Records Retention

Information Technology Resources for an Informed Retention Schedule  [Keeping Your Retention Schedules Evergreen:  How Your IT Department Can Help You Find the Gaps in Your Retention Schedules]

by

By: Pari Swift and based on the 2023 presentation Mine the Gaps : Uncovering What You Don’t Know About Your Retention Schedule with Warren Bean, Zasio.

Are you ever shocked when you learn about a new type of record that your organization is maintaining? To uncover records series that may not be covered by your current retention schedules, leverage the work being done by your information technology department. Here are some IT resources that can help you uncover the gaps:

  • Software Procurement – Get involved in this process. As the records manager, you need to understand whether the software can adhere to your retention and disposition requirements. Additionally, being part of this process will inform you of what types of records and information will be put into the system. Often the vendor assessments offer a window into the purpose and function of the system. This will allow you, early in the process, to match those records to your retention schedule, or add a new series if the records are not already covered.
  • Privacy Officer – As part of their role to protect private information, privacy officers often evaluate information keeping systems, paper or electronic, to ensure that privacy laws are being followed and information is protected and secure. They need to know where sensitive data lives within the organization, so they should have a map or documentation that will shed light on potential records not yet covered by your retention schedule. Two of the tools that they use are the Privacy Threshold Analysis and Privacy Impact Analysis. These gather information about the type of information stored in a system, why it is collected, and how it will be used. This same information can shed light on the records that are already covered on a retention schedule and can be valuable in the records analysis process for determining retention.
  • Cyber Security – Similar to the privacy office, cybersecurity needs to know where data lives and what level of protection it needs. Much of the information that they gather about the records and information is the same as what records managers gather when doing a records analysis to describe a record series and determine retention.
  • Enterprise Architects – The purpose of enterprise architecture is to create a map or blueprint of the structure and operations of an organization, which should include a map of IT assets and an outline of business processes. You can use this information to learn more about what business processes exist and what records are created. Compare this information to what is in your retention schedule to learn whether further conversations about adding to or updating their retention schedules are necessary.
  • IT Backup Schedule – Your IT department most likely has a list of information systems as part of its backup process documentation. Are you aware of all the systems listed and what types of records or information they contain? If not, now you can work with the business unit using the system to ensure that the records are covered on your retention schedule.

These information technology resources are a starting point. They won’t give you all the information that you need to fully flesh out and develop a new record series.  You’ll still need to go to the department subject matter experts for that. What they will do is clue you in to what records might not be covered on your retention schedule so that you can reach out to the department to get them added. These resources may also provide some of the basic information that you need to know, thus saving you and the department valuable time by being able to skip ahead to the questions about the records not yet asked.

Use your IT resources to keep your retention schedules evergreen!

Maintaining Digital Records: Permanent vs. Short Retention Periods

by

If you are effectively maintaining digital records, can you dispose of the original, hard copy documents?

Public entities have the authority to decide in which medium they will maintain their records and can create schedules that divide a records series’ retention period based on storage location or media type. For example, a public entity’s record retention schedule could require it to “maintain the paper version of a record until it is scanned and quality control checked, then dispose; retain electronic version for 10 years.” 

However, if records are required to be maintained permanently, public entities are discouraged from maintaining solely in a digital format. The Ohio History Connection has issued a statement on maintaining digitally imaged records permanently which states its recommendation that any digitally imaged records of permanent value also be maintained in either paper or microfilm format. There are several reasons for this recommendation because the technology surrounding electronic records are in a continuous state of change. Any record in electronic format cannot be considered stable and capable of remaining reliable, authentic, and accessible over any long-term or permanent retention period.

The Ohio Electronic Records Committee has also put together several resources that provide information on the requirements, guidelines, and best practices for digital document imaging projects. You can view these resources here: Document Imaging – Ohio Electronic Records Committee (ohioerc.org).

Data as Record: Managing Data within Information Systems

by

There is so much talk these days about data. Data security. Data privacy. Data classification. Big data. But there isn’t much consideration about data as records. How does “data” fit into the Ohio public records laws and records retention and disposition processes? Are records and data really separate and distinct from one another?

After struggling with these questions in regards to the retention and disposition all of the data sitting in countless information systems, I set out to logically work my way through the questions. First, is data a record? Using the definition of “record” in Ohio Revised Code 149.011 (G) I determined that:
• Data is stored on a fixed medium
• Data is created, sent or received by a public institution
• Data documents functions and activities of the public office
My conclusion is that data, when grouped together and used for a purpose, make records. Data collected for the same purposes, therefore, can be grouped into record series for the application of retention and disposition.

The Ohio Electronic Records Committee [ohioerc.org] recently posted a tip-sheet on Database Records Retention and Disposition [ohioerc.org], created to walk through the concept of records within databases / information systems, which includes the following sections:
• How are database or information systems records defined?
• How long must database or information system records be kept?
• Is it acceptable to keep database or information systems records indefinitely?
• Changing or decommissioning database or information system software
• Procuring new database or information system

This tip sheet will not only give an overview of these concepts, but it can be used to justify including the records manager in conversations throughout the lifecycle of the information system due to their vital role as manager of the records therein. For assistance in responding to public records requests when the requested public records are contained in a database, please see Guidelines for Databases as Public Records.

Pari J. Swift, University Records Manager, The Ohio State University