Records Management, Retention, and Disposal Policy

Effective Date
August 15, 2018

Revised Date

Contact

Phone: 607-431-4315
[email protected]

Purpose
Policy #6.20: This policy establishes guidelines for record management guidelines and compliance with the European Union General Data Protection Regulation (the “GDPR”).

Policy Scope
This policy applies to all employees, regardless of employment type.

Responsible Office
Human Resources

This policy seeks: to establish record management guidelines and a system of accountability to help ensure that the College can meet the legal requirements pertaining to records management; to ensure the authenticity and reliability of official records of the College; to protect the confidentiality of records and the privacy of constituents; to prevent the misuse, misplacement, damage, untimely destruction, or theft of records; to ensure that records which have enduring historical value are retained; and to ensure that the College and the College’s employees are working toward compliance with the European Union General Data Protection Regulation (the “GDPR”).

The GDPR applies to the Processing of a Data Subject’s Personal Data (as such terms are defined below). Under the GDPR, the College may be considered a Controller (as defined below) of Personal Data, and, as such, likely is subject to numerous requirements under the GDPR.
This policy addresses the management, retention, and disposal of all records received, created, generated, or maintained by the College and applies to all departments of the College. This policy covers all types of records, regardless of physical characteristics, that are created, generated, and received; recorded as evidence of the organization, its functions, policies, decisions, procedures, operations, or activities; or documents legally filed during business or legal obligations.

Since no one individual or department can be directly responsible for all campus records and files, users throughout the College share a collective responsibility to manage records appropriately and adhere to the retention and disposal guidelines outlined in this policy. Access, maintenance, retention, and disposal procedures for college records must be followed by all employees.

This Policy applies to, and will be provided to, all employees and staff of the College, except when they are acting in a private or external capacity unrelated to the College. For clarity, the term “employees and staff,” for this purpose means anyone working in any context for the College at any level or grade (whether permanent, full-time, part-time, adjunct or temporary), and including employees, retired but active former employees, faculty members, staff, visiting fellows, workers, trainees, interns, seconded staff, agency staff, agents, volunteers, external members of committees, and Trustees.

This policy addresses international, federal, and state laws and regulations, and College policies such as, but not limited to, Family Education Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPPA), General Data Privacy Regulation (GDPR), Fair Credit Reporting Act (FCRA), Federal Trade Commission (FTC), Department of Labor, Payment Card Industry Security Standards (PCI-DSS), and New York State General Business Law Section 399-h.

Any questions regarding the implementation of this policy, including its applicability to any document, should be addressed to Hartwick College Compliance Coordinator.

Archivist: Responsible for assessing the long-term value of a record and making the determination on whether or not a record will be considered an Archival Record. The Archivist will be responsible for collecting, organizing, preserving, maintaining control over, and providing access to records in the Hartwick College Archives and The Record Storage Center.

Compliance Coordinator: Responsible for the coordination of the record management, retention, and disposal program.
Department Record Coordinator: Responsible for the proper management and disposal of records for a designated department and shall be the primary contact for records management, retention and disposal for their designated department.

Information Technology: Responsible for the day-to-day maintenance of the network and electronic systems owned or managed by the College that store data and records, to ensure that electronic records remain accessible and recoverable. IT Services is available to assist College offices and departments with the IT aspects of records management, retention and the secure digital disposal of records.

Data Protection Officer: Responsible for: (a) monitoring and auditing the College’s compliance with its obligations under the GDPR; advising the College on all aspects of its compliance with the GDPR; acting as the College’s point of contact with the applicable Supervisory Authority(ies) with regard to the GDPR, including in the case of Personal Data Breaches; and acting as an available point of contact for complaints from Data Subjects.

Accountability Obligations: the obligation(s) under Article 5 and Recital 29 of the GDPR to: (A) comply with the GDPR and retain records demonstrating compliance; (B) implement policies, procedures, processes, and training to promote data protection “by design and by default”; (C) have appropriate contracts in place when outsourcing functions that involve the Processing of Personal Data; (D) maintain records of the data Processing that is carried out; (E) record and report Personal Data Breaches; (F) carry out, where relevant, a Data Protection Impact Assessment on high risk Processing activities; (G) cooperate with the applicable regulator(s) of the GDPR; and (H) respond to regulatory/court action, including, in certain instances, the payment of administrative fines levied by the applicable regulator(s) of the GDPR.

Administrative Safeguards: administrative actions, and policies and procedures, intended/used to manage the selection, development, implementation, and maintenance of Security Measures to protect Personal Data and to manage the conduct of a Controller’s workforce in relation to the protection of Personal Data.

Archival Record: A record whose long term value justifies its permanent retention either to meet the fiscal, legal or administrative needs of the College, or because it contains historically significant information.

College Record: Any form of recorded information, regardless of physical characteristics, that are created, generated, received, and/or recorded as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities, or documents legally filed in the course of college business or in the College’s legal obligations. All Records, regardless of physical characteristics, received, created, generated, or maintained by the College or its employees in connection with the conduct of College business are the sole property of the College.

Confidential Information: Information that must be protected from unauthorized access or public release based on state or federal law. Examples of confidential information include but are not limited to personal information, personal identification numbers, personal identifying information, financial account numbers, medical records, passwords, and student education records.

Confidential Record: A record that contains one or more pieces of personal information or contains information protected from disclosure by law or College policy, including but not limited to, the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability Accountability Act (HIPAA), the New York State General Business Law §399-h, and the New York State Disposal of Personal Records Law.

Controller: the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.1.
_________________________________

1. Unfortunately, the Commission did not update the definitions of Controller and Processor to reflect current Processing practices and new technological developments. When Processing was limited to basic situations (e.g., the College asks company X to send an email to alumni on its behalf), the concepts were useful because the roles were more clear (in the example, the College is the Controller and X is the Processor). However, in complex situations involving new technologies such as the blockchain, the Internet of Things (IoT), big data, etc., commentators have suggested Processing be considered subject to joint control.
__________________________________

Data Protection Principle(s): the principles set forth in Article 5 of the GDPR that state that Personal Data shall be: (A) Processed fairly, lawfully, and transparently; (B) Processed only for specified, explicit, and legitimate purposes; (C) adequate, relevant, and limited; (D) accurate (and rectified if incomplete or inaccurate); (E) not kept for longer than necessary; and (F) Processed securely.

Data Subject: an identifiable natural person, i.e., one who can be identified, directly or indirectly, by reference to Personal Data.

Data Subject Rights: the rights set forth in Articles 15-22 of the GDPR, all of which are qualified in different ways, including the Data Subject’s right: (A) to be informed of how his/her Personal Data is being used; 2. (B) of access to his/her Personal Data; (C) to have his/her inaccurate Personal Data rectified; (D) to have his/her Personal Data erased (right to be forgotten); (E) to restrict the Processing of his/her Personal Data pending its verification or correction; (F) to receive copies of his/her Personal Data in a machine-readable and commonly-used format (right of data portability); (G) to object to: (i) Processing (including Profiling) of his/her Personal Data under particular Legal Bases, (ii) direct marketing, and (iii) Processing of Personal Data for research purposes where that research is not in the public interest; and (H) not to be subject to a decision based solely on automated decision-making using Personal Data.
_______________________________

2. This right is usually fulfilled by the provision of “privacy notices” (also referred to as “data protection statements” or, especially in the context of websites, “privacy policies”) which set out how an organization plans to use Personal Data, who it will be shared with, the Legal Bases for Processing, ways to complain, and who to contact in order to exercise Data Subject Rights.
________________________________

Digital Record: A record created, generated, converted, sent, communicated, received, or stored by electronic means. Digital record formats include, but are not limited to, word processing documents, spreadsheets, e-mails, instant messages, text messages, web sites, databases, and scanned images, as well as multimedia files such as audio, graphics, and video. These records, although electronic in format, are treated the same as records in other formats and are subject to the same retention and disposition schedules as similar paper records.
Duplicate Records: A duplicate is an exact replica of the Official Record.

Encryption: A method of hiding electronic information by encoding it into a format that renders it unreadable without access to the encryption key. Encryption is most often used to transmit records or data that contain personal information, personal identification numbers or personally identifying information.

Encryption Key: A password that is required to encrypt and decrypt information, essentially locking and unlocking the data.
General Administrative Records: Records created and maintained by departments as part of routine operations. General Administrative Records are of short-term interest and are not required to be retained. Examples include but are not limited to: daily activity schedules, calendars, appointment books, tickler files, extra copies of correspondence, temporary drafts or personal notes that were not circulated, reviewed, or used to make decisions or complete transactions; temporary files used solely to change the arrangement or format of electronic records; copies of files or extracts of databases created solely to transfer data between systems.

General Data Protection Regulation (GDPR): Regulation adopted by the European Union (EU) in April 2016, with an effective date of May 25, 2018, that protects the personal privacy of residents of the EU and European Economic Area.

Hartwick College Archives: The Archives provide a permanent repository for official records of the College, as well as historical artifacts and records. The Archives are overseen and managed by the college Archivist.

Health Information: Any information, whether oral or recorded in any form or medium, that relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.
Inactive Records: Records which no longer required in the day to day operations of an organization, but which must be kept to meet fiscal, legal, or administrative needs of the College.

Information System: an interconnected set of information resources under the same direct management control that shares common functionality. An information system normally includes hardware, software, information, data, applications, communications, and people.

International Organization: an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

International Recipient: any Recipient of Personal Data in any country outside of the EEA, other than an International Organization.

Legal Bases or Legal Basis: there is a lawful basis for Processing Personal Data where: (A) there is clear Consent for a specific purpose; (B) the Processing is necessary to comply with the terms of a contract; (C) the Processing is necessary to comply with a Legal Obligation; (D) the Processing is necessary to protect vital interests (e.g., to protect a Data Subject’s life or safety); (E) the Processing is done in the performance of a public task (which has a clear basis in EU law); and/or (F) the Controller’s legitimate interests require the Processing of Personal Data, and this legitimate interest outweighs the Data Subjects’ interests in the privacy of their Personal Data.3.
______________________________
3. This Legal Basis appears broad; however, it generally is meant to be read narrowly, and to serve as a balancing test in which the College’s interests are balanced against a Data Subject’s interest in protecting his/her Personal Data.
______________________________
Legal Hold: Suspends the normal disposition of records due to a pending or anticipated audit, litigation, claim, agency charge, investigation, enforcement action, or an administrative review.
Member State(s): Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK.

Official Record: An original record that must be kept for a specific period of time to meet fiscal, legal, or administrative needs of the College. Official records must be stored in hard copy.
Originating Department/Office: The department/office in which an original document or Official Record was created, generated or received.

Personal Data: any information relating to an identified or identifiable Data Subject; specifically including, but not limited to, name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that Data Subject. For clarity, the term Personal Data refers to data that is in either paper or electronic form.

Personal Data Breach: a breach of Security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or Access to, Personal Data.4.
_________________________________
4. The WP29 has identified three categories of Personal Data Breaches: (1) a Confidentiality breach where there is an unauthorized or accidental disclosure of, or Access to, Personal Data; (2) an Availability breach where there is an accidental or unauthorized Loss of Access to, or Destruction of, Personal Data; and (3) an Integrity breach where there is an unauthorized or accidental alteration of Personal Data.
_________________________________
Personal Information: Any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify the person.

Personal Identification Number: Any number or code which may be used alone or in conjunction with any other information to assume the identity of another person or access to financial resources or credit of another person.

Personal Identifying Information: Personal identifying information consisting of any information in combination with any one or more data elements of personal information that can be used to determine the identity of an individual. Data elements include but may not be limited to: name, birth date, social security number, driver’s license number, non-driver identification number, account numbers, or mother’s maiden name.

Physical Safeguards: physical measures, policies, and procedures intended/used to protect a Controller’s electronic information systems and related buildings and equipment from natural and environmental hazards, and from unauthorized intrusion.

Policy Suspension: This Policy may be suspended for any record due to a Legal Hold.

Processing: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. “Process” and “Processed” have a corresponding meaning.
Processor: a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.

Protected Health Information: Any information that is a subset of Health Information and includes Personal Identifying Information collected from an individual.

Recipient: a natural or legal person, public authority, agency, or another body, to which Personal Data is disclosed, whether a Third Party or within an entity, corporation, or affiliated group. Public authorities receiving Personal Data in the context of a particular inquiry in accordance with EU or Member State law are not regarded as Recipients. For this purpose, “public authorities” generally means tax and customs authorities and financial market authorities, receiving Personal Data necessary to carry out a particular inquiry in the general interest, in accordance with EU or Member State law.

Record Retention and Disposition Schedule: A schedule that identifies various records, the medium in which they exist, where the records are stored, and a minimum length of time that a record must be retained.

Record Series: A group of related records that result from the same activity and are kept together as a unit and can be evaluated together for disposition and/or other management purposes.

Representative: a natural or legal person established in the EU who is designated by the Controller or Processor in writing pursuant to Article 27 of the GDPR, and who represents the Controller or Processor with regard to their respective obligations under the GDPR.

Security or Security Measures: all of the Administrative Safeguards, Physical Safeguards, and Technical Safeguards in an Information System.

Secure Digital Destruction: The disposal method for sensitive, confidential, personal information, personal identification numbers or personally identifying information or data from a computer or other electronic storage media.

Supervisory Authority(ies): an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR.

The Records Center: A storage area for inactive records which need to be retained for a certain period of time for legal and administrative purposes. In collaboration with the archivist, the department record coordinator and the compliance coordinator will determine what records are stored in the Center.

Some records may be needed for administrative review, audits, or as evidence in legal actions. In the event of a pending or anticipated audit, litigation, claim, agency charge, investigation, enforcement action, or administrative review, a Legal Hold will be placed on all pertinent records regardless of physical format, including e-mails. These records must be preserved, safeguarded, and retained for the entire period of the action or proceeding and the time for all appeals has expired even if the record’s retention period has expired.

If the retention period has expired by the time the legal action ends, the records must be retained for at least one additional year after the end of the legal action to resolve any need for the records in an appeal. If the retention period has not expired, the records must be retained for the remainder of the retention period, but not less than one year after the legal action ends.
Premature destruction or disposal of any records with a Legal Hold is expressly prohibited, and if intentional, may result in disciplinary action, up to and including termination of employment and possible civil or criminal penalty.

All employees are responsible for applying administrative, technical, and physical safeguards to appropriately secure all records, paper or digital, from unauthorized access and disclosure, and also to protect the authenticity, accuracy, and completeness of information, to prevent information from being destroyed, to protect the privacy and confidentiality of individuals, and to ensure that records are available when needed.

Hartwick College’s User Responsibilities and Appropriate Use Policy outline the steps employees must take to maintain the integrity of College information.

Some of these responsibilities pertain to the security and access to records and include:

Complying with College, local, state, federal, and/or international laws or regulations regarding access to and use of information.
Taking appropriate action to back up computer systems.
Exercising due diligence in protecting any computers that connect to the Hartwick network from viruses, worms, and security vulnerabilities by regularly using anti-virus software.
Keeping technology accounts secure by not sharing privileges (passwords) with others.

In addition to complying with the College’s User Responsibilities and Appropriate Use Policy, all employees must also comply with the Family Educational Rights and Privacy Act (FERPA), The Health Insurance Portability and Accountability Act of 1996 (HIPAA), and Section 203-d of the New York Labor Law to ensure that records and/or access to records containing personal information, personal identification numbers, or a combination thereof are protected from unauthorized access and disclosure.

The level of security and access to a record will vary depending on the content of the record.

To secure and control access to records, employees should:

Control who has access to the record.

Store records, both paper and digital copies, in a secure manner.
Take measures to prevent accidental or malicious destruction.

Create a backup or secondary copy of all digital records, including email messages that meet the criteria of an Official Record.

Protect the transmission of records information by encryption.
In order to assure compliance with FERPA, HIPAA, or any other state, federal, and/or international laws or regulations, the following minimum procedures must be followed for all student, employee, and constituent records:

Any records, data, or files containing health information, protected health information, personal information, personal identification numbers, or personally identifying information or data must be kept in locked file cabinets except when an employee is working on the file. Digital files of the same nature should only be accessible to appropriate personnel.

Any records, data, or files containing health information, protected health information, personal information, personal identification numbers, or personal identifying information transmitted electronically to other appropriate recipients must be protected by encryption.

Any records, data, or files containing health information, protected health information, personal information, personal identification numbers, or personal identifying information transferred by mail or other courier to other appropriate recipients must be sent by traceable means (tracking number). A detailed record of the information transferred must also be maintained.

The College will, to the extent applicable and administratively practicable, comply with the GDPR as part of everyday working practices, by: ensuring Personal Data is managed appropriately through this Policy; understanding, and applying as necessary, the Data Protection Principles when Processing Personal Data; understanding, and fulfilling as necessary, the Data Subject Rights; understanding, and implementing as necessary, the College’s Accountability Obligations; and the publication of data privacy notices outlining the details of how the College will collect and Process Personal Data in a clear and transparent manner.

Individual employees and staff are responsible for: completing relevant GDPR compliance training as advised by the College; following relevant the College policies and procedures including, but not limited to, this Policy; only accessing and using the minimum amount of Personal Data necessary for their contractual duties and/or other the College roles; ensuring Personal Data they have access to is not disclosed unnecessarily or inappropriately; where identified, reporting any Personal Data Breaches, and cooperating with the College to address them; and only deleting, copying, or removing Personal Data when leaving the employ of the College, as agreed with the College, and as appropriate.

The obligations set forth above in this Policy do not waive any personal liability for individual criminal offenses 5. for the willful misuse of Personal Data under applicable data privacy and security laws, including, but not limited to, the GDPR.
_______________________________

5. The College should note that Germany imposes criminal penalties under the FDPA for certain violations, including a “custodial sentence” of up to three years. Our understanding (as of the Compliance Date) is that criminal penalties under the FDPA generally apply to unauthorized transfers of Personal Data that are “commercial” in nature (e.g., where individuals are profiting from illegally selling Personal Data), and are not intended to encompass inadvertent data breaches.

The College and its employees must take security precautions to protect any and all records containing personal information, personal identification numbers or personally identifying information or data that needs to be sent to a third party or other location, either within or outside the College.

Any record that contains personal information, personal identification numbers or personally identifying information that needs to be sent to a third party or other location outside of the College, must be transmitted via encrypted communication or stored on a device that is encrypted during transfer.

The encryption key for accessing the information must be transmitted in a separate communication or provided separately, apart from the encrypted device.

An encryption matrix outlining what types of information should be subject to different levels of encryption will be provided by the Office of the Compliance Coordinator.

Official Records should be retained and managed by the department that has primary responsibility for the record and only for the time period established in the Record Retention Schedule.

Records, data, and information that are the property of Hartwick College and that which contains any personal information, personal identification numbers, or personally identifying information shall not be stored on personally-owned portable computing devices.

Physical Storage: When storing records in boxes or filing cabinets, consideration must be given to adequate space and accessibility, security, and damage prevention. Record storage boxes and file drawers should be clearly marked with a description that is sufficiently effective to retrieve the information later. Paper records that contain sensitive or confidential information, personal information, personal identification numbers or personally identifying information must be kept in lockable cabinets or drawers when not in use.

The Record Center: Secure storage with restricted access for paper records is available on campus in the Record Center. The Record Center serves as a temporary storage area for non-permanent records, generally with retention periods of five, seven, or ten years from the date of creation. Each year, the College Archivist, who functions as the records manager, receives written permission from department record coordinators to dispose of records scheduled for destruction. If department record coordinators choose to store files in the Record Center, they should contact the Archivist and follow established guidelines for delivery, retrieval, and eventual disposition. The amount of storage capacity in the Records Center is limited and the archivist, department record coordinator, and the compliance coordinator will collaborate to determine which records will be stored there. Access to the Record Center is restricted to the archivist, and in his/her absence, to the Library Director’s Office staff. The archivist will retrieve records from the Record Center for department record coordinators or their representatives on request. Permission from a department record coordinator is required for any person from a department other than that in which the records originated to access records stored in the center.

Digital Storage: When storing records in a digital format, consideration must be given to accessibility, security, and loss prevention. A digital backup or paper copy of an Official Record must be maintained throughout the retention period, such that hardware, software, human error, or other failures will not abridge the required or suggested retention period of the record. If the only official copy of a record is an electronic copy, a duplicate copy of the record must be stored in an alternative location or medium.

Digital records, although electronic in format, are subject to the same rules and retention periods as those which govern the management of paper records. Backup procedures are necessary to protect and ensure that digital records remain secure and accessible for as long as they are required. Therefore, any Digital Record that is necessary to meet fiscal, legal, or administrative needs of the College, or that contains historically significant information must be secured in one or more of the following ways to protect against information loss or corruption: a paper copy of the Digital Record must be printed; a copy of the Digital Record must be stored on the College’s secure shared network.

Email: Email messages, sent and received, from a @hartwick.edu email address are evidence of the College’s business transactions and activities, are the sole property of the College, and are considered the College’s Records which are subject to the same rules and regulations as those which govern the management of paper and/or digital records. The content of the email message will determine whether or not it is an Official Record or a General Administrative Record.

Email messages should be treated as an Official Record if the email message meets one or more of the following criteria:

  • Proves a business-related event or activity that did or did not occur.
  • Demonstrates a transaction.
  • Supports facts the College claims to be true.
  • Has legal or compliance value.
  • Meets a legal or compliance responsibility covered by law or regulation.

 

Policy, program, and/or procedural directives issued by members of the senior administration team or by directors or supervisors if email is the only mean of communicating this information.
Records created within email systems, which meet the legal or regulatory requirements of the College, are subject to the same retention periods as the paper or hard-copy versions and must be secured in one or more of the following ways to protect against information loss or corruption: a paper copy of the email must be printed, which includes all the header information (To; From; Date; Subject Line, etc.); a copy of the email and any attachments must be stored on the College’s secure shared network.

The College and, where applicable, its Representative, is required to maintain a record of its Processing activities containing all of the following information: the name and contact details of the Controller, and, where applicable, the (i) joint Controller, (ii) Controller’s Representative, and (iii) Data Protection Officer; the purposes for Processing; a description of the categories of Data Subjects and of the categories of Personal Data; the categories of Recipients to whom the Personal Data has been or will be disclosed, including International Recipients or International Organizations; where applicable, transfers of Personal Data to an International Recipient or International Organization, including the identification of that International Recipient or International Organization and, the methodology permitting International Transfer under Article 49(1) of the GDPR, the documentation of suitable safeguards; where possible, the retention schedule of the different categories of Personal Data; and where possible, a general description of the technical and organizational Security Measures utilized, such as those referred to in Article 32(1) of the GDPR.

All policies, procedures, and other documents relating to the privacy and security of Personal Data will be maintained for at least six years following the effective date of the document. When a policy, procedure, or other document is updated or revised, the previous version of the document should be archived for at least six years following the date the policy, procedure, or other document ceased to be effective.

Any communication that is required to be made in writing under the GDPR should be maintained for at least six years following the date the communication was made or was in effect, whichever is later.

If an action, activity, or designation is required to be documented under the College’s “GDPR Privacy Notice,” then the documentation should be maintained for at least six years following the date it was created or was in effect, whichever is later.

Documentation may be maintained in written or electronic format.

The College will keep records that are sufficient in detail to provide the required information by which the document may be checked.

For electronic recordkeeping, the College may apply any reasonable document retention requirements, including, but not limited to, the rules for electronic document retention otherwise contained in this Policy.

Disposing of records is an important element of the records management lifecycle. Keeping records past their retention period may cause confusion and expose the College to unnecessary risk. Records kept beyond their expected disposal date can be requested or subpoenaed and cannot be disposed of once requested, which may increase the College’s exposure during litigation. Therefore, records that have outlived their purpose, have no historical value, or for which there is no legally specified period for retention nor the subject of a Legal Hold, should be disposed of in accordance to this policy and the Record Retention and Disposition Schedules.

When the required retention period for a record has passed, a determination of whether to preserve the record as an Archival Record or to dispose of the record must be made. The department record coordinator should consult with the archivist to make a determination as to whether or not a record will be placed into archives as a permanent, historical record of the College.

If a record is to become part of the archives, the archivist will assume responsibility for preserving and maintaining control over the record.

If the record is not of archival value, the department record coordinator will authorize the disposal of the record according to one of the approved methods for disposal outlined below.

The following are approved methods for the disposal of records:

Recycling/Trash: the standard disposal method for records that do not contain sensitive or confidential information.

Shredding: the disposal method for records that contain sensitive, confidential, health information, protected health information, personal information, personal identification numbers or personally identifying information.

Erasing/Deleting: the disposal method for destroying electronic records that do not contain sensitive or confidential information.

Secure Digital Destruction: the disposal method for sensitive, confidential, health information, protected health information, personal information, personal identification numbers or personally identifying information or data from a computer or other electronic storage media before the devices are recycled, reused, disposed of, or discarded. This method should be carried out in collaboration with the Information Technology department.

Imaging: converting paper records to digital images, microfilm, or other media and then disposing of the paper record by recycling or shredding according to the sensitivity and confidential nature of the paper record.

No records shall be destroyed prior to the expiration of the retention period specified in the applicable Record Retention and Disposition Schedules.

Draft records or documents should be disposed of as soon as they have been superseded by the official version of the record or document.

Duplicate records or documents should be disposed of when they are no longer useful and should never be kept longer that the official copy of the record.

Records that contain Sensitive, Confidential, Health Information, Protected Health Information, Personal Information, Personal Identification Numbers or Personally Identifying Information
In accordance with New York State General Business Law Section 399-h, records that contain sensitive, confidential, health information, protected health information, personal information, personal identification numbers or personally identifying information, must be disposed of by someone who has approved access to the records.

In accordance with the U.S. Department of Health and Human Services HIPAA Privacy and Security Rules, if the College hires an outside entity to dispose of records that contain health information and/or protected health information, the College must enter into a contract or other agreement with the business entity that requires the business entity to agree to appropriately safeguard the records and information contained in the records through disposal.

Concerning individuals protected by the European Union’s GDPR, whether related to the processing, management, correction, and/or disposal of individual information, refer to the Hartwick College Privacy Notice.

The College will retain records in accordance with approved Record Retention and Disposition Schedules available from the Office of the Compliance Coordinator. These schedules describe the official retention period for each type of record, which may change from time to time for various reasons. Department record coordinators in collaboration with the compliance coordinator must do their best to stay abreast of changing requirements so that Record Retention Schedules can be updated accordingly.
Under Article 30 of the GDPR, the College must maintain policies, procedures, and other documentation related to the privacy and Security of Personal Data. Although no specific retention period is stated in the GDPR, the College should maintain documentation for six years following the date the document was created or the date the document was in effect, whichever is later. No particular form of record retention is mandated for paper or electronic records.

Records not listed in the schedule that are substantially similar to those listed should be retained for the length of time required for the substantially similar record.

The Record Retention and Disposal Schedules articulate the definition of various records, the medium in which they exist, where the records are stored, and a timetable for the disposition of records. The purpose of a Record Retention and Disposition Schedule is: to ensure that records are maintained securely, readily available, and retained for administrative, legal, and fiscal purposes for the appropriate amount of time; to ensure that legal requirements for record retention are met; to ensure that records with enduring historical and other research value are identified and retained permanently; and to encourage and facilitate the systematic disposal of unneeded records.