Policy Number: 1-13
Policy Name: Departmental Information and Records Management Policies
Date: June 5, 1989
Revisions: 1995 (1-14 and 1-15, dated 1989, were merged); July 2000; September 2000
The following policy defines the departmental role for records and information management, including records and information classification, maintenance, retention, retrieval, protection and preservation.
The policy addresses general departmental records and information management issues and responsibilities, while the attached guidelines address policy issues for information and records stored electronically.
The managers of each University area, unit, department or administrative entity must address the following recordkeeping issues inclusive of any and all media on which records and information are stored. Managers have responsibilities to:
Establish and document departmental standards for records classification and file organization to ensure effective retrieval mechanisms for departmental information and records;
Establish and document measures for protecting sensitive or critical departmental information and records from disclosure;
Establish and document procedures that ensure departmental records and information are protected from disaster (See Planning to Assure Business Continuance in the Event of a Disaster);
Develop documentation for department specific systems, such as data bases, spreadsheets or any customized application, to insure continuity of departmental operation;
Comply with the University's Records Retention Program.
NOTE: Departmental compliance with this policy will be monitored through the Records Retention Program.
GUIDELINES FOR COMPLIANCE WITH THIS POLICY
This document will provide guidance and assistance for departmental compliance with the foregoing University Policy as it relates to records in general, but in particular for records and information stored electronically.
The development of departmental file naming and records classification standards is determined by the department within the context of the University functions carried out by the department.
The Office of the University Archives, through its Records Retention Program and Records Management Training, provides records classification and filing assistance to departments.
PROTECTION OF RECORDS AND INFORMATION FROM DESTRUCTION, DISCLOSURE AND MODIFICATION
Once a department has identified those data or records which contain confidential information or information critical to the operation of the department, measures for protection must be determined. Most of the University's standard software products provide methods by which files can be password-protected. Specific instructions can be found in the software manuals. Further advice on software which provides file/record protection is available from User Services consultants.
The University's Responsible Computing Policy advises users of the dangers of sharing their passwords with others, and sets forth guidelines for creating passwords that cannot be guessed or "cracked" by system hackers. These warnings apply to setting passwords on centralized University accounts.
There is, however, another environment in which passwords are used. Most software that is available for desktop computing systems has provisions for password creation. For instance, word processing, database, and spreadsheet software allow you to protect sensitive or confidential information by assigning a password to a document so that others who may have occasion to use your system cannot view the password- protected document. This can become a problem if the person who password-protected a file is out of the office for any reason, and someone in authority needs access to the password-protected information.
For this reason, it is recommended that the person who password-protects a departmental file or system be required to notify the office or department manager of the password used. This insures that the office can continue to function and the information can be retrieved in the event that the person who named the password is unavailable.
Protection of Media
To protect University information and records from accidental erasure, hardware malfunction, or disaster, back-up procedures for information and records stored on departmental computers must be instituted. Departments will determine a regular back-up schedule and assign responsibility for insuring that the back-up schedule is kept.
Stand-Alone Departmental Systems
In developing a regular schedule for the backup of information on stand-alone departmental systems, a frequency of back-up must be determined. This should be based on:
Frequency of back-up
the frequency with which changes are made
the volume of changes made
the importance of the records or information to the function of the department.
For instance, if the database is updated daily and if the office would suffer operationally without the information in the database, then back-ups should be done on a daily basis.
Number of back-ups
The general rule for good back-up procedures dictates that there be three generations of back-up. For instance, data backed up on a daily basis would have back-up versions for three days. On the fourth day, the oldest back-up version would be overwritten by that day's back-up procedure.
Provisions for off-site storage
The need for off-site storage is determined by the department. The department must decide what information or records would be necessary to resume operations in the event of a disaster. It is incumbent upon the department to select a back-up and off-site storage schedule (i.e., daily, weekly, monthly) that protects the department and the University from loss of information necessary to the function of the department.
The Office of the University Archives has developed a procedure for off-site storage in their facility, and they will assist departments who wish to use their facility.
Networked Department Systems
Some departments have a local area network to which their departmental computers are attached. Normally, the network system administrator has responsibility for backing up files stored on the network, and these procedures are determined by departmental management. It is important to note, however, that one should not assume that their files are being backed up just because their computer is attached to the departmental network. Any file that is created and maintained on a computer attached to a network will only be backed up if the person who created the file takes the extra step of copying the file to the network server. The department, in this case, should publish its network back-up schedule and encourage staff to copy important files to the server.
NOTE: Information Technologies' (IT) Network and System Services staff have responsibility for the back up and protection of all files residing on IT's centrally supported computing systems.
Protection of Hardware
In the context of protecting University Records and Information, departments must determine whether their computers are vulnerable to theft. Departments are responsible for instituting measures for the physical security of system hardware, if hardware is determined to be vulnerable (by location, traffic, or previous history). Departments should seek assistance in selecting an appropriate physical security device, which can then be installed by the Lock Shop or by the department.
Documentation of departmental electronic recordkeeping systems must be available to support the uninterrupted functioning of the department in the event that the person who set up the system(s) is no longer available.
It is important to document the following:
the location of software disks and software documentation;
the backup and recovery procedures used by the department;
the file-naming standards and classification schemes used by the department;
a list of data bases and spreadsheets that support departmental functions, including a description of the application and its purpose, listings of spreadsheet cell formulas, listing of database field names, and a definition of any programs that are run in conjunction with departmental applications;
in the case of departmentally developed or modified software, user documentation must be written and the new or modified program code must be printed and on file.
UNIVERSITY RECORDS RETENTION PROGRAM
The Office of the University Archives is charged, among its other functions, with responsibility for the University Records Retention Program. This program is intended to establish general procedures for the permanent preservation of University records of enduring value and for achieving economy and efficiency in the creation, maintenance, use, and disposition of University records. The Records Retention Program is a mechanism whereby the Office of the Archives discharges its responsibility to University departments by overseeing and assisting with:
the identification of permanently valuable records of the University or those functions and activities for which documentation must be preserved;
the specification, through records retention schedules, of records to be preserved as having archival value;
the authorization, on a continuing basis, of disposal for specified recurring series of records;
the audit process, an annual event, to insure that retention schedules are up-to-date and followed;
training sessions and workshops on procedures to be followed for the creation and implementation of records retention schedules within the University.
As the storage and transmission of electronic documents (web forms, HTML files, e-mail, etc.) become the norm, retention schedules in use for paper versions will be carried forward as standards for electronic formats. In general, the modification or setting of retention periods for electronic documents will be determined by the office of record in consultation with the Office of University Archives. Departmental management is responsible for identifying those documents that constitute a record and applying the appropriate retention period to them.
GLOSSARY OF TERMS
The following glossary of terms is intended to clarify the language of this document.
Electronic Recordkeeping: The operation of recordkeeping systems in which a computer or machine interface is required for the user to create, manipulate or delete records. Examples are those records residing on magnetic tapes, disks and drums, video files and optical disks.
Guideline: A recommended method. A guideline is not a policy.
Information: Information is data organized and placed into a meaningful context for a specific purpose.
Procedure: A set of steps supporting a guideline, policy or operational process.
Policy: A University rule.
Records: All books, papers, maps, photographs, machine readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by a department or unit of the University of Delaware or in connection with the transaction of business and preserved or appropriate for preservation by the University of Delaware or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations or other activities of the University or because of the informational value of data in them.
UD Policy 1-10: University Archives and Records Management Program
UD Policy 1-14: Policy for Responsible Computing at the University of Delaware
UD Policy 1-18: Electronic Mail Management and Retention
UD Policy 1-19: Employees' Use of Electronic Mail
Submitted by: University Archives