Date Established: 5/16/2011
Date Last Updated: –
Administration and Governance
Policy an Organizational Excellence
Vice President for Finance and Administration
This policy defines the standards and procedures for retention, handling, and disposal of university records.
The University at Buffalo (UB, university) requires retention of university records, regardless of format, for specific periods of time in accordance with federal, state, and other legal and institutional requirements. The university is committed to effective and consistent record management that:
The designated Office of Record is responsible for maintaining the official copy of a university record. The official documents must be retained for the required duration outlined in the applicable Record Retention Schedule and then disposed of in a manner appropriate for the record format.
Departments that are not designated as an Office of Record must dispose of duplicate copies of university records in an appropriate manner when there is no longer an administrative need for them. Retaining records when there is no legal requirement to do so may place additional burdens on the unit:
Offices who are not the Office of Record should refer to the Office of Record to provide them with the necessary copies.
The university is required to follow the record retention guidelines provided in the following schedules. These indicate the minimum length of time that a record, regardless of format, must be retained. The applicable schedule is dependent on the type or source of the record.
Many records contain confidential and/or regulated private data protected by federal, state, and local regulations such as the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), Personal Privacy Protection Law (PPPL), and the Fair Credit Reporting Act. In addition to the statutory requirements, confidential records and regulated private data must be handled in accordance with the university’s privacy and information security policies.
Disposal of records (regardless of format) relevant to pending or anticipated litigation, claim, audit, agency charge, investigation, or enforcement action must be suspended until final resolution of the matter. Employees who become aware that an investigation or legal proceeding has commenced or is anticipated, must preserve all records with potential relevance.
An Office of Record that chooses to maintain documents electronically must establish a procedure to implement the use of electronic records in substitution for original paper records. The procedure must ensure the:
Most records in the SUNY schedule have been pre-authorized for replacement so that paper records that have been scanned or otherwise converted may be destroyed prior to the end of their retention period. If not pre-authorized, replacement or destruction of the paper records can only occur upon approval by the State Archives.
Federal Acquisition Regulations (FAR) and RF policy require that original RF documents be retained for a minimum of one year after imaging to permit periodic validation of the imaging system.
Generally, records transmitted through email systems have the same retention periods as records in other formats that are related to the same function or activity. It is recommended that users identify and purge all non-records in email, segregating official records from transitory information. There are two options for filing and managing email records: printing and filing in a manual filing system or transferring messages to an electronic filing system.
Archival records are records that the university must keep permanently to meet fiscal, legal, or administrative needs or that contain historically significant information. Records do not have to be old to be archival. What makes a record worthy of permanent retention and special management is the continuing importance of the information it contains. Among these are President’s annual reports, minutes of campus councils, governance organization minutes or handbooks, inaugural or commencement records, and important documents generated by or for the campuses such as strategic plans, accreditation reports, etc.
The University Archives accepts records for permanent retention; it does not hold records temporarily or manage records until scheduled destruction. For questions, or to arrange for the transfer of material to the University Archives, contact the Archives directly.
This policy pertains to all university documents and records, regardless of format.
Records that the university must keep permanently to meet fiscal, legal, or administrative needs, or because they contain historically significant information. What makes a record worthy of permanent retention and special management is the continuing importance of the information it contains.
Information that specifically identifies and/or describes an employee, student, or UB affiliate; an employee or student’s protected health information, or organization information, which if disclosed or released would result in negative financial, competitive, or productive loss, or other non-beneficial impacts. Specific examples of confidential information include, but are not limited to:
• an employee’s name when combined with birth date, race, gender, marital status, disability status, veteran status, citizenship, or social security number
• an employee’s home address or telephone number; relatives’ names, addresses, or telephone numbers
• individual employment records of living current or former employees, including records which concern hiring, appointment, promotion, tenure, salary, performance, termination, or other circumstances of employment unless the employee grants access in writing
• individual education records of living students or living former students, as defined by FERPA, unless the student or former student grants access in writing
• all regulated private data
• records that have been restricted by contract
• facilities management documentation, including security system information
• auditing information, including internal audit reports and investigative records
• organizational legal documents, including pending lawsuits and attorney-client communications.
Office of Record
The unit or individual designated as having responsibility for retention and timely destruction of official university records. If you are designated to maintain the original document, you are considered the Office of Record and must maintain the document for the period outlined in the applicable record retention schedule.
The original copy of any record, document, or information that supports the transaction of university business. Paper/text documents, computer data, electronic records, microfilm, computer tapes, and video/audio recordings are considered records.
The primary resource in a business office who interprets policies and retention requirements related to the specific record type for which they have been assigned responsibility. In addition, the Record Coordinator is responsible for providing guidance to departmental record custodians pertaining to the retention and destruction of these records.
The individual responsible for oversight of departmental records.
Regulated Private Data
Includes bank credit/debit card numbers with or without PINs, social security numbers, state-issued driver license numbers, state-issued non-driver identification numbers, protected health information, passwords, and computer access protection information.
The length of time for which the Office of Record is responsible for the maintenance of specific university records.
Disposition of records should be carried out regularly, at least once a year and should not be deferred until records become a pressing storage problem. Maintain records of the identity, inclusive dates, and approximate quantity of disposed records.
Consult the appropriate Record Retention Schedule to determine the required retention period:
Once it has been determined that it is appropriate to dispose of records, destroy them in one of the following ways:
University Facilities provides general disposal services (shredding) for confidential records that are not suitable for internal recycling. Contact the University Facilities Customer Service department to arrange for document disposal.
For disposal of regulated (HIPAA, FERPA) documents, departments should contract directly with a reputable vendor to ensure compliance with the appropriate regulations. Contact the UB Director of HIPAA Compliance to determine if a Business Associate Contract is required.
Additional information and guidelines related to HIPAA are available on the HIPAA website or by contacting the UB Director of HIPAA Compliance.