2.43 Record Retention and Disposition Policy
Policy Statement
This policy provides for the systematic review, retention, and disposition of documents and records received, created, or maintained by Ithaca College in connection with College business. This policy is designed for: effective record retention to preserve the College’s archival records; to enhance compliance with federal and state laws and regulations; to ensure compliance with the Payment Card Industry Data Security Standards (PCI DSS); to eliminate accidental or innocent destruction of records; and to facilitate the College’s operations by promoting efficiency and maximizing the availability of valuable storage space.
Applicability
This policy applies to all records and documents, including both original documents and reproductions generated in the course of the College’s operations. It applies to records stored electronically and on microform as well as paper records. Duplicate or multiple copies of records retained in locations other than official repositories must be disposed of in compliance with the College Record Retention Schedule.
Definitions
"Archival records” – An original record that is inactive, not required to be retained in the office in which it originated or was received, and has permanent or historic value.
“Documents” or “Records” – when used in this policy, includes any original documents or reproductions created, received, or maintained by College departments, divisions, offices, and employees of the College in connection with College business, regardless of physical form (hard copy or electronic form, including email).
“Confidential Information” – when used in this policy includes any personally-identifiable records, including, but not limited to: student, employee, financial, health, alumni, and donor records; strategic planning documents, contracts, research data, and College financial/proprietary data and information.
“Financial Records” – any records containing social security number, financial account information, tax returns, asset statements, bank or credit card account numbers, income and/or credit information, payment card transactional information especially cardholder data (CHD), or any other records containing “personally-identifiable financial information” regarding students, parents, employees, alumni, potential donors, and other third parties. Financial Records also include the documentation for all College business transactions, its system of accounting and records of official financial statements.
“Official Repository” – the unit originating a record or receiving an original record from an external party is designated as having responsibility for retention and timely destruction of original records and documents as indicated on the College Record Retention Schedule. Such responsibility is assigned to the administrative director/academic dean or his/her designee.
Policy
A. Document Retention
The College will retain documents in accordance with the College Record Retention Schedule developed by the Office of General Counsel. Documents not listed in the schedule that are substantially similar to those listed in the schedule, or that pertain to a particular transaction or matter documented by a record listed in the schedule, shall be retained for the length of time required for the substantially similar/related document.
B. Electronic Documents and Records
Electronic documents will be retained as if they were paper documents. Therefore, any electronic files that fall into one of the document types on the schedule, or that represent a substantially similar/related document as discussed in paragraph A above, will be maintained for the scheduled length of time. E-mail messages and/or other electronic files that need to be retained under this policy should be stored in their native file formats .
C. Payment Card Data
Any record, paper or electronic, containing cardholder data (CHD) must have the CHD portion immediately destroyed after the data has been used to authorize the payment. Destruction must be by cross-cut shredding (or by any other method approved by the PCI Security Standards Council) and only the CHD is required to be destroyed. Upon removal of the CHD from the record, the remainder of the document must be retained in accordance with the College Record Retention Schedule.
D. Disaster Planning and Preparedness
Ithaca College records will be stored in a safe, secure, and accessible manner. Documents and financial files that are essential to keeping the College operating in an emergency are to be duplicated and backed-up on a regular schedule.
E. Document Disposition
Divisions and Departments identified as an “official repository” are responsible for the safe and secure maintenance, storage, and disposition of their own original records and documents, with oversight by the relevant Vice-President and Dean. The Office of General Counsel will serve as a resource for the ongoing process of identifying records that meet the required retention period. The following hardcopy records will be destroyed by cross-cut shredding: 1. College financial records; 2) individually-identifiable financial, medical, student, or personnel-related records; and 3) any other documents or records containing confidential information, as defined above, and/or non-public information about the College. If in doubt as to the proper method to destroy a document, shred it. All documents, whether original or reproductions, must be disposed of in accordance with the College Record Retention Schedule. Retention of documents beyond the time period indicated in the College Record Retention Schedule is strictly prohibited unless there is a litigation hold as defined below or the record is an archival record.
F. Litigation Hold
Document disposition will be suspended immediately and all potentially relevant records and documents, whether listed on the Retention Schedule or not, must be preserved and maintained when a lawsuit is filed or is reasonably anticipated. Documents that are subject to a “litigation hold” as determined by the Office of General Counsel shall be preserved and retained until such time as the Office of General Counsel specifically authorizes the documents to be disposed.
G. Duties of Administrative Manager/Dean or designee
The Administrative Manager/Dean or his/her designee for a College department or division will be responsible for the following: serving as the “official repository” for original records, implementing the department or division’s record management practices for both original and reproduced documents, ensuring that the record management practices are consistent with this policy, preserving inactive records of historic value and transferring those records to the College archives, and destroying inactive records that have no archival value upon passage of the applicable retention period.
All questions about these responsibilities will be directed to the Office of the General Counsel, who will work closely with the department or division to ensure understanding of this policy and implementation of these responsibilities.
H. Compliance
Failure on the part of employees to follow this policy can result in possible civil and criminal sanctions against the College and its employees. Failure on the part of employees to follow this policy may result in disciplinary action.
I. Review and Amendment
The Office of General Counsel will periodically review this policy to see that it complies with new or revised laws, regulations and institutional policies, and will bring necessary amendments to the President for approval.
Approved and Added: October 14, 2011