Records Management - FAQ
Below are frequently asked questions about Records Management.
What defines a record?
Through 6/30/23, NDCC 54-46-02 defines a record as "A document, book, paper, photograph, sound recording or other material, regardless of physical form or characteristics, made or received pursuant to law in connection with the transaction of official business."
A record is anything that:
- Your office created;
- Your office acted on;
- Your office receives it for action;
- Your office is designated as the custodian of (i.e. record-holder);
- Your office needs to document its decisions.
Are emails considered records?
Email is a method of communication that is no different than a paper record.
How long should emails be kept?
NDSU has been advised that the University System will be responsible for a technical solution that will manage compliance with the new email retention requirements without the need for action by each employee. Accordingly, all NDSU employees are being asked to continue to follow their regular retention procedures for all records, including emails. In other words, continue to treat an email in accordance with the record series associated with its content.
Are phone message transcripts considered records?
- Transcripts of phone messages may or may not be records, and you’ll need to make that determination.
- If they are not records, or if they are convenience copies for you, please delete them.
- If you’ve determined that a phone message transcript is a record that you need to manage as the Office of Record Retention, you’ll want to identify its record series, using the instructions at https://kb.ndsu.edu/page.php?id=99046 . Then, move the record out of your phone/email account and into a system in which you can retain it - and then dispose of it - as directed in the Records Retention Schedule; information on storage solutions is available at https://kb.ndsu.edu/page.php?id=102743 .
- Now that we are using the Zoom phone service, deleted recordings will remain available for 30 days in the Trash folder and will be automatically permanently deleted after 270 days.
What is the definition of "Office of Record Retention?"
The "Office of Record Retention" is the organization or administrative unit that is officially designated for the maintenance, preservation and disposition of the official record according to the Records Retention Schedule.
- Note: the Office of Record Retention is not always the office of origin.
What are the records management duties of copyholders?
Copy holders are individuals who are in possession of copies of records but are not the Office of Record Retention. They will dispose of their copies any time prior to the expiration of their retention period, in the method specified in the Records Retention Schedule, and with no need to include them in their annual Records Disposal Reports.
How can I make it easier to distinguish between official records and convenience copies?
As soon as you identify a document as a convenience copy, mark it as such: either write “convenience copy” on it, get a “convenience copy” stamp made and stamp the document, or, if it’s a PDF, add “convenience copy” text to it. That way, as time passes, you won’t need to try to remember if a particular document is the official record or a convenience copy.
When and how is a copyholder supposed to dispose of a convenience copy whose original is to be retained permanently?
The retention period for some record series is “PERM – Permanent,” and, naturally, there is no disposal method specified. In that case, copyholders may dispose of their convenience copies at any time. Regarding the disposal method, they should err on the side of caution and use shredding – the most secure method possible.
Who is responsible for managing records and information?
Everyone is.
How often do I need to review my records for disposal?
Annually:
- Review your records inventory.
- If any new record series have been created, add them to the records schedule in consultation with the NDSU Records Management leadership.
- Properly dispose of records in accordance with the disposal guidelines in the Records Retention Schedules used at NDSU.
Can I keep records longer than the published retention period?
No. Records must be managed in accordance with North Dakota state law.
What resources are available to answer questions?
If you have other questions:
- Contact your unit's records coordinator; or
- Email NDSU.RecordsManagement@ndsu.edu
How are records classified as “Public,” “Private” and “Restricted”?
Data types within a ND University System (NDUS) institution are classified as follows, according to the NDUS Data Classification and Information Security Standard 1901.2.1, https://ndus.edu/makers/procedures/ndus/default.asp?PID=488&SID=62&printable=1 :
- Restricted- This is data that requires the highest level of protection. It is data protected by federal or state laws, regulations, contracts, or policy.
- Private- This is data that should not be available to the public. It is data that may be protected by federal or state laws, regulations, contracts, or policy. This data required protection, but not at the same level as "Restricted" data.
- Public- It is data that can generally be released to the public. It typically required minimal protection.
How do I report disposal of records that I have in both electronic and paper form?
Once a record has been imaged electronically, the electronic version becomes the official record and should be tested for electronic integrity three months after imaging. At that time, the paper version becomes a convenience copy and is to be managed as such.
If a particular email constitutes a record and has been saved as a pdf or txt document, is it still considered an email if we receive an open records request for “email documents”?
Yes, an email record that is saved in another format is still considered an email record.
Why is the NDSU records disposal deadline the end of November, since we have until the end of the calendar year to dispose of records?
We established the Nov. 30 deadline for NDSU because our office needs to compile, tabulate and sum up all the NDSU reports and submit our cumulative report before the end of the calendar year. This takes some time, so we set our deadline a month ahead of the end of the calendar year to ensure that we get the NDSU report to the Bismarck ITD office on time. If after submitting your disposal report you find that you still have records to dispose of between Dec. 1 and Nov. 30, you can go ahead and report the additional disposal data; if we haven’t yet submitted our cumulative report to Bismarck, we will include that additional information to it, otherwise, it will be the start of the next calendar year’s disposal report.
At what time during the calendar year should records disposal be conducted and reported?
NDSU departments may conduct their annual disposal and submit their disposal reports through their Unit Records Coordinators, during the time in the calendar year that works best for them, making sure that the same time frame is followed every year.
Nov. 30 of each year is the deadline for Unit Records Coordinators to record their units’ disposal data. However, if it works best for their departments to do so earlier in the year, that is perfectly fine. A department can designate another month for its annual disposal and reporting, and follow that designation consistently from year to year.
What is the process for transferring records to the NDSU Archives?
Unit Records Coordinators coordinate the transfer of paper and electronic records to Archives as per the requirements in the Records Retention Schedule. Instructions on this process, and the transmittal forms to be filled out, are available at https://library.ndsu.edu/ndsuarchives/collections/university-archives
I’ve received an open records request. What do I do?
The procedure for handling public records request, along with additional information related to identification and management of public/open/confidential records, is described in NDSU Policy 718; this policy is available at https://www.ndsu.edu/fileadmin/policy/718.pdf
Information about open records and personal cell phones, as provided by Enrique Garcia, NDSU’s Chief Information Security Officer:
- Open records requests submitted to an NDSU department or individual must be forwarded to Chris Wilson, Chief of Staff, to address and process.
- NDSU employees must comply with North Dakota law (NDCC 44-04) and produce any relevant record that is responsive to an open records request, regardless of the device or service used.
- It is highly recommended that NDSU employees do not use personal devices for work since there are security concerns, such as how well they are managed, who has access (physical and electronic) to personal devices, and encryption, to name a few.
How do I manage and dispose of my email records?
Guidance and recommendations on management and disposal of e-mail records is provided at E-Records Management. Questions may be directed to NDSU.RecordsManagement@ndsu.edu.
How should we safeguard personally identifiable information, health information and financial information?
NDSU recommends that personally identifiable information (PII), health information and financial information must NEVER be:
- stored in an unprotected area and/or on an unprotected electronic device
- shared without proper protection
- shared with anyone without a legitimate need to know
- sent or received in an email required for online forms
How do I manage the paper document of grades that have been assigned, after the grades have been electronically recorded?
Students have the right to dispute grades they’ve received, so we need to keep all documentation pertaining to grades awarded until a dispute can no longer be filed.
According to NDSU policy 337, Grade Appeals Board, found at https://www.ndsu.edu/fileadmin/policy/337.pdf, a student who disputes an assigned grade must initiate a request for a change of grade “15 instructional days of the first day of the semester immediately following the semester in which the grade was awarded.”
Therefore, please hold on to the paper copies of assigned grades until at least 15 instructional days have passed in the following semester. After that time, the paper copies of the grades can be disposed of, as the electronic version will serve as the official record.
How do records management requirements impact Skype conversations?
Skype conversations may be documented in O365 email. If so, then the content of a particular conversation would determine whether or not it is a record, in which case it will need to be managed according to the Records Retention Schedules used at NDSU.
How do we manage Student Course Response Questionnaires (formerly SROI) raw data and summary reports?
Following are information and resources that will assist you in the management of both paper and electronic Student Course Response Questionnaires data and reports.
Notably, once a summary report is delivered to an academic department, raw data is no longer considered a record and may be disposed. The summary report will be the record to be managed according to the records retention schedules used at NDSU.
Upon receipt of the summary reports of Student Course Response Questionnaires data, academic departments will become the Office of Record Retention. Management of these records is as follows:
A. The record series for these records is from the NDUS-general records retention schedule.B. The control number is 020207, and the record series title is “Student Evaluations of Course and Instructor.”C. The description of this record series has recently been changed to read: “This record series contains a summary report of the evaluations done on advisors, instructors, and courses, including all numerical and narrative responses from individual evaluations. Following the delivery of the summary report, the raw data has no retention value and can be destroyed in accordance with the individual institution's procedure. Departmental office may maintain a copy of the instructor evaluation summaries in the faculty personnel file." ***The description previously read, “This record series contains a summary report of the evaluations done on advisors, instructors, and courses. Department office may maintain a copy of the instructor evaluation summaries in the faculty personnel file.”D. The retention period is 10 years after the current fiscal year.E. Academic departments may keep these records or, prior to the end of the retention period, have them added to the corresponding faculty personnel files.
Please note that the description of record series #600606, “Faculty Personnel Files,” from the NDUS-general records retention schedule, has recently been changed:
i. This record series now reads: “This record series contains information that documents the faculty member's work history. It includes information such as job title, rank and education, employment background, grant work, training, and certifications. This may include copies of a request to recruit, request to appoint, initial vitae, letter of intent, letters of reference, academic records, supplements, tenure forms, yearly contracts, listing of grant work, and students' evaluations of course and instructor summary sheets. This includes both academic and clinical faculty. Note: personnel information may exist in different locations (i.e., department, provost office, etc.).” ***The description previously read, “This record series contains information that documents the faculty member's work history. It includes information such as job title, rank and education, employment background, grant work, training, and certifications. This may include copies of a request to recruit, request to appoint, initial vitae, letter of intent, letters of reference, academic records, supplements, tenure forms, yearly contracts, listing of grant work, and students' evaluations of course and instructor summary sheets. This includes both academic and clinical faculty. Note: The official personnel file may consist of different information than the department. This includes appointments and contracts, summer session faculty files, and Extension Program Instructor Files.”ii. The retention period is six years after termination.
How do we manage notes of informal staff meetings?
Notes and agendas of informal staff meetings, such as check-ins, updates, discussions of workloads, etc., where no voting or departmental decisions are made, are not considered official minutes or agendas. Rather, they are informal notes - not records - and may be shredded when they are no longer needed.
What is the difference between “Information Governance” and “Records Management”?
Information governance is a consistent, logical framework comprised of policies, standards, procedures, roles and processes required to meet legal, regulatory, risk and business needs for the University. It provides guidance for how the institution and its employees handle information created, shared and received by the institution. It includes records management, information security, data governance/classification, electronic discovery, risk management, privacy, storage, archiving and disposal of information.
Records management, one of the components of information governance, involves a set of policies, procedures and processes that require the logical, systematic control of the creation, distribution, use, maintenance/retention and disposition or archival of recorded information, regardless of format, which detail the activities of the institution. Records management’s primary concern is the management of the University’s records as well as the reduction or mitigation of risk associated with them.
What is an inactive record series?
An inactive record series is one that is no longer in use. This could be because a new record series replaced it, or because the types of records in it are no longer being created. If you have records that you feel belong in a particular record series and you see that that record series is inactive, you'll need to find an active record series that fits. If you can't find such a record series, please contact the Records Management leadership.
How are Docusign documents to be managed?
As soon as a Docusign document has been fully signed, the Office of Record Retention for it should move it off email to another location, so it can be managed as directed by the Records Retention Schedules used at NDSU.
Docusign documents will be automatically deleted after two years. When DocuSign purges documents, it emails the recipients and lets them know which documents are about to be deleted. If they so desire, users can disable these notifications by logging into DocuSign and adjusting their notification preferences.
How do we deal with records that had been managed by an employee who transferred to a different department at NDSU or left NDSU altogether?
- NDSU records are the property of NDSU. The records under the custody of a particular unit remain with that unit even after the employee who managed them leaves the unit (or the university) for whatever reason, and a new custodian of such records is to be designated by the unit supervisor.
- If the unit is moved to a different department, division or college within the university, its records go with it.
- If a unit is discontinued, the last custodian of its records needs to transfer them to the unit or employee who is assigned responsibility for each specific project for which records exist. This may at times be a bit perplexing, so please don’t hesitate to contact NDSU’s records management leadership for guidance.
How do I work with institutional records while working remotely?
Following is information and guidance on working with institutional records as a remotely working employee, kindly provided by Enrique Garcia, NDSU Chief Information Security Officer, on Aug. 28, 2020.
Records are constantly being created by employees while using a computing device. Employees have a duty to protect those records from threats. Some examples are:
- Disclosure. Access to an institutional record by an individual who is not authorized to see that record
- Cryptolocking. Data on a computer are encrypted by malware. and ransom is demanded in order to decrypt the information. Legal counsel’s current opinion is that NDSU cannot pay ransom.
- Exfiltration. Data on a computer is sent to a repository on the internet. Ransom is demanded in order to not make the information public.
- Alteration and destruction. Data is modified or deleted knowingly or unknowingly by an unauthorized individual.
Recommendations:
- NDSU owned devices such as computers, cellphones and tablets
- Limit browsing to sites needed for work related activities. Using a work device for everyday browsing exposes the device to sites that can contain malware and infect the computer.
- Only the employee should use the device. Other individuals could access records that are protected by privacy laws such as FERPA. Additionally, institutional records could be altered or deleted. Finally, non-employees are more likely to browse to sites not related to work and therefore exposing the device to malware.
- Personally-owned devices
- The use of personally owned computers is discouraged for the following reasons:
- Security of the device is not managed by NDSU IT so the level of security varies widely
- Personally -owned devices can be used by many individuals which cannot ensure the confidentiality of institutional records
- Browsing on personally owned devices is not limited to safe sites which exposes the computer to a higher probability of malware infection
- Not all personally owned computers have disk encryption approved by NDSU IT. If the device is lost, there is a potential for disclosure of institutional records
- The use of personally owned computers is discouraged for the following reasons: