School records management 101: Deciding the what, when and how

Stack of binders full of paperwork

School districts generate a variety of paper and electronic records on a daily basis that must be managed on a routine basis. Office administrators and other personnel have the responsibility to safeguard records and to maintain them in appropriate filing structures and locations. This ensures easy retrieval, in addition to meeting state requirements for document retention for both public and confidential records.

The benefits of having a good record-keeping process are:

  • The school district is able to fulfill its mission and obligation to its students, families and employees by having appropriate documentation of all public school business.
  • Cost-effective use of organizational resources required to generate, maintain and retain vast amounts of information.
  • Promoting open and accountable public services.
  • Student Educational and Health Records are safeguarded in accordance with applicable laws.

All public records generated during the normal course of school business are property of the State of Washington under (RCW 40.14.020).

For the purpose of determining whether to keep or to shred a record that falls under the scope of a public record, two criteria must be met (RCW 40.14.010):

  1. The record must be made or received in connection with the transaction of public business.
  2. Regardless of what format it is in (paper, digital, tape, disc, film, microfiche, email, etc.).

If you use your personal computer, phone or other device to conduct school district business, you are accessing and may be creating a public record.

Improper destruction, alteration, or falsification of public records can result in a $5,000 fine and is considered a Class B Felony punishable by imprisonment up to ten years, or both. (RCW 40.16.020).

How do I know what to keep?
State school districts and Educational Service Districts (ESD) in Washington typically utilize two retention schedules that the state publishes and updates on a frequent basis:

Local Government Retention Schedule (CORE) which covers typical “bucket” retention items generated by most all governmental agencies related to: Business transactions, HR, Payroll, Worker’s Compensation, Benefits and Health;

And

Public Schools (K-12) Retention Schedule which covers retention items that are specific or unique to public schools such as student records containing transcripts, grades, assessments, employee and student misconduct, permanent records and cumulative folders.

Retention schedules contain groups of records by subject that are assigned a specific number, a description and a retention timeframe. Records are also classified as “Essential for Disaster Recovery” or “Archival” indicating that the record may have longer retention or require special handling and preservation.

Federal Retention Schedules may apply for specific grant funded programs and projects or to support expenditures for certain district operations.

Things to consider when managing your school or department’s records
There are basically two options and one exception for managing your records from creation to the end-of-life cycle. When it comes time to purge your files, consider the following:

1.  Destroy records once the retention period has been met

(Washington State records retention schedules; Chapter 40.14 RCW Preservation and Destruction of Public Records; Chapter 434-662 WAC Preservation of Electronic Records; and Chapter 434-663 WAC Imaging Systems, Standards for Accuracy and Durability).

  • Electronic records created in a system must be maintained in that system throughout the retention period before they can be deleted.
  • Printing out and retaining a copy of the electronic record is NOT a substitute for the electronic record (WAC434.662.040).
  • Paper records can be scanned and uploaded to a digital records format in place of the paper format using the Scan & Toss approach.  To be eligible for Scan & Toss the following must be true:

A. You must determine whether the records are designated as “Archival” or “Non-Archival.”
B. “Archival” records must be appraised by the state before the district can destroy them; “Non-Archival” records may be destroyed after verification of successful scanning and upload to a digital format.

2.  Transfer the records for review and archiving at the district or state level

  • Some records with long retention periods such as student permanent records relating to attendance histories, academic summaries, and final transcripts which are maintained in various formats including cards, paper, microfiche and digital format.
  • Records with historical value that tell a story about a school or district are retained for special events and reference.
  • Records that contain information that would be essential in the event of a disaster.
  • Records of a legal nature or that document certain benefits, injury claims, or mitigate dangerous situations.

3. Legal Holds

  • There are times when even though a record has met its retention period, that it may need to be kept longer in situations where there has been litigation hold requiring the district to keep certain records until a resolution has been made.
  • In cases of an open public records request where documents exist that are beyond their retention period but have been the subject of a public records request and cannot be destroyed until a period of time after the request has been fulfilled

Best Practice when it comes to shredding documents
Never destroy any record without pointing to a retention number authorizing you to do so. When in doubt, consult your district’s Vital Records Manager first.

For helpful tips, guidance, and information consult the District’s new website at Records Management & Retention or contact David LaGarde, Digital Records Supervisor at dlagarde@osd.wednet.edu, or submit a help request to help-records@osd.wednet.edu.

Managing your piece of the Pii

Computer keyboard with red caution cone resting on keyboard

This is the next in a series of monthly articles about digital records management from Digital Records Supervisor David LaGarde.

Personally Identifiable Information (Pii) 2CFR 200.79 is an integral part of all business operations, especially public schools whose records incorporate student files, financial documents, transportation records, health records and more.

Information that would disclose the personal identity of an individual to whom the information applies, or that could be reasonably inferred by either direct or indirect means, falls under the scope of (Pii).

Records containing (Pii) are generated everyday during the normal course of business in the district through paper and electronic records. Desktop files, Emails, Skyward, Alchemy, TreeNo and dozens of other programs and applications are all mediums used to generate and house data that must be managed and stored on a daily routine basis.

What constitutes Personally Identifiable Information?

Pii is defined as information:

(a) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or

(b) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator and other descriptors).

Additionally, information that would permit the physical or online contact of a specific individual is the same as personally identifiable information(Pii). This information can be maintained in paper, electronic or other media.

School employees who come in contact with data containing (Pii) are considered stewards of these records when conducting school business. It is the collective responsibility of all school employees to protect data that may contain sensitive information during the course of conducting school business or activities whether it be in paper, electronic or other district provided technology mediums. The important factor with all data is to remember that only individuals who have a “need to know” in their official duties capacity should have access to sensitive student or employee information not subject to The Washington State Public Records Act or other laws governing the disclosure of Public Information.

Consequences of inappropriate access or sharing of Pii

The loss of (Pii) can result in substantial harm to individuals, including identity theft or other fraudulent use of the information. Because regular school employees and contracted staff may have access to personally identifiable information concerning individuals and other sensitive data, we have a responsibility to protect that information from loss and misuse. There have been an increasing number of lawsuits over data breaches and sharing of (Pii) in recent years and interestingly enough, the legal landscape has focused on organizations keeping too much data which can lead to greater opportunities for records to be compromised.

Best Practices:

5 ways to protect (Pii) in daily records management

  1. Simply take inventory

Identify the documents that you create in your daily workflow that contain Pii (these can be paper or electronic). Know what records are housed in other systems or locations and avoid reproducing paper copies if you can manage your work electronically. Printing out documents creates additional opportunities to open the door to improper disclosure issues and also creates additional storage concerns in determining how a paper copy is to be managed and whether it must be saved or archived.

2. Downsize

Let’s face it. Paper costs a lot to purchase, as does the process to copy, store and dispose of. Paperwork is slowly becoming obsolete. Keeping too many records poses a higher risk of a data breach and can complicate the process of retrieval when records are needed.

Knowing the records retention policies for your assigned workflow, and getting yourself in the habit of managing only those documents you need to keep is part of a “Best Practice” of daily task management philosophy.  Identifying documents that you can easily manage and file electronically, as opposed to printing out, scanning and resaving will greatly reduce generating unnecessary paperwork and your need to manage it a second or subsequent time. The less times a document is handled, the less opportunity for improper disclosure of (Pii). A good place to start is to ask yourself, “Is there a value in printing this document?”

3. Protect

Take precautions to secure paper and electronic records containing Pii by restricting access. When you leave your work area, be sure to lock your computer and close files in use. Manage your emails to delete those without a direct business relevance. Create folders to sort and store emails and documents for business reference and learn to redact information when forwarding items to other parties where sensitive information is not pertinent. Keep sensitive information locked waiting for shredding so it is not left out for others to see. Shred bins should not be left open or be kept in areas where sensitive information can readily be accessed.

4. Don’t hoard

Learn to save your records to labeled folders on your computer to move routinely to archival records as you create them or get in the habit of filing records electronically during your processes. Process paper documents regularly that need to be shredded according to established OSD procedures. This is done by shredding documents if they contain any (Pii), recycling or discarding/recycling if there is no (Pii). This can be done on your own terms but should be routinely managed to avoid accumulating records under your desk for shredding.

5. Map your files

Are you prepared to reproduce a document if needed? The reality is that nearly 90% of stored records are never referenced again once they are filed. However, the 10% that are needed should be readily accessible. If you have a sound records management procedure and workflow in place, this should never be an issue. Consistency and continuity is key, and knowing what gets saved, where it should be filed, how to properly label the file for search and retrieval are all essential.

If you have questions about Pii (Personally Identifiable Information) in regard to student records, please contact Chief Information Officer, Marc Elliott, at Ext. 6172.

For additional information on records management, please contact Digital Records Supervisor David LaGarde at help-records@osd.wednet.edu.

New records management supervisor launches first monthly blog post

This is the first in a series of monthly articles planned by new OSD Records Management Supervisor David LaGarde. David can be reached at Ext. 8570 or dlagarde@osd.wednet.edu. Welcome David!

MISSed Information Tip

What is FERPA?

Family Educational Rights to Privacy Act

FERPA is a Federal law that is administered by the Family Policy Compliance Office (Office) in the U.S. Department of Education (Department). 20 U.S.C. § 1232g; 34 CFR Part 99.

FERPA applies to all educational agencies and institutions (e.g., schools) that receive funding under any program administered by the U.S. Department of Education.

Parochial and private schools at the elementary and secondary levels generally do not receive such funding and are, therefore, not subject to FERPA. Private postsecondary schools, however, generally do receive such funding and are subject to FERPA. Additionally, general information that a school official obtains through personal knowledge or observation, or heard orally from others, is not protected under FERPA. Olympia School District receives federal funding, and all grades and schools in our district are subject to FERPA.

FERPA is intended to protect a student’s right to privacy with regard to personally identifiable information (Pii) contained within educational records. Such records may not be released without the student or parent/legal guardian consent when a student is under the age of 18 years of age.  Such records include but are not limited to grades, transcripts, class lists, student schedules, health records, and student discipline records.

School employees usually have the best intentions when it comes to protecting student information.  There are occasions when violations occur and it was done without the knowledge that the employee did anything wrong.  Restricted information such as grades, GPA, or personally identifiable information (Pii) such as Social Security numbers should never be sent through email. Take care not to forward or reply to emails which are sent to you containing sensitive data without removing such data prior to transmission. Here is one such example:

Example:  Group email from teachers to multiple students

The Blind Carbon Copy  (BCC) feature is a frequently misunderstood and often misused function of an email system.

BCC sends a single email to a group without the recipient email addresses being visible. It is easy to forget to use the BCC field or to misuse this technology which can quickly lead to a teacher or school employee inadvertently sharing protected information among multiple students.

For example, there could be a case in which a teacher sends an email to students who are in danger of failing the class.  For ease of distribution, the teacher creates one email and sends it to a list of students who are failing.  Without realizing, the teacher has disclosed the list of failing students to everyone on the list by using Carbon Copy (CC).  If the teacher used the BCC feature, the students would never know who else received the email.  This is a simple error, but would be a violation under FERPA.

Note: If staff have questions about FERPA Personally Identifiable Information in regards to student records, please contact Chief Information Officer Marc Elliott at Ext. 6172 or melliott@osd.wednet.edu.