Record Management Resources
Protecting Mines’ data should occur throughout the complete data life cycle, which includes disposal of such information. Personal data should be securely disposed of upon expiration of the retention period. Personal data should not be kept longer than necessary, as defined within University policy. Failure to manage these privacy risks when personal data is involved can have a negative impact on individuals as well as on Mines’ reputation and bottom line.
- State of Colorado Retention Schedules – The State of Colorado provides retention requirements for certain types of data. These should be adhered to unless there is another regulation governing the same documents.
- Higher Education Compliance Alliance – This site provides the references and links to applicable laws and regulations for higher education. It can be used to identify additional retention requirements that apply to certain types of data.
Conflicts between the state retention schedule and regulatory compliance requirements will default to the longest retention period.
Any university record containing personal data shall be destroyed using an appropriate method to render the content irretrievable and indecipherable [C.R.S. 24-73-101]. The application of effective disposal is critical to ensure that sensitive data is protected against unauthorized disclosure.
Records should not be destroyed if there is a legal hold, if there is a request under the Colorado Open Records Act, or if you have been advised otherwise by the Office of the General Counsel.
Resources to Securely Dispose of Confidential Data
- Paper documents containing confidential data should be securely shredded. This can be accomplished through an office shredder or through Facilities Management, which provides free shredding services to University departments. Submit a work order in FAMIS (accessed through Trailhead) for pick up and secure shredding of paper documents.
- NIST guidelines for media sanitization can be accessed here.
- Best practices for secure data destruction of FERPA-protected data can be accessed here.
According to the Colorado Revised Statute [C.R.S. 24-73-101], entities are required to destroy or arrange for the destruction of paper and electronic data that contains personally identifiable information by shredding, erasing, or otherwise modifying the personally identifiable information to make it unreadable or indecipherable through any means.
Contracted vendors are to be held to the same standard as the University. It is the data steward’s responsibility to ensure vendors meet the retention requirements and delete the records after the retention period is met. Management of this risk primarily occurs through contract language requiring the vendor to handle personal data with care and dispose of it through secure methods upon expiration of the agreed-upon retention period. Risks should be assessed and a business decision made to move forward (or not move forward) with a vendor if these agreements cannot be made.
- Mines Work Order System – Submit a work order in ‘FAMIS’ (accessed through Trailhead) for secure shredding services.
- Office of Policy and Compliance – This office maintains Mines’ policies and can assist with compliance questions.
- Research Data Management – The Arthur Lakes Library provides data management tools for each phase of the research data lifecycle.
- Mines’ data policies are accessible here.
- Colorado Records Management Documents are accessible here.