4-OP-F-6 Destruction/Shredding of Confidential Documents and Records

Responsible Executive: Finance and Administration

Approving Official: Vice President of Finance and Administration

Effective Date: January 1, 2014

Last Revision Date: Unrevised at this time.


SPECIFIC AUTHORITY

  • Chapters 119 and 257, Florida Statutes
  • Chapters 1B-24, 1B-26, Florida Administrative Code
  • Policy No. 0P-F-3, FSU Policies and Procedures

OBJECTIVE

  • To specify the methods and responsibilities for the destruction/shredding of confidential documents and records that, if not securely maintained and destroyed/shredded in accordance with this policy, can cause irreparable harm to individuals and the University.

OVERVIEW

  • Florida State University generates, receives, and stores many documents and records of a confidential nature. If confidential documents and records are not securely maintained and periodically destroyed/shredded, there is potential danger that individuals' confidential information can be obtained and misused for illicit purposes such as identity theft; fraud; and wrongful access to facilities, materials, and information. Therefore, for the protection of all members of the University community-faculty, staff, students, donors, etc.-and for the protection of the University as an institution of higher education, this policy is hereby enacted immediately, and is applicable to all executive offices, divisions, colleges, schools, departments, centers, and institutes.
    1. DEFINITIONS
      1. Confidential Documents and Records
        1. Any document, paper, letter, map, book, tape, photograph, film, sound recordings, data processing software, or other material, regardless of the physical form, characteristics, or means of transmission that contain any or all of the following information:
          • Social security number.
          • Name and a date of birth.
          • Credit card number or FSUCard number.
          • Academic information regarding students identified by name and/or social security number. This includes, but is not limited to: graded exams, term papers, transcripts, class rosters, and student/team projects.
          • Other information regarding students, including, but not limited to: records of disciplinary proceedings, housing records, membership in student organizations if social security numbers are used.
          • Faculty, A&P, USPS, or OPS personnel records.
          • Medical records.
          • Any other information considered confidential in accordance with the provisions of the Federal Educational Right to Privacy Act (Buckley Amendment), 20 USC, Section 1232, and above-referenced Florida Statutes and Florida Administrative Code.
      2. Records Management Liaison Officer
        1. The individual is responsible for developing the agency's records management program and for providing communication and procedural coordination between the agency and the Bureau of Archives and Records Management. The Records Management Liaison Officer may be contacted through the Office of the Vice President for Finance Administration.
      3. Confidential Records Coordinator
        1. It is recommended that each academic and administrative unit of the University, including executive offices, divisions, colleges, schools, departments, centers, and institutes, have a Confidential Records Coordinator. The Confidential Records Coordinator shall be delegated the responsibility for collecting, storing, and destroying/shredding confidential documents and records.
      4. Retention
        1. The minimum time period necessary to retain records before they have met their administrative, legal, fiscal or historical usefulness.
      5. Records Retention Schedule
        1. A standard approved by the Department of State, Bureau of Archives and Records Management for the agency's orderly retention, transfer or disposal of public records taking into consideration their legal, fiscal, administrative and historical value.
    2. PROCEDURES
      1. Notwithstanding the procedures discussed with FSU Policy OP-F-3, the Confidential Records Coordinator or other designated individual in each University unit should:
        1. Collect and store all documents and records containing confidential information, as defined above, in a secure location within the unit's facility. A secure location shall be any storage area, i.e., closet, that can be securely locked, is supervised throughout the business day, and which is not readily accessible to persons not authorized to move about freely within the unit's facility.

          However, as discussed within the section entitled, "Storage of Records," FSU Policy OP-F-3, no confidential documents or records shall be stored within any unit's secure storage facility if such documents or records are required to be stored in the State Records Management Center in accordance with the provisions of the Florida Statutes, Florida Administrative Code, and/or Rules of the Florida Department of State.
        2. If any unit does not have a suitable location within its facility, and receives and/or produces a relatively small amount of confidential documents or records, units may coordinate with other units in their building to identify and utilize a shared location suitable for the secure storage of confidential documents and records.
        3. At the discretion of the unit head, confidential documents and records may be destroyed by shredding by the Confidential Records Coordinator or other designated individual, without first being securely stored, if:
          1. A shredding machine is available in the facility.
          2. The records/documents have met the retention requirements set forth by the Records Retention Schedule and proper documentation approved by the FSU Records Management Liaison Officer (RMLO); they are not involved in any on-going audit, litigation or academic or administrative process and/or if the document(s) or record(s) are no longer needed after having been reviewed, read or otherwise processed within a short period of time (i.e. less than one (1) eight-hour work day).
          3. The Confidential Records Coordinator or other designated individual is responsible for ensure that no records are shredded prior to their retention period has been met.
        4. At the discretion of the unit head, he or she may require the Confidential Records Coordinator or other designated individual to maintain a log of confidential documents and records that are stored within a secure location and/or which are shredded. If such a log is required, it may contain the following:
          1. Nature of confidential documents or records (i.e. "Fall Semester, 2001, Class Rosters/Names and SSNs of Students Taking MAN3109).
          2. Form of confidential documents or records (i.e. computer print-out, report, letter, memorandum, etc.).
          3. Date that Confidential Records Coordinator or other designated individual placed confidential documents or records in the secure location.
          4. Duration of time (to exact date) that records must or should be stored.
          5. Date and method of destruction/shredding after proper documentation and approval is received from the FSU RMLO.
        5. In lieu of a log, an appropriate matrix sheet may be designed containing spaces for the information discussed in Section 4 a - e, above. Such matrix sheet should be affixed to the storage container and filled in at the time confidential documents and records are placed in the storage container and destroyed/shredded (after proper documentation and approval is received from the FSU RMLO).
        6. Confidential documents and records shall be destroyed/shredded according to the following:
          1. They shall be shredded "in-house," provided a shredder is available within the unit or building facility, and all retention requirements, as discussed previously in Sections 3 a - c above, have been met (as approved by the FSU RMLO).
          2. They shall be shredded by an authorized vendor in accordance with the contract provisions between the Purchasing Department and the vendor. If an authorized vendor is utilized, the vendor shall be contacted by the Confidential Records Coordinator or other designated individual, who shall arrange to have the storage containers picked up. In turn, the vendor shall either shred the records or documents on campus by use of a shredding machine within its truck, or transport the documents and records via secure truck to the vendor's off-campus shredding location. When using an authorized vendor, the Confidential Records Coordinator or other designated individual shall be responsible for complying with the contract provisions in terms of vendor pick-up schedules, required storage containers, and required volume of records and documents to be shredded.
          3. If destruction/shredding is completed to meet records retention requirements, the Records Disposition Document must be completed with the destruction method and date, authorized signature and witness signature. The original form is to be returned to the FSU RMLO.
          4. If these documents do not fall under the requirements of the Records Management Program, then if deemed necessary by the unit head, documentation of destruction/shredding shall be accomplished by completing the log or matrix sheet as discussed in Section 4 e, above, or by obtaining a Certificate of Destruction from the vendor.
        7. Confidential records, found by any employee in a location other than where they are to be properly stored, such as in trash receptacles, recycle bins or other locations, should be brought to the attention of the employee's supervisor for further action consistent with this policy.
    3. NON-SUPERSEDURE OVER EXISTING DEPARTMENTAL POLICIES AND PROCEDURES
      1. It is the purpose of this policy to enact procedures for the secure storage and destruction/shredding of documents and records containing confidential information for those University units that have no policies and procedures in place.
      2. However, this policy recognizes that certain University units deal continuously with confidential information, and already have enacted specific security and destruction/shredding policies (i.e. Police Department, University Health Services, Human Resources, Registrar's Office, Office of Inspector General Services, Office of the General Counsel, etc.)
      3. Therefore, this policy shall not be construed to supersede the policies and procedures of the above-cited or other University units that have developed and implemented their own specific policies for the storage and destruction of confidential documents and records.