How safe are your digital documents?

Electronic document management systems make it easier to comply with digital content regulations, but complacency can threaten effectiveness

Around 4,000 boxes of paper records fill the shelves in Central New Mexico Community College’s storage area. And many of these boxes—those containing employee personnel files, for example—must remain in storage for up to 55 years before they can be destroyed.

It’s a big reason why CNMCC has embraced electronic records management, says Rebecca Turner, records and property control manager for the Albuquerque college.

It was a somewhat lengthy process that started in 2007 with a proposal submitted to the state and ended in 2009 with the rollout of the OnBase system from Hyland Software. At present, seven departments have implemented the system, says Joe Gieri, executive director of IT.

Included in the proposal were guidelines on how the departments would handle document imaging (the state requires scanning at 300 dpi. The college also had to specify how document preparation and organization prior to scanning, as well as file retention and security, would be managed, he says.

Electronic documents/records management and imaging solutions offer huge advantages to higher education institutions, enabling them to significantly reduce paper flow, freeing up filing and storage space. Retention times for paper documents and records are also shorter.

For example, when a document is scanned into CNMCC’s system, the paper goes into a standard-size storage box. Once full, the department brings it to Turner. If the record series has been approved by the state as part of the imaging plan, the box can be destroyed, although Turner must obtain permission from the state to do so. The key is that the box won’t end up taking up storage space.

Digitized documents and records are far more secure than paper that can be lost, damaged or misfiled—or fall into the wrong hands. Electronic systems enable users to grant or restrict access, set document retention alerts, create audit trails and easily retrieve documents. The systems make it easier to comply with regulations regarding security, access and retention as well as to meet audit or legal discovery requests.

Still, to ensure compliance to these regulations, colleges and universities must remain vigilant. The downside to these tools is that they’re so efficient, complacency can become an issue.

“I think this is a risk with any technology,” says Alisa Buck, director of information systems for Columbia College in Missouri. “Once a system is fully automated, it’s easy to forget it’s running in the background. But there’s always a human element in the system. It won’t know something has changed, it needs to be told.”

Here are answers to three questions that are essential to managing the major human elements necessary for ensuring the digitized documents on your campus are safe and secure—and in compliance with regulations.

1. Has verification been built into the process?

Accurate image capture is a compliance essential. Although scanning tools are designed for this, a systematic verification process is still necessary. Jeremiah Shifflett, a systems integration analyst for institutional computing at Shenandoah University in Virginia, says this is their primary focus at the moment.

In 2012, Lexmark/Perceptive Software’s ECM system, ImageNow, was implemented, using Blackboard as a portal. Before departments can implement ImageNow, they must fill out a template with the image capturing processes that work for them, and then Shifflett’s department will authorize the templates. This protects the university while allowing for flexibility to address each department’s needs, he says.

Take the registrar’s office and the storage of transcripts, for example.

Transcripts “are very elaborate,” says Shifflett. “When they’re run through a scanner, a lot of background stuff gets picked up. People need to spend time reviewing the image before shredding the physical document. This is where the templates come in; we provide these to show people how to document the process.”

The templates serve as a checklist, ensuring that the required process for scanning has been followed. It’s recommended that two people look at the scanned document before the paper document is destroyed, he says.

A tactic used by smaller departments where two people may not be available is putting the document into a holding queue for review within a few months.

Palm Beach State College in Florida, which is using a DocFinity system, expedites the verification process a bit. Among the 15 departments using DocFinity is Student Services, says Julie Reiman, system analyst-IT. Although many forms related to student services are online, there’s still a fair amount of paper, especially concerning financial aid.

“Generally, students will hand a paper document to a staff member, who will scan it in. The image shows up on the computer screen, the staff member confirms accuracy and then hands the paper document back to the student,” says Reiman, adding that this process was adopted to avoid paper storage and the related security issues.

2. Have rights to access been assigned?

Determining who has the right to do what to which document is critical for meeting compliance objectives. The problem is, access can be quite fluid. Consider Tulane University in New Orleans. A Xerox DocuShare electronic records repository includes data related to FEMA claims over damages sustained in Hurricane Katrina, says Mike Britt, assistant vice president for University Services.

With FEMA changing its rules fairly often, this can be challenging, says Britt. “We have to meet the moving government requirements, while maintaining security and, ideally, providing access to the correct government agency.”

Tulane’s rights management strategy grants access to groups based on function, location or government agency. People aren’t assigned individual rights—when they leave a group, they leave their access rights to the electronic collection behind, says Britt. When people exit or enter a group, he is informed.

FERPA compliance is another concern. Because records and the right to access them can change as students move through their academic careers, constant updating is required. The FERPA forms are still paper, and are filled out, signed and scanned in just three or four locations on Tulane’s campus.

Access is granted based on user and function. If students need to change something, they go back to where they submitted the original form to fill out a new one that gets scanned in. The form and the process is the university’s tool for ensuring compliance to FERPA, says Britt.

Shifflett, at Shenandoah, relies on “power users” in each department to manage access to records. He sends these power users reports detailing who is accessing data. If changes are required, a form gets submits to Shifflett.

“If there are no changes, they have to verify this. This holds them accountable and keeps compliance in their forebrains,” Shifflett says.

3. Has minimum retention time been met?

States typically set minimum requirements for how long paper and electronic documents must be retained. While electronic records systems can automate the retention and purging of documents—making it less likely colleges and universities will fall out of compliance—mistakes can still happen.

Bob Hensz at Texas A&M University says that categorizing documents in accordance with the institution’s system’s records retention schedule is a big challenge. Other challenges include assisting unit records coordinators in classifying their documents and the need to be knowledgeable of the various requirements for records management, adds Hensz, a risk and compliance manager, HR specialist and records officer at the institution.

Ensuring the correct formats for records retention—having documents in the most unalterable format—is also key, explains Hensz, whose department uses the Laserfiche electronic document management system. Electronic records “may easily be destroyed without anyone noticing until it may be too late,” he says, and policies help reduce the chance of unauthorized destruction.

Only trained system administrators are assigned the right to delete documents.

“Ensure that a person has a hand in the destruction and can verify it was done so that only those documents that are approved for destruction are destroyed,” Hensz advises.

Buck says her team at Columbia College will speak with every department at Columbia that wants to implement the OnBase solution to ensure they know their retention needs. Before purging documents, some departments do a “human review” and destroy them manually.

Others opt for automatic purging; it depends on the department, Buck explains.

Columbia has made retention compliance easier by clearly identifying the document, the department that owns it, its purpose and related keywords. This allows administrators to determine quickly which regulations have to be met.

Keywords may include a person’s name or ID number or admit term, Buck says. “Student record retention is based on the time the student was admitted, not the date scanned. You must be aware that lifecycle doesn’t always start when scanned but sometimes on other criteria and this needs to be included in the keywords used to search.”

At Lake Washington Institute of Technology, in Kirkland, Wash., record retention extends to email. The institution is using ArcMail Defender to archive all incoming and outgoing student and employee email, says CIO Mike Potter. Email records are not destroyed. This provides the ability to respond to litigation hold notices, among other queries, regardless of how far back officials may be asked to search.

“The public has a reasonable expectation that we can obtain these records,” Potter says. “I think when you look at compliance, the real issue is how do you take the service further, such as going beyond the state-established minimums for retention. Technology allows you not only to comply, but to offer a completely new service from your department.”

Pamela Mills-Senn is a Long Beach, Calif.-based writer.


Most Popular