Policies of Colorado State University
University Policy
Policy Title: Records Retention | Category: Administration |
Owner: Vice President for University Operations | Policy ID#: 5-6001-005 |
Contact:
Registrar's Office
Web: http://registrar.colostate.edu/ Email: registrarsoffice@colostate.edu Phone: (970) 491-4860 Also Contact:
Business and Financial Services
Web: http://busfin.colostate.edu/ Email: BFS_Webmaster@mail.colostate.edu Phone: (970) 491-1429 |
Last Revision: 6/6/2024 |
PURPOSE OF THIS POLICY
The purpose of this policy is to provide clarity, consistency, and guidance to the institution for retention of University Records, including Retention Periods, digitization, and disposition of such records.
APPLICATION OF THIS POLICY
This policy applies to all University Records stored in any format at CSU and to all academic and business units, employees and agents of CSU who create, receive or store University Records for any purpose.
EXEMPTIONS FROM THIS POLICY
None.
DEFINITIONS USED IN THIS POLICY
University Record (Record): Any file, document, recorded sound, or image generated or held by the University and its employees while acting in the scope of their job duties, regardless of format (paper, digital, photographic, fiche, etc.). All University Records are the property of the institution except as otherwise provided in Section J of the Academic Faculty and Administrative Professional Manual, by law, or in a contract of the University. Types of records include:
- Active Record: a record that is currently serving a business or educational purpose.
- Archival Record: a record that has permanent or historic value, is inactive, and is not required to be maintained in the office in which it originated or was received. Archival Records are maintained and made available in the University Archives, within the University Libraries.
- De-Identified Record: De-identified records are those in which personally identifiable information such as name, identification number, address and any other data that could be used to identify a specific person have been permanently and irretrievably removed. Data that is de-identified is usually “rolled up” or aggregated for reporting purposes. Retention requirements of departmental reports is left to the respective department. Records that are “de-identified” are not covered in this policy. Caution must be taken; in some cases, aggregated information that results from small numbers of records can still be used to identify specific individuals.
- Electronic Record: a record kept in a digital format. These include, but are not limited to, word processor documents, spreadsheets, databases, HTML documents, scanned or imaged documents, audio and video recordings, and any other type of file held on an electronic storage medium or cloud storage service.
- Inactive Record: a record that is (i) not an Active Record, but still must be retained pursuant to the applicable Records Retention Schedule, law, rule, or policy provision; or (ii) is no longer required to be retained, but has not yet been destroyed or archived.
Personally Identifiable Information (PII): Information, excluding directory information, that, if disclosed alone or in combination with other available information, would make it possible to identify an individual to whom the information pertains. This includes items such as a social security number; a personal identification number; a password; a pass code; an official state or government-issued driver's license or identification card number; a government passport number; biometric data, such as defined in C.R.S. § 24-73-103(1)(a); an employer, student, or military identification number; a financial transaction device as defined in C.R.S. § 18-5-701(3); grades, financial/account information; CSU ID photo; class and work schedules; residency status; class rank; age; birth date and place of birth; and all such sensitive personal information as defined further herein.
Records Custodian: An individual assigned responsibility for management or maintenance of University Records for a division, department, or other unit. To determine the Records Custodian, contact the appropriate office for the type of Record (see Appendix 1).
Records Retention Schedule: A categorical listing of proper Retention Periods for records.
Retention Period: The length of time a record needs to be maintained to satisfy the purposes for which it was created and to fulfill the legal, fiscal, and administrative requirements of the University and external agencies. The Retention Periods for specific Records are defined in the applicable Records Retention Schedule. All Retention Periods are based on the fiscal year, from July 1 through June 30, and are in addition to the current year. For example, a three-year Retention Period means a document created this year should be kept until June 30th and then three additional years.
Sensitive Information: Includes both University data that is not publicly available, and PII that through unauthorized disclosure may adversely affect an individual and/or the University. Examples include social security numbers, health information, financial information including credit card numbers, personnel and student performance information, proprietary research and academic information, student and staff ID photos, and personal location information including IP address.
Student Records: Records, files, documents, and other materials which contain information directly related to a student and are maintained by CSU (or by anyone acting for CSU). Student Records encompass students in credit-bearing as well as non-credit bearing courses. Student Records as defined herein includes both records that meet the definition of “education records” under the university’s FERPA policy, and those not covered under FERPA (for example, admissions records for prospective students who never enrolled).
System of Record: An information storage and retrieval system that is the authoritative source for a particular data element. For example, the University’s current System of Record for the transcripted academic history of each student is the student information system, Banner.
POLICY STATEMENT
All University departments and offices maintain Records in physical and digital forms, using any of a large number of systems and databases. The University is committed to the proper retention, storage, security, retrieval, and disposal of such Records in order to meet legal requirements, optimize use of space, minimize cost, and secure University data, including sensitive personal information. This policy provides retention requirements and guidance for the handling of University Records.
Unless otherwise specified in an applicable law, regulation, policy, or procedure, all CSU Records shall be retained in accordance with the applicable Records Retention Schedule, regardless of their format. For Records that are not addressed in a schedule, or for assistance with Retention Periods, please contact the Office of the Registrar for Student Records retention, Business & Financial Services for financial Records Retention, Sponsored Programs for Records related to 53-fund activities, or the University Policy Office and the Office of the General Counsel for other Records.
University Records should be retained only so long as they are valid and useful for legitimate University business and educational purposes (including archival purposes), or as specified in the applicable Records Retention Schedule (whichever is longer). Inactive Records should not occupy office, storage, or computer space. Those responsible for University Records must dispose of them in accordance with this policy when the specified Retention Period has expired.
Important rule regarding Records related to pending audit, inspection, or litigation:
Records whose Retention Period has expired must nevertheless be retained if related to any pending or reasonably expected audit, inspection, governmental investigation, claim, lawsuit, or other official process. This is referred to as a “Records hold” or “Litigation Hold” in the case of imminent or pending litigation. Failure to hold and preserve Records under such circumstances is a serious matter that may expose a person to CSU discipline, and/or civil or criminal liability. Any Record that is the subject of litigation or a known claim shall be retained, regardless of the expiration of its Retention Period, until disposition of the Record has been approved by the Office of the General Counsel. For further guidance and instruction on disposition of such Records, contact the Office of General Counsel at 970-491-6270.
POLICY PROVISIONS
- Records Subject to this Policy
- All University Records are covered by this policy except De-identified Records.
- Records Retention Schedules
- The Retention Periods for University Records are derived from several sources.
- In general: For most University Records, Retention Periods are defined in the Colorado Department of Personnel & Administration’s State Archives Records Management Manual, Schedule 7 – Financial Records, Schedule 8 – Higher Education, and Schedule 14 – Property Records (the “state schedules”). Questions about the state schedules should be directed to the University Policy Office.
- Records Retention Schedule: Retention periods for records other than Student Records are contained in the CSU Records Retention Schedule (the “schedule”), part of CSU Financial Procedure Instruction (FPI) 10. The schedule is subject to change as necessary for completeness and accuracy. Changes should be forwarded to the University Policy Office by the responsible Records Custodian as they are made.
- Student Records Retention Schedule: Student Records are governed by the Student Records Retention Schedule. The Registrar is charged with the responsibility of maintaining, updating and publishing the schedule, and questions about retention of Student Records should be directed to the Office of the Registrar (registrarsoffice@colostate.edu. Changes to the schedule may be made by the Registrar as needed. The current schedule is published on the Registrar’s Office website.
- Sponsored Programs Records:
- Records associated with federally sponsored grants and cooperative agreements must be retained for the latter of six (6) years following submission of the final financial report or until all existing audit questions have been resolved. See 2 C.F.R. § 200.333.
- Records associated with federal contracts must be retained for six (6) years after the final payment.
- Retention Period—Years: All Retention Periods are based on the fiscal year, from July 1 through June 30, and are in addition to the current year. For example, a three-year Retention Period means a document created in this fiscal year should be kept until June 30th and then three additional fiscal years.
- Retention periods apply to information regardless of the physical format (paper, microfilm, computer disk or tape, optical imaging, CD-ROM or other medium.)
- The Retention Periods for University Records are derived from several sources.
- Secure Storage of Records
- Records in physical form that contain Sensitive Information or PII must be protected. Reasonable measures must be taken to prevent unauthorized access to these Records. Such methods may include locked file cabinets, locked office doors, and other security systems provided by the University.
- Electronic Records should be stored on secure University servers and devices in accordance with the requirements for Sensitive Information under the IT Security Policy. All Records with Sensitive Information or PII, must not be stored on portable media (such as CDs and portable drives), as defined in the IT Security Policy. If a Record is stored in a System of Record, it should not also be stored locally, with exceptions for credit card transaction records and PCARD records.
- The file may be saved to a server directory or other medium that is password-protected to allow viewing only by appropriate personnel and that is regularly backed up to a server. Contact the Division of Information Technology if you need information on server storage, backup and retrieval.
- The Controller may specify backup methods and media at any time for any Records.
- Digitization of Records
- Most paper Records can be converted to an electronic format for purposes of storage, access, and subsequent destruction. With some exceptions, once digitized, a paper Record no longer needs to be retained, and should be destroyed in accordance with this policy, after assuring that the digitized Records are complete and there is no longer a need for the paper Record (see Disposition of Records, below). Exceptions include:
- Original real property Records, contract documents and other Records that, in the judgment of the Office of General Counsel, should be retained in their original form; and
- To comply with FAR 4.703(c)(3), which states, "the contractor or subcontractor retains the original Records for a minimum of one year after imaging to permit periodic validation of the imaging systems," original Records related to federal contracts are stored for one year after imaging.
- Digitizing a Record does not alter its Retention Period. Just like paper Records, digital Records must be disposed of in accordance with this policy when their Retention Period has expired. Once digitized, the Record becomes subject to the IT Security Policy
- Digitizing Records can be a challenging process. In order to assure that Records are properly digitized, and before disposing of the paper records, the responsible Records custodian should develop a plan to assure that digitization is done properly before disposition is made of paper Records. In addition, the department must ensure secure storage and metadata to support the files over the long-term. The Portable Document Format/Archival is a file format intended to be suitable for long-term preservation of page-oriented documents. For more information on proper digitizing of Records, see FPI 10-1 and the References section below. Central Receiving offers scanning services to the campus community.
- Acceptable digital formats for Records are Portable Document Format (PDF) file or Tag Image File Format (TIFF) File. PDF and TIFF were selected because the formats are projected to be compatible with future formats and are easily readable on most desktops, laptops and mobile devices.
- The Controller may specify backup methods and media at any time for any Records.
- Most paper Records can be converted to an electronic format for purposes of storage, access, and subsequent destruction. With some exceptions, once digitized, a paper Record no longer needs to be retained, and should be destroyed in accordance with this policy, after assuring that the digitized Records are complete and there is no longer a need for the paper Record (see Disposition of Records, below). Exceptions include:
- Archiving Records
- Some University Records have or may have enduring historical value and should be transferred to the University Archives once they have served their useful life as dictated by the applicable Records Retention Schedule. Contact the Archives and Special Collections Department in CSU Libraries for assistance with these Records. In accordance with governing board approval on June 20, 1975, the University Archivist in Morgan Library is the official custodian of archival Records.
- Responding to Requests for Disclosure of Records
- Requests for disclosure of University Records must be handled in accordance with the CSU FERPA policy and the CSU Colorado Open Records Act policy. All Records disclosure requests under the Colorado Open Records Act must be immediately forwarded to the responsible Records custodian and the Office of General Counsel. Subpoenas or similar court ordered record releases must also be immediately forwarded to the Office of General Counsel. Questions about the release of University Records may be directed to Office of General Counsel.
- Document and Email Review and Retention
- Document and Email Review and Retention: In limited circumstances, Colorado State University can review and retain documents and emails sent, received, or created through its IT systems. This may occur for litigation matters, open records requests, audits, investigations, and other legal issues. Only people given permission by the Office of the General Counsel are allowed to review and retain such information.
- Public Records: All employees should know that all records, including emails that they send, receive, or create in their official capacity, may be considered public records that must be disclosed according to C.R.S. § 24-72-203.
- Keeping Records: Documents or records that are subject to a request under the Colorado Open Records Act or responsive to threatened or actual litigation must be retained. Documents that do not fall in this category may be deleted in accordance with applicable records retention schedules, when they are not needed.
- Disposition of Records
- Records disposition is the final phase in a Record's lifecycle. It normally involves destruction, but, on rare occasions, the disposition may be to transfer the Record to another state or federal agency. Known requirements are listed on the applicable Records Retention Schedule. If you know of any additional requirements for retention or disposition of University Records, please notify the University Policy Office so the information may be added to the appropriate schedule.
Units are strongly encouraged to conduct an audit of their Records at least annually to determine whether any such Records have reached the end of their Retention Period and should be disposed of in accordance with this policy. Records should be destroyed promptly after the end of their Retention Period unless there is a continuing legitimate business need to retain them as established by the responsible Records Custodian. The approved method of destroying records is by shredding to the current security standard for sensitive data, rendering the records permanently irretrievable and illegible. Typically, office shredders do not meet the acceptable security standard.
On-campus secure shredding services are provided by the Department of Central Receiving, Shredding Services. Paper records will be picked up by Central Receiving upon request. Business units of the University are required to utilize on-campus services or obtain a waiver before retaining services of an outside contractor. An exception is paper records that are maintained in a location other than the CSU Fort Collins area campuses and cannot cost-effectively be transferred to Central Receiving. Contact Shredding Services (shredding@colostate.edu or 970-491-6006) for more information and assistance before retaining an outside contractor.
If the records approved for disposal are maintained in digital format, they must be permanently erased so that they cannot be recovered by any means or device. Portable physical media, such as CD-ROM disks, tapes, optical disks, memory sticks, memory cards, etc., should not be used for records containing Sensitive Information or PII, but, when they exist, they must be transferred to CSU Surplus Property for proper disposal in accordance with the IT Security Policy. This includes computer hard drives (including servers) being removed from service at the University. Such items should never be transferred to another entity, other than through Surplus Property, nor permitted to be converted to personal use. Units utilizing cloud-based storage must first have a security review and approval from CSU’s IT Security Manager, and then work with the vendor to arrange for data to be purged after the expiration of the Retention Period in accordance with the IT Security Policy, and receive documentation that this has been done.
- Records disposition is the final phase in a Record's lifecycle. It normally involves destruction, but, on rare occasions, the disposition may be to transfer the Record to another state or federal agency. Known requirements are listed on the applicable Records Retention Schedule. If you know of any additional requirements for retention or disposition of University Records, please notify the University Policy Office so the information may be added to the appropriate schedule.
COMPLIANCE WITH THIS POLICY
Assistance with compliance may be obtained by contacting the Office of the Registrar for Student Records retention, Business & Financial Services for financial records retention, the University Policy Office for other records, and Central Receiving for records destruction.
REFERENCES
- Records Retention Schedule
- Student Records Retention Schedule
- CSU Policy: Information Technology Security
- CSU Financial Rules
- CSU Policy: Family Educational Rights and Privacy Act (FERPA)
- State of Colorado’s Records Management Manual
- Colorado House Bill HB18-1128, Protections for Consumer Data Privacy
- Federal Agencies Digital Guidelines Initiatives (FADGI)
APPROVALS
Effective January 1, 2000
Revised May 17, 2016
Revision approved by Brendan Hanlon, Vice President for University Operations, on January 18, 2023
Revision approved by Brendan Hanlon, Vice President for University Operations, on June 6, 2024