MINES POLICY LIBRARY

Records Retention Policy

POLICY PROFILE

Responsible Administrative Unit: Information & Technology Solutions

Policy Contact: Chief Information Officer, Monique Sendze (msendze@mines.edu)

1.0 BACKGROUND AND PURPOSE

Colorado School of Mines (“Mines”) is committed to retaining its records in a manner that supports business needs, optimizes efficient use of resources, protects privacy, meets legal requirements, and ensures the appropriate destruction of outdated and useless records.

As part of this commitment, Mines has promulgated this policy to establishes principles and procedures for the retention and disposal of University Records consistent with C.R.S. §24-80-101 et seq. and §24-73-101.

2.0 POLICY STATEMENT(S)

All University Records must be retained and destroyed in accordance with the applicable Record Retention Schedule.

University Records are the property of Mines regardless of their form or physical location, even when they are in the possession of employees, volunteer, students, contractors, or agents of Mines. University Records shall not be destroyed except as required by this policy.

University Records shall be maintained in a medium owned or controlled by Mines unless the use of an outsourced service provider has been approved by ITS.

3.0 RESPONSIBILITIES

All individuals with access to University Records must adhere to the requirements of this policy and procedures.

Data Stewards must maintain University Records under their direct operational responsibility in compliance with the policy and the procedures in Exhibit I.

Information and Technology Solutions (ITS) is responsible for providing and maintaining an electronic infrastructure that supports the compliance and business practices of document retention and destruction.

The Office of General Counsel will coordinate retention and production of University Records needed to respond to a CORA request, subpoena, litigation discovery request, or court order.

The Institutional Research and Strategic Analytics Office will provide guidance on the retention of data that is needed for longitudinal studies, analytics, and external reporting needs.

4.0 COMPLIANCE/ENFORCEMENT

Failure to comply with this policy may expose Mines to multiple risks, including sanctions, unexpected costs, and adverse inferences.

  • Failing to properly retain University Records according to this policy may result in Mines being unable to support ongoing transactions or claims.
  • Destroying University Records prior to their required retention period may result in financial penalties.
  • Keeping University Records beyond their retention period may result in penalties for failure to protect certain types of information, potential breach notification requirements, etc.
  • Penalties to Mines can range from basic violation fines to significantly higher penalties for willful violations.

Violations of this policy will be reviewed on a case by case basis and will be addressed as deemed appropriate by the Office of the Chief Information Officer. Intentional violations of this policy may result in disciplinary action, up to and including immediate termination.

5.0 EXCLUSIONS

Retention and preservation of information system backups will follow Mines Disaster Recovery Procedures, as maintained and separately defined by ITS.

6.0 DEFINITIONS

CORA (Colorado Open Records Act) means the Colorado state law that requires all public records (defined as all writings made, maintained, or kept by a state institution) be open to inspection by the public. Public records include but are not limited to all books, papers, photographs, tapes, recordings, digitally stored data and electronic mail.

Data Steward means an individual with direct operational responsibility for a broad segment of university data. See Data Classification and Roles Definitions.

Non-Records means informational material that does not meet the definition of a record; e.g., extra copies of documents kept for convenience; reference stocks of publications; blank forms, formats, or form letters; documents that do not contain unique information or that were not circulated for formal approval, comment, or action; or documents that provide no evidence of agency functions and activities. Non-records may also include duplicates that are maintained for convenience by a person or office who is not the originator or recipient of the record.

University Records means any and all written or recorded data produced or acquired in the course of Mines operations, including without limitation all papers, documents, e-mail messages, electronic materials, machine-readable materials (e.g., Word, PDF, Excel documents), and any other written or recorded data, regardless of physical form or characteristics.

University Records do not include:

  • Items defined as Non-Records.
  • Academic instruction materials or traditional scholarly works that are owned by the author pursuant to Mines’ Intellectual Property Policy.
7.0 RESOURCES or ATTACHMENTS

KEY WORDS
Archives, storage, documents, retention, disposal, data, destruction

8.0 HISTORY AND REVIEW CYCLE

The policy will be reviewed at least annually or as needed by the Responsible Administrative Unit.

Issued: March 24, 2021

EXHIBIT I - 1.0 PROCEDURES PURPOSE

These procedures establish the parameters and processes for the retention and disposal of University Records consistent with C.R.S. §24-80-101 et seq.

EXHIBIT I - 2.0 PROCEDURES

2.1 Retention of University Records. University Records shall be maintained in accordance with the applicable State Retention Schedules (Schedules 7 and 8) and regulatory compliance requirements (including any applicable state or federal law). Data Stewards are responsible for determining, with appropriate consultations, if a record fits into the categories outlined in the State Retention Schedules. Regulatory compliance requirements can be identified by reviewing the Higher Education Compliance Alliance matrix to identify applicable regulations, clicking on the links to the regulations, and reviewing to determine applicable retention/disposal requirements. For questions regarding the Higher Education Compliance Alliance matrix contact compliance@mines.edu.

Conflicts between the State Retention Schedule and regulatory compliance requirements should default to the longest retention period.

If no retention period is established by the State Retention Schedule or applicable regulations, departments and offices may create their own schedules in accordance with their operational needs and in consultation to those listed in this policy.

Once the retention period has expired, University Records should be archived or destroyed, unless, for example:

a. The Office of the General Counsel has advised that applicable law or other statutory or regulatory provisions require the University Record be retained for a longer period than set forth in the retention schedule;
b. The University Record is subject to a pending request under the Colorado Open Records Act;
c. The University Record is subject to a legal hold, has been requested in any legal proceeding, or is identified by the Office of the General Counsel as likely to be requested in any legal proceeding; or
d. The University Record is needed to perform current or future activities in support of functions for which a department or office is responsible (i.e., it serves a current business or operational need.)

The retention of Non-Records is at the discretion of the Data Steward.

2.2 Disposal. When the prescribed retention period for a University Record has passed, the University Record should be archived or destroyed. If there is no prescribed retention period, the University Record shall be archived or destroyed when it has outlived its usefulness as determined by the Data Steward.

The means of disposal may be determined by the unit in possession of the University Record but must consider the nature of the record’s contents.

a. University Records (non-confidential or personal) that are not in electronic form (i.e., paper, hard copy) must be destroyed by shredding or recycling.
b. University Records (non-confidential or personal) that are in electronic form must be appropriately deleted/destroyed by rendering the data unrecoverable. Methods of destruction include, but are not limited to, simply deleting or overwriting data, degaussing using strong magnetic fields to fully erase all data on a storage drive or physical destruction of the storage device via shredding or incineration.
c. Confidential or personal records, (e.g., records containing personally identifiable information, trade secrets, personal or sensitive financial information, research results, or records subject to any privilege, such as attorney-client), must be rendered irretrievable and illegible by shredding or by other means that renders the confidential or personal record unreadable, indecipherable, and/or unrecoverable.
d. Secured shredding services may be requested from Facilities Management by submit a work order in Famis within Trailhead.