Records Management

As department head, you are responsible for the records management function in your department. To assist you with this responsibility, the University has a records retention and disposition policy (University Policy FI0120). The policy follows guidelines issued by Tennessee’s Department of General Services.

The retention schedule in Policy FI0120 lists the minimum retention periods necessary to meet legal, fiscal, and administrative requirements. Included are business and financial, employee, purchasing, risk management, student, and transportation and traffic records. Also, guidelines are provided for establishing a cost-effective records management program at the departmental level.

Key Terms

A record is any unit of information, regardless of form, made or received by any administrative staff in transacting University business. Examples include books, letters, maps, memos, forms, reports, photographs, films, x-rays, microfiche, and electronic files.

A retention schedule lists the minimum time periods that an organization’s records should be retained for legal, fiscal, or administrative reasons and is usually organized by groups of similar records.

Back to top »

Storage of Records

Compact storage methods provide a space- and cost-efficient means of storing records in paper form. Once records are transferred to a compact storage medium, it is not necessary to keep both the original paper copy and the stored record. Before discarding paper copies, departments must ensure that the electronic records are readable, retrievable, transferable, secure and routinely backed up to an offsite facility. The stored records must be kept for the minimum retention period (time in office plus time in storage) specified in Policy FI0120.

There are federal restrictions and industry standards on how personally identifiable information (PII) is transmitted and how it is stored. The Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry (PCI) standards dictate that information classified as personal health information or credit card information must be transmitted in an encrypted form AND stored in an encrypted format. FERPA guidelines (education records) do not specify encryption, but the recommendation is to make every effort to protect the information from exposure to unauthorized persons. However, encryption alone is not enough. Access to sensitive information must also be considered and restricted to only those authorized to view or process the information. Consult your campus Office of Information Technology on the proper ways to store, encrypt and share information with protected PII.

 

Before disposing of or transferring electronic media that contain sensitive or confidential information (medical, student, or employee information), the information should be made inaccessible, i.e., ’sanitize’ computer hard drives, shred sensitive documents so that the data cannot be retrieved.

Back to top »

Filing Records in the Department

Official records must be stored in a manner that is consistent, protects against misplacement, destruction, or theft, and allows quick identification and retrieval. The department is the responsible office for certain records. Failure to retain proper documentation can result in disciplinary action, including termination.

The following filing methods are suggested for payroll, disbursement, and deposit records.

  • Separate records by type or category, e.g., paid invoices, deposit information, procurement card data, payroll information.
  • Store payroll records by pay period and chronologically.
  • Store deposit information chronologically.
  • Separate procurement card records by card number and file receipts with each card statement in chronological order.
  • Store paid invoices and other disbursement documents by cost center/WBS element, by fiscal year (if fewer than 25 invoices paid each year), or by vendor (if more than 25 invoices paid in a year).

 

Note: Regardless of the storage method chosen, original, confidential, and sensitive documents should be stored in a secure place.
Whenever feasible, records not needed to conduct current businessand consulted infrequently should be stored away from the department in campus or approved off-site storage facilities.

Back to top »

Your Role in Records Management

Your primary responsibilities include the following activities.

  1. Ensure that all records are maintained properly (see Policy FI0120).
  2. Ensure that your department has developed a written retention schedule for records not addressed in University fiscal policy, e.g., intra-office memos, departmental reports.
  3. Ensure that all employees are aware of and consult the University’s and the department’s retention schedules before disposing of any records.
  4. Review (or designate someone to review) departmental records at least annually to dispose of all non-records (e.g., drafts and extra copies of documents) and records whose retention periods have expired. (Some records must be audited before disposal. See Policy FI0120.)
  5. Review and approve (sign) a list of records scheduled for disposal before action is taken and ensure that the approved list is retained.
  6. All electronic storage media containing confidential or protected information should be electronically wiped clean (not just deleted) or physically destroyed in such a manner that the information cannot be reconstructed. The destruction of electronic records should be documented using the same procedures as paper records. Subsequent destruction should also be properly documented and approved by Surplus Property.

Back to top »