Records Management - FAQ
What defines a record?
- Your office created;
- Your office acted on;
- Your office receives it for action;
- Your office is designated as the custodian of (i.e. record-holder);
- Your office needs to document its decisions.
Are emails considered records?
How long should emails be kept?
Are phone message transcripts considered records?
- Transcripts of phone messages may or may not be records, and you’ll need to make that determination.
- If they are not records, or if they are convenience copies for you, please delete them.
- If you’ve determined that a phone message transcript is a record that you need to manage as the Office of Record Retention, you’ll want to identify its record series, using the instructions at https://kb.ndsu.edu/page.php?id=99046 . Then, move the record out of your phone/email account and into a system in which you can retain it - and then dispose of it - as directed in the Records Retention Schedule; information on storage solutions is available at https://kb.ndsu.edu/page.php?id=102743 .
- Now that we are using the Zoom phone service, deleted recordings will remain available for 30 days in the Trash folder and will be automatically permanently deleted after 270 days.
What is the definition of "Office of Record Retention?"
- Note: the Office of Record Retention is not always the office of origin.
What are the records management duties of copyholders?
How can I make it easier to distinguish between official records and convenience copies?
When and how is a copyholder supposed to dispose of a convenience copy whose original is to be retained permanently?
Who is responsible for managing records and information?
How often do I need to review my records for disposal?
- Review your records inventory.
- If any new record series have been created, add them to the records schedule in consultation with the NDSU Records Management leadership.
- Properly dispose of records in accordance with the disposal guidelines in the Records Retention Schedules used at NDSU.
Can I keep records longer than the published retention period?
What resources are available to answer questions?
- Contact your unit's records coordinator; or
- Email NDSU.RecordsManagement@ndsu.edu
How are records classified as “Public,” “Private” and “Restricted”?
- Restricted- This is data that requires the highest level of protection. It is data protected by federal or state laws, regulations, contracts, or policy.
- Private- This is data that should not be available to the public. It is data that may be protected by federal or state laws, regulations, contracts, or policy. This data required protection, but not at the same level as "Restricted" data.
- Public- It is data that can generally be released to the public. It typically required minimal protection.
How do I report disposal of records that I have in both electronic and paper form?
If a particular email constitutes a record and has been saved as a pdf or txt document, is it still considered an email if we receive an open records request for “email documents”?
Why is the NDSU records disposal deadline the end of November, since we have until the end of the calendar year to dispose of records?
At what time during the calendar year should records disposal be conducted and reported?
What is the process for transferring records to the NDSU Archives?
I’ve received an open records request. What do I do?
Information about open records and personal cell phones, as provided by Enrique Garcia, NDSU’s Chief Information Security Officer:
- Open records requests submitted to an NDSU department or individual must be forwarded to Chris Wilson, Chief of Staff, to address and process.
- NDSU employees must comply with North Dakota law (NDCC 44-04) and produce any relevant record that is responsive to an open records request, regardless of the device or service used.
- It is highly recommended that NDSU employees do not use personal devices for work since there are security concerns, such as how well they are managed, who has access (physical and electronic) to personal devices, and encryption, to name a few.
How do I manage and dispose of my email records?
How should we safeguard personally identifiable information, health information and financial information?
- stored in an unprotected area and/or on an unprotected electronic device
- shared without proper protection
- shared with anyone without a legitimate need to know
- sent or received in an email required for online forms
How do I manage the paper document of grades that have been assigned, after the grades have been electronically recorded?
How do records management requirements impact Skype conversations?
How do we manage Authorizations for Out-of-state Travel?
- It is strongly encouraged that travel authorizations be provided with T&E [Travel & Expense] reports. It is much easier for audit purposes to have all documentation attached.
- Also, when the travel authorization is attached to the T&E report, it will become the official record and responsibility of Accounting to manage this record, rather than the department.
- Departments would then only be responsible for keeping the original travel authorization for the current fiscal year plus one additional fiscal year, at which point, that document becomes a convenience copy.
- Individual colleges or departments may require the inclusion of travel authorizations with the T&E reports.
How do we manage Student Course Response Questionnaires (formerly SROI) raw data and summary reports?
Following are information and resources that will assist you in the management of both paper and electronic Student Course Response Questionnaires data and reports.
Notably, once a summary report is delivered to an academic department, raw data is no longer considered a record and may be disposed. The summary report will be the record to be managed according to the records retention schedules used at NDSU.
A. The record series for these records is from the NDUS-general records retention schedule.B. The control number is 020207, and the record series title is “Student Evaluations of Course and Instructor.”C. The description of this record series has recently been changed to read: “This record series contains a summary report of the evaluations done on advisors, instructors, and courses, including all numerical and narrative responses from individual evaluations. Following the delivery of the summary report, the raw data has no retention value and can be destroyed in accordance with the individual institution's procedure. Departmental office may maintain a copy of the instructor evaluation summaries in the faculty personnel file." ***The description previously read, “This record series contains a summary report of the evaluations done on advisors, instructors, and courses. Department office may maintain a copy of the instructor evaluation summaries in the faculty personnel file.”D. The retention period is 10 years after the current fiscal year.E. Academic departments may keep these records or, prior to the end of the retention period, have them added to the corresponding faculty personnel files.
Please note that the description of record series #600606, “Faculty Personnel Files,” from the NDUS-general records retention schedule, has recently been changed:
i. This record series now reads: “This record series contains information that documents the faculty member's work history. It includes information such as job title, rank and education, employment background, grant work, training, and certifications. This may include copies of a request to recruit, request to appoint, initial vitae, letter of intent, letters of reference, academic records, supplements, tenure forms, yearly contracts, listing of grant work, and students' evaluations of course and instructor summary sheets. This includes both academic and clinical faculty. Note: personnel information may exist in different locations (i.e., department, provost office, etc.).” ***The description previously read, “This record series contains information that documents the faculty member's work history. It includes information such as job title, rank and education, employment background, grant work, training, and certifications. This may include copies of a request to recruit, request to appoint, initial vitae, letter of intent, letters of reference, academic records, supplements, tenure forms, yearly contracts, listing of grant work, and students' evaluations of course and instructor summary sheets. This includes both academic and clinical faculty. Note: The official personnel file may consist of different information than the department. This includes appointments and contracts, summer session faculty files, and Extension Program Instructor Files.”ii. The retention period is six years after termination.
How do we manage notes of informal staff meetings?
What is the difference between “Information Governance” and “Records Management”?
What is an inactive record series?
How are Docusign documents to be managed?
How do we deal with records that had been managed by an employee who transferred to a different department at NDSU or left NDSU altogether?
- NDSU records are the property of NDSU. The records under the custody of a particular unit remain with that unit even after the employee who managed them leaves the unit (or the university) for whatever reason, and a new custodian of such records is to be designated by the unit supervisor.
- If the unit is moved to a different department, division or college within the university, its records go with it.
- If a unit is discontinued, the last custodian of its records needs to transfer them to the unit or employee who is assigned responsibility for each specific project for which records exist. This may at times be a bit perplexing, so please don’t hesitate to contact NDSU’s records management leadership for guidance.
How do I work with institutional records while working remotely?
Following is information and guidance on working with institutional records as a remotely working employee, kindly provided by Enrique Garcia, NDSU Chief Information Security Officer, on Aug. 28, 2020.
Records are constantly being created by employees while using a computing device. Employees have a duty to protect those records from threats. Some examples are:
- Disclosure. Access to an institutional record by an individual who is not authorized to see that record
- Cryptolocking. Data on a computer are encrypted by malware. and ransom is demanded in order to decrypt the information. Legal counsel’s current opinion is that NDSU cannot pay ransom.
- Exfiltration. Data on a computer is sent to a repository on the internet. Ransom is demanded in order to not make the information public.
- Alteration and destruction. Data is modified or deleted knowingly or unknowingly by an unauthorized individual.
Recommendations:
- NDSU owned devices such as computers, cellphones and tablets
- Limit browsing to sites needed for work related activities. Using a work device for everyday browsing exposes the device to sites that can contain malware and infect the computer.
- Only the employee should use the device. Other individuals could access records that are protected by privacy laws such as FERPA. Additionally, institutional records could be altered or deleted. Finally, non-employees are more likely to browse to sites not related to work and therefore exposing the device to malware.
- Personally-owned devices
- The use of personally owned computers is discouraged for the following reasons:
- Security of the device is not managed by NDSU IT so the level of security varies widely
- Personally -owned devices can be used by many individuals which cannot ensure the confidentiality of institutional records
- Browsing on personally owned devices is not limited to safe sites which exposes the computer to a higher probability of malware infection
- Not all personally owned computers have disk encryption approved by NDSU IT. If the device is lost, there is a potential for disclosure of institutional records
- The use of personally owned computers is discouraged for the following reasons: