Utah Valley University
Policies and Procedures

Title: Retention of Electronic Files
Number: 451
Section: Facilities, Operations, and Information Technology
Subsection: Information Technology
Approval Date: Oct 09, 2008
Effective Date: Oct 09, 2008

I. Purpose
  1. The purpose of this policy is to establish rules and procedures for the retention of electronic documents, messages and files in accordance with state and federal law and the established practices of the university.

II. References
  1. Board of Regent Policy R132 GRAMA Guidelines

  2. Computer Matching and Privacy Protection Act of 1988, P.L. 100-503

  3. The Privacy Act of 1974, 5 U.S.C. § 552a (2000)

  4. The Freedom of Information Act, 5 U.S.C. § 552, As Amended By, Public Law No. 104-231, 110 Stat. 3048

  5. Utah State Code, Title 63G, Chapter 2, Government Records Access and Management Act (GRAMA)

  6. UVU Policy 133 Compliance with Government Records Access and Management Act (GRAMA)

  7. UVU Policy 443 Ethics in Computer Usage

  8. UVU Policy 449 Private Sensitive Information

III. Terms
  1. “Shredding” of electronic documents/data: A process or device that physically demolishes the platters of a hard disk to ensure that the contents can never be recovered. Hard drive shredding services may be offered by service companies that shred paper and microfilm. These procedures require that the data are “shredded” (meaning over-written with meaningless data) or the device/IT resource storing the data is physically destroyed.

IV. Policy
  1. The individual creator, sender, and/or receiver of electronic messages, documents, and files must determine which information should be retained or archived. Records should be retained in accordance with the institution's financial and administrative policies on records retention and disposition (i.e., UVU Policy #133 Compliance with Government Records Access and Management Act), Utah State code and federal law.

    1. Records that are retained by an individual, even if they are retained on an electronic medium, are subject to the Freedom of Information Act and the Privacy Act.
    2. Current electronic technology available to individuals is not considered acceptable for archival storage, except for specifically approved systems.
    3. Documents judged to be archival should be stored on an appropriate medium.
    4. All electronic data stored on university leased or owned equipment is subject to this policy.

  2. Electronic mail and voice communications are vehicles for delivery of information and not mechanisms for the retention or archiving of such information.

  3. When equipment is retired from service, or is transferred to another individual, disposal or “shredding” of electronic documents or data on that equipment is required.

V. Procedures
  1. List of Approved Electronic Systems for Archival Storage

    1. Only approved systems shall be used for archival storage.  Approved systems include the Banner Administrative Systems and the BMI Imaging System.  To qualify, systems must have an archival backup system and schedule and must be approved by the Enterprise Application Committee (EAC).  A complete list of approved systems will be maintained by the Office of Information Technology.
  2. Retention Practices of E-mail

    1. Electronic mail (“E-mail”) is a method of communicating information and does not necessarily constitute a public record in and of itself. However, the information transmitted through the use of E-mail may become a public record if it meets the definition of a “record” pursuant to Utah Code 63-2-103. If information transmitted by E-mail meets the definition of a “record,” then it may not be deleted or otherwise disposed of except in accordance with a records retention schedule approved by the State Division of Archives or approved by UVU’s record retention policy. The content of the E-mail message determines the retention requirement.
    2. The legal “custodian” of an E-mail message will normally be the originator if that person is a university employee; otherwise, it will be the individual to whom the message is addressed once the message is received. The legal custodian is the person responsible for ensuring compliance with Utah’s Government Records Access and Management Act (“GRAMA”). See Utah Code 63-2-101, et seq. Although most state entities also periodically back up information residing on system hard drives, this is not done for archival purposes or in order to meet the requirements of GRAMA, but as a safety measure in case of system failure or unlawful tampering (“hacking”). The system administrator is not the legal custodian of messages which may be included in such backup files. UVU E-mail servers are provided only to facilitate the delivery of E-mail. UVU E-mail servers are NOT provided for archival purposes; therefore, Information Technology Services cannot guarantee that E-mail delivered to recipients actually originated from the person or persons indicated on the E-mail message.
    3. While all E-mail messages need to be assessed in accordance with GRAMA, E-mail messages generally fall into two categories.

      1. First, some E-mail is of limited or transitory value. For example, a message seeking dates for a proposed meeting has little or no value after the meeting date has been set. Retention of such messages in the computer system serves no purpose and takes up space. Such messages may be deleted as soon as they no longer serve an administrative purpose.
      2. Second, E-mail is sometimes used to transmit records having lasting value. For example, E-mail about interpretations of an institution’s policies or regulations may be the only record of that subject matter. Such records should not be maintained in E-mail format, but should be transferred to another medium and appropriately filed, thus permitting E-mail records to be purged at regular intervals.

    4. While the methods for reviewing, storing or deleting E-mail vary, compliance with the retention requirements of GRAMA may be accomplished by doing one of the following:

      1. Print the E-mail and store the hard copy in the relevant subject matter file as would be done with any other hard copy communication. Printing the E-mail permits maintenance of all the information on a particular subject matter in one central location, enhancing its historical and archival value.
      2. Electronically store the E-mail in a file, a disk, or approved UVU server, so that it may be maintained and stored according to its content definition under the pertinent records retention policy.

    5. In the event of any litigation, all pertinent email is subject to discovery and a hold shall be placed on all such email, such that no pertinent email should be deleted or destroyed.

  3. Retention Practices of Voicemail

    1. Phone voicemail communications may be deleted by individuals or by automated rules established by the telephone switch administrator based on the following practices:

      1. Individuals may delete voicemail from their voice mailbox at any time.
      2. Voicemail may be saved by individual users in their voice mailbox for 30 days. Messages may be saved by individuals for additional 30-day periods of time.

  4. Retention Practices of Electronic Files on Local Computer Hard Drives and Mediums

    1. Retention of electronic files on local computer hard drives and mediums is the responsibility of individual users and should be done within the rules of state and federal law and university policies and procedures, including the policy on Private Sensitive Information (see UVU Policy 449 Private Sensitive Information). Caution should be taken by the individuals to secure these devices and back up critical information. Disposal or transfer of devices must be done in accordance with the disposal procedures below. All such information on university-owned computer storage devices is considered university data and may be discoverable within the guidelines of state and federal law and university policy. University data stored on devices not owned by the institution is still university-owned data and must be removed from the device upon the request of the university or upon termination of employment with the institution. Private sensitive information must be completely destroyed by shredding (see UVU Policy 449 Private Sensitive Information).

  5. Retention Practices of Network Storage

    1. Information that is stored on network storage (U: and S: drives) is backed up and retained according to the following practices:

      1. Incremental backups are made on a daily basis at night.
      2. Full backups are done weekly.
      3. Weekly tapes are kept for 3 months before they are overwritten.
    2. Department-owned servers and storage may or may not be backed up according to the above schedule.
    3. Departments should have their own retention procedures and publish them to their affected constituents.

  6. Retention Practices of Administrative Systems Data

    1. Information that is stored within the Banner Administrative Systems is backed up and retained according to the following practices:

      1. Incremental backups are made on a daily basis each night.
      2. Full backups are done every other day.
      3. A weekly full backup done on the weekend is duplicated; one copy is stored at the university in a tape vault and one copy is sent to an offsite storage facility.
      4. Weekly tapes are kept for 3 months before they are overwritten.

  7. Disposal Practices

    1. If a piece of computer equipment or electronic storage device is retired or surplused, the following procedures shall be followed:

      1. Any identified records that should be retained by the institution should be removed and stored appropriately.

        1. The device should be electronically shredded so that no information can be retrieved.
        2. If electronic shredding is not possible, the device must be physically destroyed.

      2. If a piece of computer equipment or electronic storage device is transferred to another university employee who should have access to the information on the device (has the same job function and security level), the information may be retained on the device when granted permission by the supervisor.
      3. If a piece of computer equipment or electronic storage device is transferred to anyone else, the following procedures shall be followed:

        1. Any identified records that should be retained by the institution should be removed and stored appropriately.
        2. The device should be electronically shredded so that no information can be retrieved.
        3. If electronic shredding is not possible, the device must be physically destroyed.

  8. Procedures for Computer Equipment Repairs by Third-Party

    1. When computer equipment containing institutional data is sent off campus for repair, institutional data should be backed up and removed from the equipment if possible and practical. If removal is not possible or if it is impractical, the data should be secured as well as possible and the third party should agree to and sign a confidentiality/nondisclosure document.

Cara O'Sullivan, Policy Officer | mailto:cara.osullivan@uvu.edu | (801) 836-7355