University at Buffalo Crest

Policy Information

Date Established: 5/16/2011
Date Last Updated:
Administration and Governance
Responsible Office:
Policy an Organizational Excellence
Responsible Executive:
Vice President for Finance and Administration

Policy Contents

Record Retention and Disposal


This policy defines the standards and procedures for retention, handling, and disposal of university records.

Policy Statement

The University at Buffalo (UB, university) requires retention of university records, regardless of format, for specific periods of time in accordance with federal, state, and other legal and institutional requirements. The university is committed to effective and consistent record management that:

  • maintains the privacy and security of institutional and constituent information
  • ensures records are retained for the required duration
  • preserves records of historical value
  • requires disposal of outdated and unnecessary records in a manner appropriate for the format
  • optimizes the use of space
  • minimizes the cost of record retention.

Managing University Records

The designated Office of Record is responsible for maintaining the official copy of a university record. The official documents must be retained for the required duration outlined in the applicable Record Retention Schedule and then disposed of in a manner appropriate for the record format.

Departments that are not designated as an Office of Record must dispose of duplicate copies of university records in an appropriate manner when there is no longer an administrative need for them. Retaining records when there is no legal requirement to do so may place additional burdens on the unit:

  • Records containing personal identifying information must be protected against theft. If such records are accessed inappropriately or lost, the unit could be subjected to fines, penalties, cost to notify individuals whose records were breached, and loss of reputation.
  • In the event of a legal proceeding or audit, the unit must provide all documentation that has been maintained regardless of the retention requirements. This can be a very time consuming and costly process.

Offices who are not the Office of Record should refer to the Office of Record to provide them with the necessary copies.

Record Retention Schedules

The university is required to follow the record retention guidelines provided in the following schedules. These indicate the minimum length of time that a record, regardless of format, must be retained. The applicable schedule is dependent on the type or source of the record.

  • State University of New York Records Retention and Disposition Schedule – includes the record categories specific to the State University of New York (SUNY); other record categories of a more general nature are included in the New York State General Retention and Disposition Schedule. When records are included in both schedules, the SUNY requirements take precedence.
  • New York State General Retention and Disposition Schedule – defines the record retention requirements for all New York State (NYS) agencies. Refer to this schedule for record categories not covered by the SUNY Records Retention and Disposition Schedule.
  • Research Foundation Records Management Policy – provides legal and corporate retention and disposal requirements pertaining to Research Foundation (RF) business. 


Many records contain confidential and/or regulated private data protected by federal, state, and local regulations such as the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), Personal Privacy Protection Law (PPPL), and the Fair Credit Reporting Act. In addition to the statutory requirements, confidential records and regulated private data must be handled in accordance with the university’s privacy and information security policies.

Preservation of Records Relevant to Legal Matters

Disposal of records (regardless of format) relevant to pending or anticipated litigation, claim, audit, agency charge, investigation, or enforcement action must be suspended until final resolution of the matter. Employees who become aware that an investigation or legal proceeding has commenced or is anticipated, must preserve all records with potential relevance.

Electronic Records

An Office of Record that chooses to maintain documents electronically must establish a procedure to implement the use of electronic records in substitution for original paper records. The procedure must ensure the:

  • process maintains the integrity of the original records, is reliable and secure, and that authenticity can be validated
  • image process preserves accurate images of original records, including signatures, worksheets, relevant notes, and other papers necessary to reconstruct and understand the original record
  • system will not permit additions, deletions, or changes to the images without leaving a record of such additions, deletions, or changes
  • index system provides secure, on-time, and convenient access and retrieval of imaged records so that each document is sufficiently indentified to permit retrieval
  • accessibility of electronic records is not lost because of changing technology, portability of the medium, or transfer to a different medium
  • metadata information that describes how, when, and by whom it was collected, as well as size and storage requirements, must be preserved with electronic records.
  • An effective electronic record security procedure must be established to:
    • allow only appropriate, authorized personnel access to electronic records and that such personnel are trained to protect sensitive, proprietary, or classified electronic records
    • provide for the backup and recovery of electronic records as protection against information loss
    • minimize the risk of unauthorized change or erasure of electronic records
    • retain electronic records according to the retention schedule applicable to the original record.

Most records in the SUNY schedule have been pre-authorized for replacement so that paper records that have been scanned or otherwise converted may be destroyed prior to the end of their retention period. If not pre-authorized, replacement or destruction of the paper records can only occur upon approval by the State Archives.

Federal Acquisition Regulations (FAR) and RF policy require that original RF documents be retained for a minimum of one year after imaging to permit periodic validation of the imaging system.


Generally, records transmitted through email systems have the same retention periods as records in other formats that are related to the same function or activity. It is recommended that users identify and purge all non-records in email, segregating official records from transitory information. There are two options for filing and managing email records:  printing and filing in a manual filing system or transferring messages to an electronic filing system.  

Records Retained by University Archives

Archival records are records that the university must keep permanently to meet fiscal, legal, or administrative needs or that contain historically significant information. Records do not have to be old to be archival. What makes a record worthy of permanent retention and special management is the continuing importance of the information it contains. Among these are President’s annual reports, minutes of campus councils, governance organization minutes or handbooks, inaugural or commencement records, and important documents generated by or for the campuses such as strategic plans, accreditation reports, etc.

The University Archives accepts records for permanent retention; it does not hold records temporarily or manage records until scheduled destruction. For questions, or to arrange for the transfer of material to the University Archives, contact the Archives directly.


This policy pertains to all university documents and records, regardless of format.


Archival Record

Records that the university must keep permanently to meet fiscal, legal, or administrative needs, or because they contain historically significant information. What makes a record worthy of permanent retention and special management is the continuing importance of the information it contains.

Confidential Record

Information that specifically identifies and/or describes an employee, student, or UB affiliate; an employee or student’s protected health information, or organization information, which if disclosed or released would result in negative financial, competitive, or productive loss, or other non-beneficial impacts. Specific examples of confidential information include, but are not limited to:

• an employee’s name when combined with birth date, race, gender, marital status, disability status, veteran status, citizenship, or social security number

• an employee’s home address or telephone number; relatives’ names, addresses, or telephone numbers

• individual employment records of living current or former employees, including records which concern hiring, appointment, promotion, tenure, salary, performance, termination, or other circumstances of employment unless the employee grants access in writing

• individual education records of living students or living former students, as defined by FERPA, unless the student or former student grants access in writing

• all regulated private data

• records that have been restricted by contract

• facilities management documentation, including security system information

• auditing information, including internal audit reports and investigative records

• organizational legal documents, including pending lawsuits and attorney-client communications.

Office of Record

The unit or individual designated as having responsibility for retention and timely destruction of official university records. If you are designated to maintain the original document, you are considered the Office of Record and must maintain the document for the period outlined in the applicable record retention schedule.


The original copy of any record, document, or information that supports the transaction of university business. Paper/text documents, computer data, electronic records, microfilm, computer tapes, and video/audio recordings are considered records.

Record Coordinator

The primary resource in a business office who interprets policies and retention requirements related to the specific record type for which they have been assigned responsibility. In addition, the Record Coordinator is responsible for providing guidance to departmental record custodians pertaining to the retention and destruction of these records.

Record Custodian

The individual responsible for oversight of departmental records.

Regulated Private Data 

Includes bank credit/debit card numbers with or without PINs, social security numbers, state-issued driver license numbers, state-issued non-driver identification numbers, protected health information, passwords, and computer access protection information.

Retention Period

The length of time for which the Office of Record is responsible for the maintenance of specific university records.  


Department Chair or Unit Head

  • Assign a departmental Record Custodian.
  • Implement record management practices consistent with this policy.
  • Restrict access to confidential records.

Office of Record

  • Maintain official records in accordance with the appropriate Record Retention Schedule and the requirements of this policy.
  • Provide records when requested by internal or external entities when such requests are deemed appropriate and necessary.
  • Destroy records in an appropriate manner.

Record Coordinators

  • The subject matter expert for a specific record category (e.g. Personnel, Financial, Student) who will provide guidance to departmental Record Custodians pertaining to the retention and destruction of the specific record categories for which they are responsible. 

Record Custodian

  • Determine if the department is the Office of Record for any records. If necessary, consult with the Record Coordinator.
  • Preserve appropriate records with historical value by transferring them to the University Archives.
  • Appropriately dispose of all records for which the department is not the Office of Record.
  • When the department maintains the official university copy (Office of Record), consult the appropriate Record Retention Schedule and dispose of the records when the Schedule indicates they are no longer required.
  • Maintain a record of the identity, inclusive dates, and approximate quantity of disposed records.


Record Disposal

Disposition of records should be carried out regularly, at least once a year and should not be deferred until records become a pressing storage problem. Maintain records of the identity, inclusive dates, and approximate quantity of disposed records. 

Consult the appropriate Record Retention Schedule to determine the required retention period:  

  • SUNY Records Retention and Disposition Schedule
  • NYS General Retention and Disposition Schedule
  • RF Records Management Policy
In instances where NYS and SUNY retention periods conflict, the SUNY Schedule should be utilized.  

Disposal of General University Records

Once it has been determined that it is appropriate to dispose of records, destroy them in one of the following ways:

  • recycle non-confidential paper records
  • shred or render unreadable records with confidential information
  • utilize a confidential disposal bin that will be emptied and disposed of by University Facilities utilizing black plastic trash bags; these papers are not recycled
  • erase electronically stored non-confidential records
  • overwrite or physically destroy the media on which confidential electronic records are stored.

Disposal of Confidential University Records

University Facilities provides general disposal services (shredding) for confidential records that are not suitable for internal recycling. Contact the University Facilities Customer Service department to arrange for document disposal.  

Disposal of Regulated Private Data

For disposal of regulated (HIPAA, FERPA) documents, departments should contract directly with a reputable vendor to ensure compliance with the appropriate regulations. Contact the UB Director of HIPAA Compliance to determine if a Business Associate Contract is required.  

Additional information and guidelines related to HIPAA are available on the HIPAA website or by contacting the UB Director of HIPAA Compliance.

Contact Information

Contact Phone Email
Records Management Officer 716-645-5464
University Archives 716-645-2916; ext. 256
University Facilities 716-645-2025
HIPAA Compliance 716-829-3866

Related Information

University Links

Related Links

Presidential Approval

Signed by President Satish K. Tripathi

Satish K. Tripathi, President