted Data and Category 2 – Private Data to be consistent with the Protection of University Data Policy
• Add definitions for Electronically Stored Information, Legal Hold, and Legal Preservation Notice