Universities and other higher education institutions pose a unique challenge to records and information management. They have complex organizational structures, massive numbers of individual records, and highly variable record lifecycles across multiple stakeholders. The record types managed by universities range from student records to architectural drawings and financial documents. Despite this, many universities do not have a dedicated records and information management team. In an age of growing information privacy, this opens universities up to significant risk and puts great strain on legal and IT departments that are not properly equipped to respond to requests for records access.
Recently, the importance of good records management has been made more evident by several prominent data breaches with wide-reaching implications. Data has become both extremely valuable and powerful. Data privacy, once something that was of limited concern to the average person, has become a prominent issue. Governments are racing to introduce legislation, such as the GDPR in Europe and the CCPA in California, to better regulate how records are handled by organizations. University records often contain Personally Identifiable Information (PII), which places them firmly at the center of these new regulations.
With limited dedicated records and information management, many universities are leaving themselves open to significant liability. The number of data breaches at higher education institutions is on the rise, with many universities having to pay out significant sums in lawsuits in recent years. As new regulations force universities to meet modern records and information management standards, higher education institutions need to take the issue more seriously or risk litigation.
Records Management Best Practices
It is vital that universities and other higher education institutions begin to build out robust, dedicated systems for proper records and information management. With multiple offices of records, varying record types, and retention and disposition schedules that can vary greatly across the organization, universities face a complex records management problem. Each department and office of record in a university will have different needs regarding access to, and management of, records. With that in mind, we have outlined some records and information management best practices to guide higher education institutions through the process.
1. Get Buy-In from Stakeholders
The first step is to get the buy-in from all stakeholders. This should include legal counsel, internal auditors, chief information officers, records managers, head of student affairs, head of academic affairs, privacy officers, information security officers, and all offices of record involved in the record lifecycle. Without the input of all these parties, the strategy that you develop will inevitably fall short when implemented across the entire organization.
2. Understand Regulations
Before any planning can begin, those involved need to have a clear understanding of all the regulations that will affect the organization. This will involve classifying all of the record types that the organization will collect, generate, and manage. That way, all the pertinent regulations can be properly identified and understood before embarking on developing a records and information management strategy. For universities, given the regular accommodation of both international students and faculty, this can often involve a large number of regulatory frameworks that need to be considered.
3. Develop a Strategy
The next step is to develop a strategy built on a foundation of the different departmental and regulatory needs. The strategy should begin with a comprehensive audit of existing systems and processes for areas of risk. An ideal strategy will involve a clear definition of what incoming information is considered a record, classification of different record types, and an auditable approach to assigning record responsibility to stakeholders. It should also include a set of rules for data management and document security that clearly dictates exactly how records of different types should be handled, along with a well-documented retention and disposition schedule for each record type.
4. Review and Adjust
Any strategy that your organization puts in place should be prepared for regulations, technologies, and departmental needs to change. The records and information management infrastructure should have a regular system of review built into it. You should also ensure that your records and information management systems and processes are designed in such a way as to not be inflexible, with unnecessary interdependencies. Otherwise, making adjustments to the system after a review may be more difficult than it needs to be.
5. Document Policies and Processes
The most essential part of the process is properly documenting all of your policies and processes. A system of records and information management is only as good as its documentation. Without being able to properly communicate schedules, requirements, and standard operating procedures to members of the organization, maintaining an effective university records management system is impossible at scale. Properly documented policies also ensure that your students and other data stakeholders are fully aware of how their records will be handled and what their options are for recourse if they are not handled in that way.
Ultimately, the complexity of implementing a university records management program can be made significantly more simple by taking the time to develop a proper strategy. By first getting all stakeholders on board with the importance of records and information management, you can ensure that the project gains the support and budget it needs. It also ensures that all the varying departmental needs are met properly by the system down the line. From there, a regular system of review and proper documentation will protect your strategy from becoming outdated or incompatible and ensure that it can be understood and implemented properly down the line.