PURPOSE OF THIS POLICY
The purpose of this policy is to provide clarity, consistency and guidance to the institution for retention of student records, including retention periods, digitization, and disposition of such records.
APPLICATION OF THIS POLICY
This policy applies to all student records stored in any format at CSU and to employees of CSU who create, receive or store student records for any purpose.
EXEMPTIONS FROM THIS POLICY
This policy does not apply to business and financial records of the university, or to other types of records that do not pertain to students.
DEFINITIONS USED IN THIS POLICY
Record Custodian: An individual assigned responsibility for management or maintenance of records for a department or unit.
Retention Period: The length of time a record needs to be maintained to satisfy the purposes for which it was created and to fulfill the legal, fiscal, and administrative requirements of the University and external agencies. The retention periods for specific records are defined in the Student Records Retention Schedule.
Student Records: Records, files, documents, and other materials which contain information directly related to a student and are maintained by CSU (or by anyone acting for CSU). Student records encompass students in credit bearing as well as non-credit bearing courses. Student records as defined herein may include records that are exempt from the definition of “education record” under the university’s FERPA policy (for example, admissions records for prospective students who never enrolled).
Records that are “de-identified” are not covered in this policy. De-identifed records are those where information such as student name, identification number, address and other data that could be used to identify a specific student have been removed. These “rolled up” or aggregate information reports, containing information about students that are de-identified and cannot be linked back to specific students, are considered reports. Retention requirements of departmental reports is left to the respective department. In some cases, aggregated information that results from small numbers of records can be used to identify specific students. Those records are covered within the scope of this policy.
Student Records Retention Schedule: A categorical listing of proper retention periods for student records that is approved and maintained by the Office of the Registrar. The schedule is Appendix A to this policy.
System of Record: An information storage and retrieval system that is the authoritative source for a particular data element related to a student. To ensure data integrity, there must be one--and only one--system of record for a given piece of information. For example, the University’s current system of record for the transcripted academic history of each student is Banner.
Many university departments and offices maintain student records in physical and digital forms. A large number of systems and databases across campus contain student records. The university is committed to the proper retention, storage, retrieval, and disposal of such records in order to meet legal requirements, optimize use of space, minimize cost, and secure sensitive information. This policy provides retention requirements and guidance for the handling of student records.
Information about individual students should be retained only so long as it is valid and useful for legitimate University business and educational purposes, or as specified in the Student Records Retention Schedule (whichever is longer). Those responsible for student records must dispose of them in accordance with this policy when the specified retention period has expired.
Important note regarding records related to pending audit, inspection, or litigation:
Records whose retention period has expired must nevertheless be retained if related to any pending or reasonably expected audit, inspection, governmental investigation, claim, lawsuit, or other official process. This is referred to as a “records hold.” Failure to hold and preserve records under such circumstances is a serious matter that may expose a person to CSU discipline, and/or civil or criminal liability. For further guidance and instruction on disposition of such records, contact the Office of General Counsel.
Records Subject to this Policy
All student records are covered by this policy. This includes records containing information from which a student or students could be individually identified through any means. Not covered under this policy are general records of the university, financial records, and other records that are not student records. Retention periods for these other records may be found in the State of Colorado’s Records Management Manual, Schedule 8 (Higher Education), and the Records Retention section of the CSU Financial Rules.
Student records are considered “sensitive information” under the CSU Information Technology Security Policy.
Student Records Retention Schedule
The University maintains a Student Records Retention Schedule (the “Schedule”), Appendix A to this policy, to be used in determining the proper retention period for all student records. The Registrar is charged with the responsibility of maintaining the Schedule, and questions about retention of student records should be directed to the Office of the Registrar (email@example.com or 970-491-4860). Changes to the Schedule may be made by the Registrar as needed. The current Schedule is published on the Registrar’s website.
Secure Storage of Records
Student records in physical form that contain sensitive, confidential information must be protected. Reasonable measures must be taken to prevent unauthorized access to these records. Such methods may include locked file cabinets, locked office doors, and other security systems provided by the University.
Student records in digital form should be stored on secure University servers and devices in accordance with the requirements for sensitive information under the IT Security Policy. Student records must not be stored on portable media (such as CDs and portable drives), as defined in the IT Security Policy. If a record is stored in Banner, it should not also be stored locally.
Digitization of Records
Most paper records can be converted to an electronic format for purposes of storage, access, and subsequent destruction. Once digitized, a paper record no longer need be retained, and must be destroyed in accordance with this policy, after assuring that the digitized records are complete and there is no longer a need for the paper record (see Disposition of Records, below).
Digitizing a record does not alter its retention period. As paper records, digital records must be disposed of in accordance with this policy when their retention period has expired.
Digitizing student records can be a challenging process. In order to assure that records are properly digitized, and before disposing of the paper records, the responsible departmental Records Custodian should develop a plan to assure that digitization is done properly before disposition is made of paper records. A sample plan is available from the Central Receiving website. Central Receiving offers scanning services to the campus community.
Some student records have or may have enduring historical value and should be transferred to the University Archives once they have served their useful life as dictated by the Student Records Retention Schedule. Contact the Archives and Special Collections Department in CSU Libraries for assistance with archiving records.
Responding to Requests for Disclosure of Records
Requests for disclosure of student records must be handled in accordance with the CSU FERPA policy and the CSU Colorado Open Records Act policy. If you are unsure whether or how to respond to such a request, contact the Office of the Registrar.
Disposition of Records
Records disposition is the final phase in a record's lifecycle. It normally involves destruction but on rare occasions, the disposition may be to transfer the record to another state or federal agency. Known requirements are listed on the Schedule (Appendix A). If you know of any additional requirements for retention or disposition of student records, please notify the Office of the Registrar so the information may be added to the Schedule.
Units are strongly encouraged to conduct an audit of student records at least annually to determine whether any such records have reached the end of their retention period and should be disposed of in accordance with this policy. Records must be destroyed promptly after the end of their retention period. The approved method of destroying records is by shredding to the current security standard for sensitive data, rendering the records permanently irretrievable and illegible. Typically, office shredders do not meet the acceptable security standard.
On-campus secure shredding services are provided by the Department of Central Receiving, Shredding Services. Paper records will be picked up by Central Receiving upon request. Business units of the University are required by the CSU Procurement Code to utilize on-campus services or obtain a waiver before retaining services of an outside contractor. An exception is paper records that are maintained in a location other than the CSU Fort Collins area campuses, and cannot be transferred to Central Receiving. Please see the shredding information page at shredding.colostate.edu or contact Shredding Services (firstname.lastname@example.org or 970-491-6006) for more information and assistance before retaining an outside contractor.
If the records approved for disposal are maintained in digital format, they must be permanently deleted. Physical media, such as CD-ROM disks, tapes, optical disks, memory sticks, memory cards, etc., should not be used for student records, but all those containing student records must be transferred to CSU Surplus Property for proper disposal in accordance with the IT Security Policy. This includes computer hard drives (including servers) being removed from service at the University. Units utilizing cloud-based storage must first have a security review and approval from CSU’s IT Security Manager, and then work with the vendor to arrange for data to be purged after the expiration of the retention period in accordance with the IT Security Policy, and receive documentation that this has been done.
COMPLIANCE WITH THIS POLICY
Compliance with this policy is required. Assistance with compliance may be obtained by contacting the Office of the Registrar for records retention and Central Receiving for records destruction.
Appendix A, Student Records Retention Schedule
CSU Information Technology Security Policy
CSU Financial Rules
CSU FERPA Policy
State of Colorado’s Records Management Manual
Approved by Anthony A. Frank, President, May 5, 2016