
Records Quarterly
Vol. 1 No. 2 Winter 2008

Contents

Information Security
Ten Steps to Securing Your Sensitive Records

Information security has been a hot issue at the University of Cincinnati in recent months, resulting in some not-so-pleasant media stories. But there is good news: we can do something to improve future headlines. By following some simple steps, UC staff can secure the information with which we have been entrusted.

1. Don’t create unnecessary documents.
Cut off your problems before they even begin by analyzing your recording practices and determining if you really need to create or record everything that you do. Before you print a report from an electronic database, think. Before you make a paper copy of a record, think. Do you really need that document or will you be able to get the information from an existing source when you need it? The less you have to manage, the easier it will become.

2. Identify records that include sensitive information.
Student records, medical records, and personnel records all contain sensitive, personally identifiable information that needs to be secured and protected from unauthorized use. In addition, these types of records are specifically protected by federal law, including FERPA and HIPAA. Check your records retention schedule and determine records series that contain this kind of information. If your schedules are outdated or if you do not have schedules, contact Records Management and together we will conduct an inventory.

3. Take care in using email to send sensitive data.
Once you send an email you have little control over what happens to it. If you must use email, don’t send sensitive information unless it is encrypted. Information Security is currently investigating the use of encryption software at UC. Also avoid forwarding email or copying recipients unless the person has a legitimate reason for needing the information. Make sure that your email account is password protected to prevent unauthorized individuals from using or accessing it.

4. Avoid including Social Security Numbers in records.
Since UC moved to “M” numbers as personal identifiers, many reasons for recording SSNs are no longer valid. Don’t record an SSN if it isn’t absolutely necessary. SSNs in existing records should be removed if they are no longer needed. This can be done by redacting, or by shredding the documents if they have reached their minimum office retention period.

5. Keep paper records that contain sensitive information in locked, secure cabinets and areas.
Active records should be stored in cabinets and areas that can be locked and that are only accessible to those staff members who absolutely need the information to do their jobs. Keys should be secured as well. Take particular care in choosing storage facilities for inactive records that may be removed from your immediate office area. Visit vendor facilities that you contract with and make sure that their security measures are adequate. Whether you use onsite or offsite storage facilities, inactive records of a sensitive nature should be kept in secure areas and only retrievable by approved staff.

6. Take steps to secure electronic records.
Don’t share passwords. Keep records stored on external media in locked, secured cabinets. Set the screen saver on your PC or laptop to lock if you are away from your desk. Contact your network administrator to see how you can use your login screen to lock your PC if you are away.

7. Stick to your retention policy.
If your records retention schedules say to dispose of records, DISPOSE OF THEM, don’t keep them around. Retention periods are designed to keep records as long as legally necessary, but no longer than your administrative needs demand. If you think you need to keep them longer than the stated retention period, there should be a valid administrative need to do so and your retention schedule should reflect that.

8. Destroy both paper and electronic records.
Make sure that records that should be destroyed, rather than discarded, are handled properly by shredding. Shredding can be done in-house or through the use of a shredding vendor. Vendors today are bonded and can guarantee safe, secure destruction of your records. A list of vendors can be found at http://www.libraries.uc.edu/libraries/arb/records_management/vendors.html. Electronic records can be shredded as well. Most shredding vendors can handle electronic media, like floppies, CDs, tapes, and microforms. UCit has a policy for scrubbing retired equipment, which can be found at http://www.uc.edu/ucit/documents/RETIRED_EQUIPMENT_CLEANING_PROCESS.pdf.

9. Don’t send records with personally identifiable information to the University Archives.
Collections held by the University Archives are available for public research. The Archives will not accept student records, medical records or personnel records. If they are found in a collection, they will be returned to the transferring office for destruction. Records approved for transfer to the University Archives will be noted on your retention schedule by the term “Archives” in the disposition column. Questions about what can be transferred can be directed to the Archives.

10. Get answers from the experts.
If you would like to discuss your information security needs, please contact UC’s Information Security Office.
http://www.uc.edu/infosec/
558-ISec
infosec@uc.edu

If you need help with records retention schedules, storage or shredding vendors, or transfer policies, contact Records Management.
http://www.libraries.uc.edu/libraries/arb/records_management/index.html
556-1958
Janice.schulz@uc.edu

Educational Opportunities

Introduction to Records Management

The next Introduction to Records Management workshops will be held in the spring. Exact dates and times will be announced in the spring edition of Records Quarterly and on the Records Management website.

This workshop can also be brought to your department. To set up your own presentation, contact Janice.

If you have interest in a more advanced records topic, please let us know and we may be able to design a workshop.

ARMA International Meetings

The local chapters of the Association of Records Managers and Administrators (ARMA) offer monthly presentations on the latest records management issues. Guests are always welcome to attend the presentations.

Greater Cincinnati Chapter

February 12, 2008—Assured Records Management (ARM): A New Performance Standard with Lori J. Ashley, Cohasset Associates, Inc.
March 11, 2008—Panel Discussion on Legal Holds

Cincinnati meetings are held from 11:15-1:00 and are $20.00 for non-members. The fee includes lunch. To register for a meeting or to get more information, please contact Kay Swisshelm at kay_swisshelm@cinfin.com or 870-2000 ext. 4777. Meetings are usually held at Cincinnati Insurance Companies, 6200 South Gilmore Rd., Fairfield.

Greater Dayton Chapter

The Greater Dayton chapter posts presentation announcements at its website: http://www.greaterdaytonarma.org/welcome.html.

Vital Records

Vital Records are defined as those that are essential to the operation of an organization. They protect legal and financial rights and are necessary to continue operations following a disaster. Identifying and protecting vital records are important components of a records management program.

What records are considered vital?
Some examples of vital records include contracts and agreements, customer lists, leases, licenses, accounts receivable and payable, by-laws, insurance policies and personnel payroll information and histories. These are just a few and you will need to appraise your own records to determine what records are vital in your department. Only about 2 to 6 percent of an organization’s records are vital.

Protecting vital records
The basic method for protection of vital records is to make copies and send them offsite. Paper copies are preferable to electronic or microform for vital record purposes in the case that special equipment is not functional or available in the aftermath of a disaster. Make copying these records part of the normal creation process. You can routinely send the copies to other departments that reside in a different building within the organization or you can choose to store them offsite with a storage vendor. In either case, make sure that the location has the same level of security that the originals require and that the records will be readily accessible, preferably 24/7.

The Vital Records Plan

You should develop a written vital records plan that should include the following:
  • A description of those records identified as vital
  • Offsite storage locations for backups of vital records
  • Methods for creating backup copies of vital records and storing the copies
  • Maintenance of records stored offsite
  • Procedures for retrieving records, including a list of staff members who are authorized to do so
  • Procedures for recovering and/or restoring data and records after a disaster

UC Resources
UCit Risk Management: http://www.uc.edu/infosec/Risk.htm

UC Public Records Policy

In accordance with Ohio’s Public Records Laws, the Office of General Counsel has written a policy that specifies procedures for requesting records for both public and staff. The new policy satisfies a requirement of the law made by Ohio House Bill 9, which was signed in December, 2006.
Below is the Triple-D announcement regarding the policy. The full policy can be accessed on the UC website at http://www.uc.edu/af/documents/general_counsel/Public_Records_Policy.pdf.

From: Mitchell D. McCrate
Interim General Counsel
To: Deans, Directors and Department Heads
Date: November 28, 2007
Re: Public Records

The Office of General Counsel has adopted a public records policy in accordance with university rules and in compliance with recent amendments to the Ohio Public Records Act. This policy is available online at the web address below.

In general, the Ohio Public Records Act requires that records that document the organization, functions, policies, decisions, operations, or other activities of the university be made available to any member of the general public upon request.

The new policy encourages requestors to submit requests directly to the Office of General Counsel.

The policy also informs university personnel that:

  • Requests need not be in writing, though a written request provides the benefits of memorializing the “when” and “what” of the request and reducing confusion;
  • the identity of the requestor and the intended use of the records may not be required as a condition of disclosure; and
  • no request for university records by the public, however it might be made, should be ignored or refused.

The policy directs university personnel to:

  • forward public records requests to the Office of General Counsel;
  • be familiar with the university records management and retention policies, as well as the specific policy applicable to their own university unit; and
  • ensure that the records retention schedule of each university unit is readily available. (For a copy of the records retention schedule of your unit, or to create a new one, contact the Office of University Archives, at 556-1958 or janice.schulz@uc.edu.)

Contact the Office of General Counsel at 556-3483 with any questions.

Protecting the University

Compliance with the legal and regulatory directives that govern an organization and its operations is a vital part of doing business.  With that in mind, one of the objectives of UC Records Management is to ensure compliance with all internal, state, and federal policies regarding the creation and disposition of University records.

Internal policies are created to ensure that the University maintains standards for accreditation and other regulatory bodies, including the North Central Association of Colleges and Schools (NCA), individual college accreditation, and the National Collegiate Athletic Association (NCAA).

Laws of the State of Ohio require us to develop and follow a records management program. Additionally, the Public Records Act requires each department at a state entity to provide requesters with a copy of their records retention schedule.

The Federal Government protects certain types of records through acts such as the Family Educational Rights and Privacy Act (FERPA), which protects student records, and the Health Insurance Portability and Accountability Act (HIPAA), which protects health records.

Both the Ohio Revised Code and the United States Code of Federal Regulations mandate the creation and retention of records regarding employment, health and safety, taxes, contractual agreements, and various other business functions.

The Inter-University Council matrix is used by the University to ensure compliance with these state and federal regulations. Additionally, the Federal Register and the Register of Ohio are checked daily to find any changes in federal or state law that will affect our records. Legislation changes are reported in Records Quarterly and monthly records updates.

Penalties can be steep for non-compliance. The City of Akron recently sold bonds to cover a nearly $1 million fine for the illegal destruction of records (see the news section in this issue). The fine imposed by the State of Ohio for illegal destruction is $1000 per record. Penalties other than monetary can hurt the University as well, such as loss of accreditation or NCAA sanctions.

Our retention policies protect the University by making sure that we are following specific directives concerning records creation and retention and by providing evidence that we are adhering to all internal, state and federal policies and procedures.

Program News

Schedule Development

New Schedules:
College of Business, Sr. Associate Dean
Department of Anesthesia
Research Compliance—Director and Research Compliance Officer
Campus Services—Operations
Campus Services—Campus Recreation Center
Campus Services—University Conferencing

Updated Schedules:
University Libraries—Personnel
CCM Public Relations
Continuing Education—Administration
Arts & Sciences—Department of Geography
University Libraries—Circulation Services

Records Management Listserv

The Records Management Listserv is used to distribute important news and information to records coordinators and others interested in UC records management. It is the primary vehicle for the distribution of Records Quarterly, the official publication of UC Records Management, and monthly updates in between publications. This is a receive-only, or broadcast listserv, and subscribers cannot send messages, but can only receive those sent by UC Records Management.

Sign up for the listserv by going to http://listserv.uc.edu/cgi-bin/wa.exe?SUBED1=lib-recmgmt&A=1, or by sending an email to Janice.Schulz@uc.edu. Please include your name and email address and use "listserv sign-up" in the subject line.

Records Management Website

The website has a new look! University Libraries is redesigning individual library sites to be consistent with the look of the main site. The information has not changed, but the result is a cleaner, more streamlined look. Check it out at http://www.libraries.uc.edu/libraries/arb/records_management/index.html.

IUC Manual Updates

The Inter-University Council of Ohio’s working group charged with updating the records retention manual has decided to purchase a network license for Donald Skupsky’s Retention Manager 3 for use by all member institutions. The software, which will be customized by Skupsky to reflect the IUC Manual, is to be hosted at The Ohio State University. After installation of the software, representatives from all member institutions will be trained by Skupsky. Retention Manager 3 will be continually updated as records retention requirements change so we will always be working with up-to-date information rather than from a static manual that needs to be updated periodically. This will better ensure that we are compliant with federal and state retention requirements. A timeline for purchase, installation, and training is yet to be set.

Records Transfers

The following University records have been transferred to the University Archives:

Faculty Senate
Accession No. UA-07-13, 17 Boxes
Records, including minutes, reports, studies, correspondence, committee files, and subject files. 1995-2002

Athletics, Training
Accession No. UA-07-15, 4 Boxes
Records, including policies & procedures, conference and event manuals, bowl game handbooks and planning, JRC-AT self-study reports, correspondence for the Athletic Training Department. 1998-2005

College of Business Administration, Office of the Dean
Accession No. UA-07-18, 2 Oversized Boxes
Display boards from 2006 UC Showcase. Posters and banners previously displayed in Carl H. Lindner Hall. 2006

University Branding & Marketing
Accession No. UA-07-23, 2 Boxes
Reports, proposals, policies, and correspondence relating to University of Cincinnati branding and marketing. 1973-2000

College of Medicine, Office of Medical Education
Accession No. UA-07-25, 1 Box
College of Medicine Promotion Board guidelines, correspondence and grading policies, and honor council guidelines. 1973-2005

College of Design, Art, Architecture, & Planning
Accession No. UA-08-01, 1 Box
DAAP Undergraduate Student Handbooks, 1976-2008

Records in the News

We can learn from the experiences, triumphs and pitfalls of other organizations in the management of their records. Here are some news stories, mostly of local interest.

College Students Help Police Solve Cold Cases
September 14, 2007
WLWT.com

The Cincinnati police homicide unit is using local criminal justice students to comb through evidence files, hoping to produce new leads in cold cases. The students will be validating information in the files and verifying that property is still available for use in investigation. There are 274 cold cases in the homicide unit.

Lessons learned:

  • This story shows the benefits of a records program with sound retention policies. Sometimes it is difficult to justify an indefinite retention period in one’s mind and we might wonder, who would ever use this? Fifty years ago that may have been the case concerning these files, but with advances in investigative technology, the decision to retain certain documents may be key to solving a case.
  • Without proper records management, the information needed to investigate these cases could be lost to detectives and the chance of solving the crimes would be greatly diminished.

Hospital Workers Suspended for Allegedly Peeking at Clooney Medical Info
FoxNews.com
October 10, 2007

George Clooney was treated at Palisades Medical Center in North Bergen, NJ, after a motorcycle accident on September 21, 2007. In the following weeks, 27 unauthorized employees took the opportunity to check out his records and were each suspended for four weeks.

Lessons learned:

  • The Health Insurance Portability and Accountability Act (HIPAA) provides federal law concerning the transfer, protection, and privacy of patient medical records. Only those employees directly charged with a patient’s care are authorized to examine records.
  • The Family Educational Rights and Privacy Act (FERPA) provides the same type of protection for student records.

Akron to Sell Bonds to Pay Nearly $1 Million in Lawsuit Settlement
Cleveland Plain Dealer
October 18, 2007

Akron City Council voted recently to sell bonds to cover a nearly $1 million penalty for destroying employee time records. The penalty comes from the discovery that overtime records for two employees who sued the city for compensation had been destroyed prior to the case being filed. Sale of the bonds is necessary to cover the unexpected expense.

Lessons learned:

  • Illegal destruction of records can be very costly.

Man May See Wife’s E-mails
Judge Tells State Cabinet to Turn Them Over
November 20, 2007
Kentucky.com

In June 2006, a Kentucky man, suspecting that his wife was being unfaithful, requested copies of email messages that she had sent as an employee of the Kentucky Justice and Public Safety Cabinet. As the messages were created and sent using the state-supported email system, the husband claimed that they were public records subject to the Open Records Act. Although the Cabinet denied the request on the grounds that the messages were exempt because of privacy exceptions, the Office of Attorney General disagreed and ruled that the Open Records Act had been violated by the denial, saying, "In this case, the communications are by definition non-work-related, but that does not mean there is no public interest in the disclosure of such e-mails. The fact that state employees are using state resources to exchange non-work-related messages during working hours is a matter of legitimate inquiry for the public." The Cabinet is still evaluating the ruling.

Lessons learned:

  • The use of University resources for personal needs may open you up to discovery issues. Be aware and use discretion. UCit has policies for the use of electronic resources at http://www.uc.edu/ucit/policies/infotechuse.html.
  • Although documents of a personal nature are not considered University records, and are probably not open to Public Records requests under Ohio definition, they can still be open for discovery under legal terms. In the event of a court subpoena, any documents found in a University office, including the email system, can be submitted as evidence. It’s best to keep personal information out of your University business.

Leg & Reg

Legislation and Regulations Affecting Records Management

Federal Register

U.S. Food and Drug Administration
The U.S. Food and Drug Administration is requesting comments on proposed changes in regulations regarding blood and blood components. Proposed changes to 21 CFR 606.160(e) include maintaining records of donors determined ineligible or deferred and the use of a master list of such donors at multiple sites of a common organization. Comments are requested by February 6, 2008. The proposed rule can be found in Federal Register Vol. 72, No. 216, dated Thursday, November 8, 2007.

Drug Enforcement Administration
The Drug Enforcement Administration is requesting comments for changes in DEA Form 222, used to order schedule I and/or II controlled substances as prescribed by 21 CFR 1305. The proposed rule would change the form from a three-part carbon to a single sheet form with enhanced security features. The change is designed to make the form easier to use for DEA and registrants. Comments are requested by January 28, 2008. The proposed rule can be found in Federal Register Vol. 72, No. 227, dated Tuesday, November 27, 2007.

The Federal Register can be searched at http://www.gpoaccess.gov/fr/advanced.html.

Department of Education Releases Guidance Pamphlets on FERPA

On Tuesday, October 30, the U.S. Department of Education released several pamphlets to help educate people about balancing school safety and student privacy. Following the Virginia Tech tragedy, questions were raised by legislators and institutions about whether the release of the shooter’s psychological records could have prevented the events from happening. It was determined that different interpretations of the Family Educational Rights and Privacy Act of 1974 (FERPA) had been made by officials, and that the DOE needed to clarify the law to help those involved better understand what is required and what is allowed. The guidance pamphlet for colleges and universities can be found at http://www.ed.gov/policy/gen/guid/fpco/brochures/postsec.html and additional resources at http://www.ed.gov/policy/gen/guid/fpco/ferpa/safeschools/index.html.

Please remember that University Rules govern the privacy of student records: http://www.uc.edu/Trustees/Rules/RuleDetail.asp?ID=96. Use this new information from the DOE as a guide to what school officials might be able to do in the face of safety issues. If you have any questions whatsoever concerning the privacy and release of student records, contact the Office of the Registrar. They also offer excellent information about FERPA on their website at http://www.uc.edu/registrar/Records_Privacy_and_FERPA.html, including reference sheets for faculty and office staff.

Coming Up In Records Quarterly

  • Active Records Systems—is your plan working for you? What are the important elements of an efficient, easy to maintain filing system?
  • Certain activities make cleaning out your files come to the forefront. What do you do with your records if your office is moving or you are retiring?
  • Office Efficiency—the final step in our series on records management objectives

University Records Management

The University Records Management Program is administered by the University Archives in compliance with UC Rule 10-43-10.

Janice M. Schulz,
University Records Manager and Archives Specialist
Office Location: 806 Carl Blegen Library
Mail Location: 113
Email: Janice.Schulz@uc.edu
Phone: 556-1958
Fax: 556-2113
Website: www.libraries.uc.edu/libraries/arb/records_management/

Records Quarterly

Records Quarterly is the newsletter of University of Cincinnati Records Management. It is published four times per year in October, January, April, and July and distributed electronically via the Records Management website. Subscribers to the Records Management Listserv will receive notification of new issues automatically. If you are not a member of the listserv and you would like to receive these notifications, please email Janice Schulz at Janice.Schulz@uc.edu with your name and email address and you will be included on a separate distribution list.

Contributions to Records Quarterly can be made by emailing content to Janice.Schulz@uc.edu.