record retention january 10, 2007

Record Retention

January 10, 2007

Nebraska’s Pride is 500-miles wide

I. Introduction

Keith Swarts


Record Retention ART and DAS January 10, 2007 Agenda

I. Introduction 5 minutes Keith Swarts

II. Why We Are Here 15 minutes Sheila WrobelImportance of record retentionWhat is a record?Records destructionExecutive Memorandum 29 and E-Discovery

III. Electronic Document Storage 10 minutes Sharon WelnaEmail and file storageNon-University owned computersPortable media drives

IV. Employee Records Retention 45 minutes Connie RushClarify rolesReview scheduleFeedback

V. Where Do We Go Next? 10 minutes Keith SwartsFinalize retention schedule in MarchBegin destruction of recordsNext series of records retention review:Medical records and facility records


II. Why We Are Here

Sheila Wrobel


Importance of Retaining Records Records provide documentation to support actions

taken Records required during audits, investigations &

litigation to prove: Policies & procedures followed; “standard of care” Funds spent appropriately (State $; Grants; Medicare & Medicaid) Employees (prospective also) & Students’ rights were not violated

“What hasn’t been documented hasn’t been done”


Scenario 1 A Hispanic female, age 61, is terminated from

employment for poor job performance. She files a complaint with the Nebraska Equal Opportunity Commission (NEOC) claiming discrimination based on sex, race and age

Employer must prove that termination was for cause What documents should the employer have retained

to prove the termination was not “against public policy”? How long should they have been retained?


Scenario 2 The DHHS Office of the Inspector General conducts

an audit of an NIH grant and requests documentation showing proof that Dr. Jones spent 60% of his time on the grant as his effort report indicates

What documentation should Dr. Jones have retained

to prove how his time was spent and how long should he retain it?


Scenario 3

You are in charge of a search committee to hire a department manager. You receive a reference via

e-mail from a previous co-worker of one of the finalists for the position.

Do you need to retain the e-mail reference, and if so,

for how long?


What is a Record? Records contain information relating to the operation

of the University and/or the interests of persons employed by, enrolled at, or otherwise associated with the University;

Records may be in any form: Paper, including handwritten & typed Electronic, including e-mails & e-documents (SAP, etc.) Sound & video recordings, still pictures

Assume most records are potentially subject to disclosure to the public under public records statutes or to third parties through legal process


What Medium? The form of the record is not as important as the

substantive content Unless otherwise required by law or university

policy, records may be retained in any medium Records must be capable of being retrieved

If microfiche, maintain a microfiche reader Electronic records must be in a format accessible by

current technology Create system to retrieve records in a timely manner (i.e.

an index)


Record Destruction Establish a system to date & flag records for

destruction on a regular schedule See UNMC Policy and Procedures 6056 in handouts

for proper methods of destruction Record retention schedules set a minimum time for

retention UNMC schedules will list the repository(s) for each

record Only a single copy of each record must be kept;

destroy duplicates as soon as possible


Executive Memorandum 29

Designates records officers & responsibilities Joshua Mauk is university-wide records officer Keith Swarts is UNMC records officer

Preservation Notices for records subject to legal proceedings or public records requests Recipients must make a good faith effort to collect and

preserve records subject to the Notice Retention schedules suspended for these records – do not

destroy during preservation period


E-Discovery Rules

Federal Rules of Civil Procedure amendments effective Dec 1, 2006 related to discovery of electronically stored information in litigation

Addresses the duty to disclose ESI Party from whom discovery is sought has the

burden of proving that ESI is not reasonably accessible because of undue burden or cost


Record Retention Resources

UNMC Record Retention website at: http://www.unmc.edu/dept/compliance/index.cfm?L1_ID=34&CONREF=10

UNMC Record Retention and Destruction FAQs

University of Nebraska General Counsel E-Discovery FAQs


III. Electronic Document Storage

Sharon Welna


Email and File Storage


Email and file storage

Organize your electronic documents and email Use the same file structure within email as you

store electronic documents

http://office.microsoft.com/en-us/help/HA012191731033.aspx http://office.microsoft.com/en-us/workessentials/HA011450561033.aspx


Email and file storage

Set up a file structure which will be easy to maintain

Examples:Subject

Year created Record Retention

Presentations 2007


Non-University Owned Computers

If you store UNMC records on a non-University owned computer, this computer could be needed to respond to a records request.

It is highly recommended that you segregate UNMC records and personal records.

It will be your responsibility to produce the records on the non-University owned computer to respond to a records request.


Data stored on Local hard drive

Employee has responsibility for bringing forward any data stored on a local hard drive similar to data stored on a non-University owned PC

Example: ITS is requested to provide legal a copy of the mail data base for a particular individual. All ITS will be able to provide is data stored on the mail server. It will be the employee’s responsibility to identify other area’s where mail has been stored.


Information Security:Mobile Devices


What is a mobile device? USB devices

Thumbs drives USB removable disk drives

Smart Phones Laptops PDA iPod Blackberry And more every day………..


Facts to Consider 81% of US firms lost laptops with sensitive

data in the past year 97% of stolen computers are never recovered 60% of information theft results from lost or

stolen equipment, only 25% from network intrusions

Source: Computerworld, August 16, 2006


VA to Encrypt All Computers

VA will install data encryption technology on ALL of its computer

Cost: $3.7 million

Source: Health Data Management (August 15, 2006)


Do NOT put confidential information on a mobile

device

But, what if I have to?

You MUST ensure that the data is encrypted and password protected.


Encryption Recommended product to use:

TruCrypt

Contact workstation support if you have questions


Risks of Encrypting Data

If you lost the encryption key, there is virtually no way to recover.

Encryption should only be used on mobile devices

Encrypted file should NOT be your only copy. Keep a copy on a file server


Computer Use Policy It is the responsibility of the workforce to utilize the

information technology resources in an appropriate manner. Individuals with access to information systems are expected to safeguard resources and maintain appropriate levels of confidentiality in order to protect the integrity of all data and of the interests of the entity.

It is the responsibility of the workforce to protect confidential information when stored electronically (at rest) and when the data is being transferred outside of the facility such as on a mobile device or a diskette


End User Device Policy Confidential Information on Mobile devices (such as PDA’s laptops):

Members of the workforce must utilize password protection. All computerized confidential information should be encrypted where technically feasible. The use of physical security measures such as using safes, locking furniture drawers, and locking office doors is recommended as a supplementary measure to protect confidential information while the data is being stored (or at rest). Members of the workforce are responsible for safeguarding and protecting confidential information when the information is transferred off campus such as on a diskette, PDA, or laptop.. Members of the workforce are responsible for ensuring information obtained and stored on mobile devices is obtained pursuant to the UNMC Policy No. 6051, Computer Use and Electronic Information Security.


Blackberry

If a Blackberry is misplaced, lost or stolen Notify the IT Help Desk immediately IT will work with you to notify Verizon

Misplaced Blackberry device Server can send a “set password” and “lock” command

Lost or stolen Server can send an “erase application data” command Server can send a show owner information command


Preventing Mobile Device Theft

No place is safe. Never leave mobile devices unattended Never leave user id/password in the carrying

case


Avoid a disaster while on the road

Start every trip with a backup of your system Connect to the office using your VPN connection and

back up files to your home drive When in doubt, switch to paper


Make security a habit to ensure retention of records


IV. Employee Records Retention

Connie Rush


V. Where Do We Go Next?

Finalize retention schedule and permanent records

Destruction of records Next series of record retention review Questions?

record retention january 10, 2007

Documents