Record Management Policy
Policy Number: OGC-06
Effective Date: March 2004
Revisions: January 1, 2011
Responsible Officer: General Counsel
The purpose of the Record Management Policy is to (1) establish an efficient University-wide record management system for maintaining, identifying, retrieving, preserving and destroying records, (2) ensure that records are adequately protected, (3) preserve University history, (4) ensure that records that are no longer needed or of no value are destroyed at the appropriate time, and (5) comply with all applicable local, state, and federal laws and regulations.
This Policy applies to all records, including all University Information and University Resources, regardless of format, whether in paper, electronic, microform (e.g., microfilm, microfiche, magnetic tapes, and CD-ROM), or other medium.
III. Applicable Members
All employees and/or non-employee representatives who conduct business for or on behalf of the University (“Members”).
See “University Record” below.
See “University Record” below.
Custodian of Record
The designated Department, as identified in the Record Retention Schedule, responsible for retaining and timely destroying University Records in compliance with this Policy.
Any and all academic, clinical and administrative offices of the University.
See “University Record” below.
Litigation Hold Notice
See the Litigation Discovery Policy.
Record Management Administrator
The Department representative responsible for maintaining day-to-day record management practices and procedures.
Record Retention Period
The length of time for which the Custodian of Record is responsible for retaining a specified University Record in accordance with the Record Retention Schedule.
Record Retention Schedule
The table listing the required Record Retention Period and the designated Custodian of Record for each identified University Record.
Philadelphia Health & Education Corporation d/b/a Drexel University College of Medicine.
See Use of University Information and University Resources Policy .
Any recorded information that is created or received by a University Member or Department in the ordinary course of University business. All University Records regardless of their format (e.g. hardcopy or electronic) are subject to this Policy. The following terms are used to describe the retention status of a University Record:
A University Record that is currently being used in the ordinary course of University business.
A University Record that is no longer being used in the ordinary course of University business that must be retained until the end of its Record Retention Period and is not required to be preserved in accordance with a Litigation Hold Notice.
A University Record
- that is no longer being used in the ordinary course of University business;
- is not listed under the Record Retention Schedule or whose Record Retention Period has ended;
- that is not subject to a Litigation Hold Notice; and
- that is not an Historical Record.
A University Record that is no longer being used in the ordinary course of University business that is permanently retained for its historical value.
See Use of University Information and University Resources Policy.
A. University Records and Record Retention Schedule.
Active, Inactive, and Historical Records must be maintained in accordance with the Record Retention Schedule and this Policy. Expired Records must be destroyed in accordance with this Policy.
The Record Retention Schedule designates the Custodian of Record for each identified University Record.
If a record is not found under the Record Retention Schedule, it must be destroyed once it is no longer needed in the ordinary course of University business. However, if a Member believes a record not listed on the Record Retention schedule should be retained or a Member believes that a University Record should be retained beyond the time period specified on the Record Retention Schedule, the Member should not destroy such record without prior approval of the University’s Office of the General Counsel (“OGC”).
The Record Retention Schedule identifies certain Historical Records. However, some Historical Records could not be listed in the Record Retention Schedule given the nature of its content and the events associated with the Historical Record (e.g. a letter or e-mail written memorializing an important event). Retaining these types of Historical Records is a responsibility shared by all University Members. If a Member believes an Expired Record should be retained for its historical value and should be permanently retained as a Historical Record, it should consult University Archives.
If a record fits within two categories, each having a different retention period, the longer period governs. In order to facilitate compliance with this Policy, all Record Retention Periods expiring during a calendar year may be extended to the last day of such calendar year. Thus, all University Records expiring during a calendar year should be destroyed on the last day of that calendar year.
B. Non-University Records and Copies of University Records.
All Non-University Records (i.e. any communications not listed in the Record Retention Schedule, informal communications) should be immediately destroyed after use.
C. Copies of University Records.
Departments and Members that are not the designated Custodian of Record for an identified University Record are expected to only retain copies and drafts of such University Record to the extent necessary to conduct University business. Such University Departments and/or Members must destroy such copies/drafts once they are no longer needed to conduct University business unless subject to a Litigation Hold Notice.
The designated Custodian of Record for an identified University Record should only retain originals of Inactive Records and destroy all copies and drafts.
D. Litigation Holds Notices
All University Records are subject to the Litigation Discovery Policy. If there is any reason to believe that a claim may be asserted against the University for which any University Records may be relevant, such records must not be destroyed without the prior approval of the OGC.
E. Security - Confidential Information
Many University Records contain confidential information which is protected by University policies and procedures, as well as, state and federal laws and regulations including but not limited to the Family Educational Rights and Privacy Act (“FERPA”), the Health Insurance Portability and Accountability Act (“HIPAA”), the Gramm-Leach-Bliley Act, and the Fair and Accurate Credit Transactions Act of 2003. This Policy shall be implemented in a manner consistent with all such policies, procedures, laws and regulations, as those may be amended from time to time.
F. Record Management Responsibilities
Record management is the responsibility of all Members of the University.
1. University Department Head
The head of each University Department is responsible for:
- Developing and maintaining practices and procedures that meet the specific requirements under this Section V and Section VI below;
- Ensuring Members of the Department comply with this Policy;
- Reporting any potential or actual non-compliance with this Policy to the OGC;
- Designating one or more Record Management Administrators (depending on organizational structure). Where a Department is small or has minimum record management obligations, the head of the Department may consider serving as the Record Management Administrator; where a Department is large or has complex record management obligations, the Department Head should consider designating more than one Record Management Administrator; and
- Designating an Alternate Record Management Administrator in the event the current Record Management Administrator departs from the University or is unavailable.
Where a Department serves as Custodian of Record with regard to a University Record, the Department is responsible for maintaining their designated University Record in compliance with the Record Retention Schedule. 2. Responsibilities of Record Management Administrator.
The Record Management Administrator must implement the Department’s established record management practices and procedures on a day-to-day basis. Specifically, the Record Management Administrator is responsible for:
- Coordinating retention, preservation, and destruction of University Records in accordance with this Policy and the Department’s record management practices and procedures; and
- Coordinating the Department’s efforts to comply and respond to any issued Litigation Hold Notice, internal or external investigations, court orders, or other requests for records in a timely fashion;
3. Responsibilities of University Members.
All University Members are responsible for the University Records in their possession. University Members are responsible for reviewing the content of the records they use in conducting University business and complying with this Policy.
The Department of Information Technology is not responsible for determining whether or not an electronic record must be retained or destroyed in accordance with this Policy.
Every University Member is responsible for complying with this Policy as well as the record management practices and procedures established by their Department. Failure to comply with this Policy may result in disciplinary action (up to and including termination) and/or legal action. If a Member believes another University Member is violating this Policy (e.g. destroying University Records required to be retained), such University Member should immediately contact the OGC or report such incidents through the Whistleblower’s Hotline.
Requirements for Department Record Management Practices and Procedures
A Department’s practices and procedures must cover all aspects of record management including maintaining, identifying, retrieving, preserving and destroying University Records. Such practices must take into account business needs as well as legal and security requirements. In addition, such practices should allow for efficient access and retrieval of University Records.
A. Indexing System: Management of Active, Inactive and Archival Records
Departments shall implement and maintain a Department-wide centralized and/or uniform indexing system with which all Members of the Department must comply. The indexing system should be based on the nature of the Department’s business need. This will ensure efficient and streamlined accessibility, retrieval, and destruction. Thus, the same indexing system used for maintaining Active Records in the ordinary course of business should be followed for the centralized storage of Inactive Records.
B. Protection and Security of Confidential Information
Departments must implement practices that protect confidential information contained in University Records in accordance with relevant laws and University policies. Such protections must be applied in maintaining Active Records, the storage of Inactive and Archival Records, and the destruction of Expired Records. Thus, the level of security that applies to an Active Record must be maintained when such a record becomes an Inactive or Archival Record. See Section F below for further requirements for destroying such records.
C. Responding to Records Requests
Departments must implement practices that allow for efficient compliance and response to any Litigation Hold Notice, internal or external investigation, court order, or other requests for University Records in a timely fashion.
D. Physical Storage Facilities Practices
A Department’s storage facility practices must ensure the preservation of all University Records in their original condition while also ensuring efficient retrieval of such records. Departments should secure any physical on-campus storage facility to avoid unauthorized access. In addition, such facility and set up should protect such records from possible physical damage such as:
- Pest infestation
- Fire, smoke, or sprinkler damage
- Water damage (e.g., humidity, leaky pipes)
- Damage from magnets (e.g., digital data on magnetic storage media)
For off-site storage, Departments may only use a University designated storage facility. For more information, contact University Procurement.
E. Retention Practices.
University Records must be retained by the Custodian of Record in the following manner:
- Hardcopies must be retained in hardcopy form unless it is converted to electronic format in a University centrally managed system (e.g. Banner, AllScripts, etc.).
- Electronic records, such as e-mails, pdfs, and other electronic documents that are not retained in a University centrally managed system (e.g. Banner, AllScripts, etc.) should be printed in hard copy form in a manner that preserves their original content and form.
- Electronic records stored within a University centrally managed system (e.g. Banner, Electronic Medical Records, etc.) must comply with the requirements under Section VI.B and C above and other applicable University policies. The Custodian of Record is responsible for contacting and consulting with the Department of Information Technology to ensure such compliance.
F. Destruction of Expired Records
If the Custodian of Record believes that an Expired Record has historical value and should be permanently retained as a Historical Record, the University Archives Department should be consulted. Otherwise, all other Expired Records must be destroyed by the Custodian of Record in the following manner:
Expired Records in hardcopy form that do not contain confidential information should be recycled. Expired Records in hardcopy form that do contain confidential information should be shredded in a manner that renders them unreadable and that would prevent them from being reconstructed. Security should be maintained until proper destruction is actually performed.
E-mails and other electronic documents (e.g., Word Documents, Excel, and Pdfs) should be deleted.
The Custodian of Record is responsible for contacting and consulting with the Department of Information Technology to ensure that Expired Records contained in a University centrally managed system (e.g. Banner, AllScripts, etc.) are properly destroyed.
Devices or other media that store electronic records (e.g., jump drives, CDs, etc.) should be destroyed in a manner consistent with media sanitization methods which include disintegration, incineration, pulverization or melting. The type of sanitization required will depend on the type of device as well as the nature of the information contained in the device. Such destruction methods require trained professionals and should be conducted by authorized personnel. The Department of Information Technology and the University’s designated off-site storage facility currently provide such services. Consult the Department of Information Technology or the University’s designated off-site storage facility to arrange for such destruction.