John Hay Library, Brown University Archives
Brown University Records Policy
The following policy establishes institutional-wide principles for the responsible management of University records.
This policy, in accordance with other established University policies and procedures, applies to all records created or received by an office or department of the University in transaction of its proper business or in pursuance of its legal obligations. For the purposes of this policy, records are defined as information in any tangible format used to conduct the affairs of the University or which must be maintained or stored for some period of time due to government regulation, generally accepted standards, or university mandate. The tangible formats include but are not limited to hard copies, such as paper and photographs, and electronically stored information (ESI), such as email and audio files. All such records are the property of Brown University and subject to the following University-designated security classifications:
- Public: information that can be shared with anyone without damage to the University.
- Regulated: information that is not only confidential but subject to regulatory compliance (e.g., FERPA, GLBA, FACTA, and data collected from human subjects) and audits.
- Brown Confidential: includes all other information.
The implementation of an institutional records policy incorporates sound management practices and procedures and provides the following benefits: guidelines for selecting and preserving critical and historically significant records, adherence to industry standards, compliance with legal mandates, reduced costs by eliminating storage of obsolete records, improved access to records, improved data security, increased accountability, and reduced risks.
While there may be instances where records or portions of records are shared by several departments or offices, a primary steward will be identified who will be responsible for decisions related to the maintenance, access, and retention of the records.
Establishing and operating effective recordkeeping systems and practices requires a multi-pronged approach. It is essential for University departments and offices to make effective use of industry standards and the necessary range of expertise available throughout the University. This includes standards and expertise in archives and records management, information technology, data and information management, information security, business system analysis and design, auditing, risk management, and law.
1. Appropriate measures and standards will be applied to ensure that University records remain authentic, secure, and confidential.
- Use appropriate physical and logical methods to protect records from accidental or intentional alteration and/or destruction.
- Only the primary steward or his/her authorized representative will be permitted to create, capture, duplicate, or destroy University records.
- University employees who have access to confidential information have a responsibility to maintain and safeguard that information, to access and use only the information minimally necessary to perform their job duties, to become informed about applicable legal mandates and industry standards for protecting that information, and to use the information with consideration and ethical regard for others.
2. The collection, processing, maintenance, disclosure, storage, retention and disposal of Personally Identifiable Information (PII) will be conducted in accordance with applicable laws, regulations, and University policy.
- PII is information which when linked can be used to distinguish or trace an individual's identity. The University is obligated to keep PII elements (whether in electronic or hard copy format) confidential and secure during collection, processing, maintenance, disclosure, storage, retention, and disposal.
- PII elements include but are not limited to: name, address, SSN, driver’s license, account/financial information, date of birth, phone numbers, email addresses and personal health information. For more examples of PII, please refer to Appendix C.
- Access to, use, collection, and retention of PII will be limited to the minimum amount necessary to conduct University business. The categories of PII will be reviewed periodically. If the PII serves no current business purpose, the PII will not be collected.
- PII will only be collected by authorized individuals based upon the minimum needs of their job responsibilities. Authorized individuals with access to PII are responsible for the proper handling, disclosure, storage, retention, and the proper disposal of the information they collect.
3. University records will be preserved in reliable recordkeeping systems for as long as required by law and University policy.
- Store records in controlled environments that preserve the record for as long as required.
- Ensure the future usability of records through the application of evolving reformatting or conversion strategies, copying records to a stable medium and/or updating hardware, software, and storage media as appropriate.
- Departments and offices will create and maintain unit-specific policies and practices that account for the reliable management of their records. The most effective decisions, made in consultation with the appropriate administrative offices, come from those closest to the actual work.
- Recordkeeping systems will include adequate system controls as appropriate, such as guidelines for classifying and filing records, security and protection of confidential or regulated information, and practices and procedures for measuring the accuracy of data input and output audit trails.
4. Records will be accessible and retrievable in a timely manner throughout their retention period.
- Ensure that records are easily accessible and retrievable in the normal course of all business processes.
- The University will provide training and user support programs to ensure that authorized users can access and retrieve records.
5. Access to University records will be controlled according to well-defined criteria.
- Construct recordkeeping systems so as to ensure that records are protected from unauthorized access.
- University departments and offices will take measures to prevent unauthorized access to regulated and confidential records by adequately identifying such records and by defining the rules governing access to these records.
6. The creation and management of University records will be an integral part of work processes and associated business procedures of University departments and offices.
- Departments and offices will create records that accurately document their core activities.
- Departments and offices will designate a person (or persons) responsible for the department’s/office’s records management.
- Departments and offices will know and comply with applicable Brown policies and external laws, regulations, and standards that concern the management of their records.
- Consult the Office of the Vice President and General Counsel for assistance regarding laws and regulations that impact the management of records.
- Build recordkeeping into the defined business processes and the work environment, thereby ensuring that records are captured, understandable, and usable.
- Whenever possible, departments and offices will set up models of business processes to determine where and when records should be created and used in the course of University business.
- Departments and offices will create and maintain local record management policies and procedures that fully and accurately document their department’s or office’s needs.
7. Records will be retained and disposed of in accordance with records retention schedules and destruction procedures/plans.
- Include an approved disposition plan for all recordkeeping systems. The method of destruction of records will depend on their security classification.
- Shred sensitive or confidential paper documents that are no longer needed, and secure such documents until shredding occurs. If a shredding service is employed, ensure that the contractual agreement includes clearly defined procedures that protect discarded information and that the provider is legally accountable for those procedures, with penalties in place for breach of contract.
- When confidential or sensitive information is stored on the hard drive of a machine that is to be discarded, sent to surplus, or transferred to another individual or department, take extra measures to wipe clean the hard drive before the computer leaves the area of responsibility. University Purchasing should be contacted for the approved list of service providers whose contracts adhere to this policy.
- Transfer inactive records of permanent historical value to the University Archives. Archival records preserved in the University Archives are in the official custody of the University Archivist.
- Consult the University Archivist if there is a question of whether records should be transferred to the Archives instead of being destroyed.
RESOURCES AND GUIDELINES
Departments, units, and administrative offices designing or modifying recordkeeping systems will consult with the appropriate office (such as the University Archives, Office of Sponsored Projects, the Controller’s Office, Office of General Counsel, Office of Internal Audit Services, Computing and Information Systems, or the Registrar) at the start of these projects to discuss archival and records management requirements.
Related Policies, Guidelines and Best Practices
For more information about the management of the following types of records, please contact the University office indicated:
- Administrative Records (Departments; University Archives)
- Advancement Records (University Advancement; Medical School)
- Alumni Records (Alumni Relations; University Archives)
- Corporation Records (Secretary of the University; University Archives)
- Electronic Records Security (Chief Information Security Officer)
- Environmental Health and Safety Records (Environmental Health and Safety)
- Facilities and Grounds Records
- Faculty Records (Dean of Faculty)
- Financial/Budget Records (Office of the Controller)
- Intellectual Property Records (Office of the Vice President for Research)
- Legal and Regulatory Compliance Records (General Counsel; Office of the Vice President for Research)
- Personnel Records (Human Resources; Medical School; Dean of the Faculty)
- Research Records (Office of the Vice President for Research; Office of Sponsored Projects)
- Student Academic Records (Office of the Registrar; Dean of the College; Dean of the Graduate School; Medical School)
- Student Life Records, including medical (Office of Student Life)
- Student Statistics (Office of Institutional Research; Medical School; Graduate School)
- University Archives, historical records
- University Research Data and Compliance (Office of the Vice President for Research)
Examples of Personally Identifiable Information (PII) *
The following list contains examples of information that may be considered PII:
- Name, such as full name, maiden name, mother’s maiden name, or alias.
- Personal identification number, such as SSN, passport number, driver’s license number, taxpayer identification number, patient identification number, and financial account or credit card number.
- Address information, such as street address or email address.
- Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people.
- Telephone numbers, including mobile, business, and personal numbers.
- Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, or other biometric image or template data (e.g., retina scans, voice signature, facial geometry).
- Information identifying personally owned property, such as vehicle registration or identification number, and title numbers and related information.
- Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, or employment, medical, education, or financial information).
* Source – NIST U.S. Department of Commerce
The definition of what constitutes PII will change as the NIST definition is modified.