MMC Electronic Data Retention Policy

POLICY STATEMENT

In accordance with applicable federal, state, and local laws, rules and regulations, Marymount Manhattan College (the College) requires that College electronic records be retained for specific periods of time and be maintained in specific repositories. The electronic records will be properly and diligently upheld by following the rules and regulations of this document. This policy relates to electronic records.

REASON FOR POLICY

The College engages in numerous business activities in multiple locations that involve the generation of an increasing volume of business records through electronic means. The Electronic Record Retention Policy is for the College to adopt rules for the creation, protection, maintenance, storage, dissemination and destruction of electronic records in a manner that is consistent and transparent with the accountability requirements of federal, state, and local laws, and other regulatory aspects that impact file storage. In addition, this set of guidelines will be adopted to help determine the cost of record keeping, improve data security and record retrieval efficiency.

WHO SHOULD KNOW THE POLICY?

All College Faculty and Staff, Independent Contractors, and Board of Trustee members that are responsible for the accurate creation, placement or usage of any record for the College.

POLICY SCOPE

The policy covers the basic requirements for electronic records, and it covers the following:

  • Email accounts provided by the College and all email transmissions made over College networks and network services.
  • Removable magnetic media including external hard disk drives, external devices containing hard disk drives, floppy disks, and magnetic tape.
  • Removable flash-based media including thumb drives, digital media players, digital cameras, and smart phones or cell phones.
  • Optical media including DVDs and CDs, Backup and Disaster Site.
  • Server and cloud data including e-mail, cloud storage, and sftp storage locations.
  • Social Media and Workstation/Laptop local storage.

The retention of records to be maintained as a result of contractual requirements, as well as the retention of physical records and documents, is beyond the scope of this policy.

DEFINITIONS

Archival Records: An original College record that has permanent or historic value, is inactive, and is not required to be retained in the office in which it originated or was received. Archival records are retained and preserved indefinitely in the College Archives. The College’s record administrator will make all final decisions concerning whether records will be preserved in the College’s archives.

Electronic Records: Records that have been generated electronically or converted to an electronic format and are stored on some form of electronic storage medium or in a computer system. This type of record may include, but is not limited to, e-mail, scanned documents, word processing documents, etc.

Permanent Records: College records that have enduring legal or financial value that remain active in perpetuity.

Retention Period: A record’s life cycle that identifies the duration of time for which the information should be maintained or retained.

Retention Schedule: A list of records maintained by all or part of an organization together with the period of time that the records or groups of records are to be kept. The electronic record retention schedule applies to records that are in an electronic format.

Retention Period: Records retained for a certain period or greater than the applicable retention schedule may be disposed of in accordance with these guidelines. Refer to the retention schedule for specifics on the length of time for types of electronic records.

Transitory/Disposal Records: Records that do not have any operational, informational, evidential or historical value and can be destroyed as soon as their retention period becomes effective.

Record Management: The act of supervision and administration of electronic records irrespective of the records’ format. The practice includes the creation, maintenance, receipt, use and disposal of the records.

Disaster Recovery Site: The Information Technology (IT) Department replicates a copy of the production system to the disaster recovery site. The records at the disaster recovery site should be used only for recovering from a catastrophic production system loss.

Backup: The IT Department performs backups on a regular schedule of the electronic files stored on central servers for disaster recovery. These backups are to be used for system restoration purposes only. The IT system administrator is not the legal custodian of messages or records which may be included in such backups.

DATA RETENTION POLICY

The College will:

  • Retain and safeguard electronic records necessary to effectively conduct its program activities, fulfill its mission and comply with applicable federal, state, and local laws, and other regulatory requirements.
  • Provide on-going service to the user community including students, employees, and vendors.
  • Preserve intellectual property and eliminate the onerous expense of storage of irrelevant and obsolete electronic records.
  • Improve the efficiency of its operations and reduce the time and cost expended retrieving records in response to business requests and management needs.
  • Prevent the improper alteration, destruction, mutilation or concealment of its records.

RETENTION REQUIREMENTS

  • All electronic information will adhere to the Record-Retention Schedule to comply with this policy. This policy is an integral component of the cyber security plan.
  • Purge stored information when the scheduled threshold defined for the specific classification of information becomes effective, using an appropriate disposal method as outlined in this policy.
  • Information system media containing information will be sanitized or destroyed before disposal or release for reuse.
  • Data will be stored for the shortest possible time, accounting for legal obligations for extended retention, and ensuring that business operation is not hindered.
  • Data must be kept accurate and up-to-date.
  • The Record-Retention Schedule will document the data that is stored and the duration of retention.

DERIVED DISPOSAL REQUIREMENTS

  • Upon expiration of the retention period for the data, the College will actively destroy the data covered by this policy.
  • Electronic records that are generated and maintained in the College’s information systems or equipment should be periodically reviewed to ensure that these requirements are met.
  • The College will create metadata of records and their locations to easily find the locations of records.
  • Where information is transferred to media, that media shall be stored in a cataloged structure that will help easily identify the expiration of the record.
  • A person who believes that there are legitimate business reasons why certain data should not be destroyed at the end of a retention period should identify this data and notify their supervisor; in addition, the reason why the data should be kept must accompany the record that is being stored for longer than the scheduled retention time.
  • Deletion of data shall be implemented to ensure the compliance of Personally Identifiable Information (PII) stored on digital media that is at rest and in transit, or on digital media during transportation, regardless of the protection provided by cryptographic algorithms or by alternative physical safeguards.
  • The College will control the use of removable media on information system components.
  • When content from the information system is output to some form of media, that content and media must be handled, stored, and cataloged in adherence with storage procedures that will help enforce the Data Retention Policy.
  • The College will keep an inventory of media containing PII and maintain accountability for media during transport outside of controlled areas. Further, all such transportation shall be documented.
  • The use of portable storage devices will be prohibited when such devices have no identifiable owner.
  • The College will protect the confidentiality of backups at storage locations, and backups will be deleted based on the set retention period.

RELEVANT PROCEDURES

Employees who wish to amend the retention schedule governing certain records because of legal or contractual requirements or management needs, or who feel that the schedule should be modified to suit the needs of the College, should submit the following information to the Assistant Vice President for IT:

  • Department and location maintaining the records.
  • Name of record, or simply a brief description if it is a proposed new item on the schedule.
  • The proposed retention period.
  • Reason for the proposed retention, including an explanation of the need for the record, who uses it, and for what purpose.

Various retention periods have been set to ensure compliance with applicable regulatory requirements. Government record-keeping requirements may change, and new government requirements may be added which are not reflected in this policy. In addition, if specific contractual requirements are more stringent than those expressed in this policy, the affected records are to be retained for the minimum periods set forth in such contract or applicable law or regulations. This exception is important with respect to record retention relating to government contracts and subcontracts. In some instances, retention periods will be abbreviated with a letter. The Record-Retention Schedule provides a key to the abbreviations.

NON-COMPLIANCE

Violations of this policy will be treated like other allegations of wrongdoing at the College. Allegations of misconduct will be adjudicated according to established procedures. Sanctions for non-compliance may include, but are not limited to, one or more of the following:

  1. Disciplinary action according to applicable College
  2. Termination of employment.
  3. Legal action according to applicable laws and contractual agreements.
