Help Guides and Training

According to the definition of a public record outlined in law, public records are any records created or received during the performance of Western's business, regardless of format. This means that email must be retained and managed just as any other record at Western.

University policy also outlines the appropriate use of email in POL-U3000.02, Using Electronic Methods for University Communication. Be sure that your use of university email follows this policy. 

• No, just like other records, not all email has to be retained. Emails that do not document an action taken or a decision made can be disposed of once no longer needed. Examples include (but are not limited to): 
  • Automatic notifications, such as: "Your e-sign form has been completed"
  • FYI-only emails, for example: "I'll be using the conference room to meet with someone this afternoon" 
  • Copies of records where the official copy is held by someone else (e.g., copies of annual reports circulated via email, when the report is saved elsewhere)
• Emails that document decisions or actions, however, must be kept for the retention period outlined in the applicable retention schedule. Retention schedules can be found online:
  • University General Records Retention Schedule
  • Unique office-level retention schedules (also referred to as "file plans")
  • Contact UARM with any questions or for copies in alternative formats

• Email can be stored in your email inbox; however, only you will have access to those emails. You will also be responsible for managing, retaining, and properly disposing of the records.
• Email that is part of a larger process or that others may need access to should be stored (when appropriate) in a centralized location, along with other pieces of the record. 
  • When this is impractical or inappropriate, you should manage your email in such away as to facilitate discovery and disposition, even if you leave Western or move to a new position.
  • Another option, when relevant, is to forward or cc selected emails to a shared program inbox.
• Email that has long-term retention or historical value needs to be preserved in a manner that is independent of the individual employee's user account. This will likely involve moving the emails into a dedicated content management system or digital archives system. Care should be taken to preserve original metadata in addition to the email contents.

An applicable retention schedule can be used as a map to create folders based on records series in your inbox or other filing locations. Records within those folders should then be stored by date or, if the retention period is based on an event rather than a specific date, then by "case" (e.g., an individual or project). When the cut-off date or event has occurred, these folders can be moved to another folder for the year they are eligible for destruction. 

By law, digital records must be retained in digital format for the entirety of their retention periods. A printout of an email does not contain all of the metadata and context of the original file that preserves the record's authenticity. While it is sometimes appropriate to place a printout of an email into a paper file as a reference copy, the original electronic version will still need to be retained for the appropriate retention period. 

Do not use your personal email account to send work-related email, unless there are no other options. If you do send an email using your personal account that is related to your work as a Western employee, remember that the email is still a public record; it can be subject to disclosure in relation to a public records request or other legal action and is subject to all of the same recordkeeping requirements as other public records. If there is no other option than to send an email using your personal account, cc your Western email and forward any replies to the email to your Western account as well. The email is then captured in the Western system, and you can delete the copy on your personal account. 

Contact UARM for further information or with questions.

Many financial records are created and maintained in university-wide electronic systems. However, there may still be times when financial records are found outside of systems – in reports, paper records, or emails. So what all needs to be kept? And who is responsible for what?

University-wide systems, such as Banner, SAP Concur, and Marketplace, are centrally managed and maintained at the university level. The transactions occur and are documented within these systems, so the responsibility for maintaining and retaining these records is with the business owners of these systems, rather than with individuals who enter information into them. This alleviates the need for retaining many financial records in individual offices.

Additionally, downloads from these systems, or information/documents uploaded to these systems, are considered duplicate copies of the official record, and do not need to be kept. This includes invoices and packing lists uploaded to Marketplace; receipts uploaded into SAP Concur; and documentation uploaded into the journal vouchering system. It does not include purchasing card receipts uploaded into PaymentNet at this time (see the Purchasing card records section below for more information).

Types of financial records held in system:

Various records, including: Accounts set up and requests, some purchasing requests.

System manager/owner:

Eforms are managed by EAS, but individual eforms are “owned” by the offices who requested them. When the time comes to delete eform records, owning offices should be contacted to determine what entries can be deleted.

Types of financial records held in system:

Purchasing records, including financial transaction data; receipts/invoices; and packing slips.

System manager/owner:

Business Services

Types of financial records held in system:

Various records: financial transactions, payroll, budget information, etc.

System manager/owner:

EAS and EIS maintain Banner, various units own data in Banner.

Types of financial records held in system:

Various records, such as journal vouchers.

System manager/owner:

EAS and EIS maintain OnBase, but individual divisions or offices own data in the system. Business Services maintains journal vouchers, for example. University Archives and Records Management assists with applying retention and disposition rules within OnBase.

Types of financial records held in system:

Travel records

System manager/owner:

Business Services: Travel Services

Types of financial records held in system:

Data warehouse for information in Banner, including budget, financial, and  payroll data.

System manager/owner:

EAS and EIS maintain Millenium FAST, but various units own data in Millenium, which is pulled from Banner.

Types of financial records held in system:

Financial transactions (accounts receivable)

System manager/owner:

Treasury Services manages the system, but individual units own the data.

Other systems on campus that manage financial data exist in more localized or unit-specific contexts. These systems will have more clearly-defined ownership. As with other examples in this guide, the data in the system is usually considered to be the official record (as opposed to printed copies or exported datasets used for reference, for example) and is the responsibility of the unit whose functions the system supports. 

Purchasing card records must be kept for 6 years, just as with any other financial record. Purchasing card transactions are documented in PaymentNet, which allows you to upload scanned receipts and attach them to transactions. Unfortunately, the vendor deletes these scans after 3 years, which is only half of the required retention period. The original receipts therefore  need to be retained in their original format.  Card holders can also upload receipts to OnBase, where they will be retained according to the required retention policy. Contact Treasury Services for information about using OnBase for storing these receipts.

A lot of time, effort, and documentation goes into creating budgets. Once the budget is uploaded into Banner/Millennium, however, that becomes the official record of your budget. The preparation documentation is considered draft material and has no retention requirements beyond your immediate operational needs. These records are covered by the Budget and Funding Requests Preparation Materials records series.

Budget tracking and reconciliation materials, such as tracking spreadsheets, downloaded reports from Banner/Millennium, and/or copies of financial documents, are transitory records (because they are either copies or drafts). These are covered by Financial Records -- Duplicate Copies, UNLESS original purchasing card receipts are interfiled with them. If purchasing card records are interfiled with these other records, then the files as a whole should be kept for the 6-year retention period for purchasing card records to ensure that the P card records are retained appropriately. Budget Reconciliation and Monitoring Records cover these records that contain original financial documentation, such as original purchasing card documentation.

Chat and instant messages, if they relate to your work as a Western employee, are public records, and therefore subject to public records requests, disposition holds, and records retention requirements. It’s important, then, to use chat and IM appropriately, and to manage what is generated in those formats.

Like email, there is no blanket retention rule for instant messages and chats. Retention requirements depend on the content and subject of the message, meaning that each message has to be analyzed individually for what retention requirements it may have. Because of this, we recommend that you limit your use of chat messaging to information that is of transitory importance – sharing information that can be found elsewhere, or for information/decisions that will be more formally documented in other systems. That way, you don’t need to worry about retaining or managing the messages long-term. In general, most chats/IMs only contain transitory information anyway, such as checking in with a colleague on the status of a project or requesting information that can be found elsewhere. However, if you are using chat messages for important work, that may need to be referred back to at a later time, you should find ways to document the work outside of the chat environment, such as following up with an email.

Below is further information about how specific IM/chat environments in use at the university handle chat records and recommendations for using them.

Teams does not allow you to delete or download chat messages en masse at the individual account level (though it is possible at a high level by campus IT). This means that chat messages must be managed individually by the people creating them.

Because of this, Teams should only be used for transitory information. Important decisions should be documented in other formats – like email or more formal documents, where the information can be retained and managed more easily.

Additionally, Teams chat should not be used to send protected information types, unless the chat can be deleted immediately by the sender (only the sender of a message can delete it). Protected information should not be retained longer than is necessary, as over-retaining information increases the potential of inadvertent and/or malicious unauthorized access to the information. If you do need to send protected information via a chat message, you should only do so for information of a transitory nature and then delete the individual chat messages as soon as possible.

When using Teams as your desk phone, you may receive audio files of your voicemails in both Teams and your email. The retention of these also depends on the content and purpose of the message. If the nature of the message requires you to retain the message for longer than the Teams system-wide auto-deletion policy, you should save the audio file or a transcript outside of Teams to avoid automatic deletion. Voicemails that do not have retention requirements should be deleted as soon as they are no longer needed to avoid clutter and over-retention.

Unlike Team chats, Zoom meeting chats automatically disappear once a meeting has ended. If important information is shared in the chat, the host can save the chat either automatically (for all meetings) or during the meeting. For more information, see Zoom's Saving in-meeting chat help page. In most cases, however, chat should still be used for transitory, non-confidential information to avoid the need to worry about saving he information or what might happen to it in Zoom (for confidential information).

Slack can be set to retain messages and files for various lengths of time; however, the default is permanently. The retention rules can be set to govern all messages and files or at the conversation-level. Slack also allows for exporting of conversations; however, its capabilities may be limited by what plan you have. If you anticipate using instant messages for substantial communications, or for communications that may need to be retained for an extended period of time, Slack may be the best option because it does allow for retention setting and exporting conversations. For more information see Slack's Customize message and file retention help page.

Meeting online creates many collaborative opportunities, but along with that come potential records management obligations. People may be relieved to know that many meeting types do not require ongoing retention of records. The dividing line is essentially whether business is conducted in a meeting, and if so, the nature of the business.

As you engage in online meetings, and before you opt to record them, take a moment to consider the different categories of meetings and their associated retention and disposition requirements. Audio/visual recordings of meetings are considered part of the meeting record and must be kept as part of the record for the duration of the applicable retention policy. (You should also ask the questions we have below before making an audio/visual recording of your meeting.)

The following table provides a matrix for identifying whether your meeting records have retention obligations and what they are if so (you can also check your office file plan):

• Can the information be saved in another format, such as meeting minutes or notes? Consider doing so, rather than recording the meeting. 
• Are you just recording to record, or is there a particular reason to do so? If there’s no real reason to record it, consider not recording it.
• How else are you documenting the meeting? Does the recording facilitate that or is it redundant? If it's redundant, you probably do not need to record the meeting.

If any of the following are true, strongly consider not recording the meeting to avoid retaining private and confidential information longer than necessary:

• Are you discussing private or confidential issues, such as personnel issues or students/student work? 
• Are you discussing candidates during a search committee meeting? 
• Are students or student work featured in the meeting? 

Depending on the nature of your meeting, recording it could create a retention obligation for the recording that is longer than default retention rules in the platform you are using. In such cases, you will need to develop a strategy for preserving the recording in an alternate storage environment for the duration of the required retention period. In the panels further down in this guide, we list the various kinds of meetings and their related retention requirements.

Recording is easy, retention and disposition are relatively difficult. When you make a recording, you are obligating the use of university resources to store and access that recording. You should develop internal procedures for reminding yourself and others responsible for the recording to delete the recording as soon as it is eligible to be deleted. If there is no retention requirement for the recording, you could set a 30-day reminder using your method of choice. Some platforms have an automatic deletion policy after a certain period of time--but we advise that you do not rely upon that for your own retention and disposition plan. Automatic deletion policies are designed to restrain costs and protect the efficient use of university resources; they are not designed to accommodate various retention policies outlined on retention schedules. 

• Retention requirements will vary depending on the purpose, content, and context of the meeting. Some types of meetings have permanent retention (governing body, executive management team and other policy-setting/decision-making boards, committees, commissions, councils, task forces, etc.), whereas others may have relatively short or even no retention requirement. Use the following entries in this guide to determine the likely retention requirement for your meeting records.
• Be aware that you will need to figure out how to preserve the recordings if they do have retention requirements – whereas recordings that don’t exist don’t need to be kept!
  • This returns us to the question above:
    • Do you really need to record the meeting?

The following kinds of meeting records, when they exist, can be kept only until no longer needed, then destroyed:

• Check-in/standup meeting (information-sharing, no business conducted)
• Meeting arrangement records (agenda calls, calendar invites, etc.)
• Meeting materials - attendee copies (handouts, notes, copies of minutes, etc.)

The following kinds of meeting records, when they exist, have retention requirements ranging from 3 months to three years, respectively, before they can be destroyed:

• Course recordings (3 months after final grades for the course is recorded and any academic grievances have been resolved; in courses involving incomplete grades or grievances, the final recording of a grade for the course could be extended up to possibly two years)
• Meeting records - staff and internal working groups (2 years, then destroy)
• Curriculum committee meeting records (3 years after fiscal year, then destroy; relevant material forwarded to ACC)
• Search committee records (3 years after close of search, then destroy)

The following kinds of meeting records have permanent archival value and must be sent to University Archives for long-term preservation*:

Meeting records - governing/executive/policy-setting bodies (including committees thereof)

*Formal meeting records (such as official minutes) are strongly recommended, and in many cases required, for governing/executive/policy-setting bodies. Additional legal rules apply to meetings of the Board of Trustees (and related committees acting on their behalf) and AS Board of Directors (and related committees acting on their behalf) under the terms of Washington State’s Open Public Meetings Act (RCW 42.30). Other bodies have internal rules regarding the conduct of meetings and the creation of meeting records.

Chats/instant messages should be considered transitory records that do not have very long lives. Do not use chats to document formal decisions – if something is decided in chat, document it elsewhere or find a way to save or download the chat where they can be saved long term (currently, there is no easy way to do this in Microsoft Teams, so it's best not to use Teams chat for anything long-term).

Microsoft Teams must be renewed yearly. If you have files stored in your Teams site that have retention requirements beyond that period, you will need to either continue to renew the Team (even if no longer active) or ensure that the files are removed from the Team site to somewhere more permanent. (As with all records, the retention requirements of Team files will depend on the content and context of the records.)

According to RCW 40.14.060, public records can only be destroyed according to approved retention schedules, and only if they are not designated as "archival" or "permanent." This law applies to records in all forms, digital or paper, textual or audiovisual.

Destroying records without applying an approved retention schedule is not only bad practice, it can put the university at risk of legal action and fines, damage institutional credibility, and jeopardize university compliance with regard to sensitive records and funding sources.

Many records we interact with each day are transitory records, and are already approved for routine deletion or destruction. However, our obligation to manage and even document destruction increases with more formal, official records that are identified on university retention schedules. This guide gives an overview of those obligations.

Records that are historical in nature or that have an "archival" or "permanent" designation on a retention schedule must remain intact. University policy and state law require that archival records undergo review and selection for preservation in the University Archives.  Contact University Archives for disposition of historical/archival records and for help with the preservation of permanent records. 

Destruction of paper records or digital records held by offices themselves is the responsibility of the respective offices of record. University Archives and Records Management no longer provides destruction services for records not held in the University Records Center.

In some university systems, deletion of digital records will follow more or less formalized processes involving both system administrators and affected offices. For example OnBase has a formal records management module that will facilitate structured disposition of records according to university retention schedules.

For records that are eligible for destruction and managed by offices, we strongly recommend a process involving Confirm, Document, and Destroy.

Confirming the records' eligibility for destruction may require a review by multiple people; it includes ensuring that:

• the correct retention schedule is being applied;
• there is no legal action (lawsuit, grievance, dispute, or other proceeding) that requires the records remain intact beyond the retention period;
• there is no impending audit or review that will require the records;
• there is no unresolved public records request that requires the records;
• the records are not also classified as “archival” (which requires their ongoing preservation per University policy);
• if you are wiping a disk, you have taken appropriate steps not to wipe any records that must remain active and accessible.

Note: it is illegal to destroy records that are subject to ongoing or anticipated legal, audit, investigative, or public records request actions.

• In order to ensure accountability, compliance with recordkeeping laws, and corporate memory regarding records disposition, we strongly encourage that individual program units use a records destruction log to document all formal  records destruction.  Please use or extend the University Archives and Records Management Destruction Log template for this purpose.  The authenticity of this log must be safeguarded, and each program unit should retain the destruction log indefinitely.
• You do not need to list every single item that will be deleted; rather you can identify the records in aggregate form per the examples in the spreadsheet.

• For paper records, we strongly recommend shredding.  If you have a large volume, contact Purchasing to set up service with one of the vendors on campus.
• For digital records, you should delete all relevant copies of the records with the goal that they will be irretrievable.
• If you need to wipe a disk, consult IT for options, but keep in mind that you will need to ensure that there are no active records on the disk being wiped. Prior to wiping a disk, you must ensure that any records still subject to retention schedules, or to other legal actions mandating ongoing retention, are transferred to active, accessible storage.  Backup tapes are not considered active, accessible storage.

University Archives and Records Management initiates a formal, quarterly process of carrying out records disposition for records in the University Records Center. This process always involves the offices whose records are eligible for destruction, and only occurs after review and consent of those offices. For more details, please contact University Archives and Records Management. 

Working from home has its own set of challenges for records management. As we work remotely and try to find ways to collaborate and share information, there’s a myriad of places records end up being created and stored – which means there’s a myriad of places where we need to manage records. This page contains recommendations for the best places to create and manage records when working remotely. There are also brief sections discussing the use of personal devices and dealing with paper records when working remotely.

Working from home means that most of what we do is done digitally: meetings, messages, and collaboration. In some cases, this may not be a huge change from how things operated previously. However, even if your office has been “paperless” for a while, working remotely may require a reevaluation of your practices as you shift to systems that are accessible off-campus. As you transition to new processes and systems, keep the following things in mind:

• Records, with a few exceptions, must be maintained in their original format (whether that’s digital or paper)
• Records need to be managed throughout their life and disposed of appropriately at the end of it
• Storage locations must be secure. They should only be accessible to authorized users
• Storage locations must also be accessible to anyone who may need access to the records and accessible even if there is a staffing changeover
• Records need to be stored somewhere with long-term stability – records may have long-term retention requirements and must be kept somewhere where they will be maintained for whatever period of time that is. If a system or storage location reaches its end of life before the retention period is up, the records must be migrated out of the system or storage location to somewhere new

The following information takes the basic requirements listed above and analyzes common storage locations in use at Western that work well remotely. There is also a chart of common records or work and the best storage options for each.

(See the ATUS webpage: File Storage, File Sharing, and Backups) for more information about each option listed below, as well as other potential options)

• C: drives
  • Pro: These are secure (as long as your computer is kept secure)
  • Con: They do not allow for access by others and will be deleted when you leave the university.
  • Con: C: drives are not backed up by IT, so if your PC crashes, your documents will be lost.
  • These do not satisfy the requirements for good storage for records with any long-term value or value to others.
• External media
  • External media should not be used for the long-term storage of information. Media like thumb drives, CDs/DVDs, and external hard drives are fragile and information can disappear without warning.
  • External media can easily fall into the wrong hands. If you use a thumb drive or other external media device to transfer information to and from devices, the media should be password protected and wiped once the information is saved to your university computer or storage location.
• Network drives
  • Pro: These provide secure storage that can be made accessible to others.
  • Pro: They are tied to a unit, rather than an individual, so if an individual leaves the university, the records remain intact and accessible.
  • Pro: Drives are regularly backed up by university IT. If the drive crashes, most documents stored on it can be recovered.
  • Con: These kinds of drives are becoming less common and some are being deprecated.
• Google Drive/Google Workspace
  • Pro: Google Workspace allows for collaboration and easy remote access to records.
  • Pro: Google Workspace is a cloud-based service, and backup is built into its structure.
  • Con: Western does not currently have an agreement with Google to protect sensitive data within our instance of Google Workspace. Therefore, Western's current Google Workspace should not be used to store records covered by FERPA or HIPAA privacy requirements.
  • Con: Western does not have an agreement in place that allows for a high level of technical support, which puts the long-term stability of records in Google Workspace at risk.
• OneDrive
  • Pro: OneDrive allows files to be shared with others, as well as allows for security/access controls.
  • Pro: Western has an agreement with Microsoft that covers the protection of sensitive data, meaning FERPA and HIPAA protected data can be stored in OneDrive.
  • Pro: Because Western has an agreement with Microsoft, we have robust technical support for the platform.
  • Pro: OneDrive is a cloud-based platform with backup built into its structure.
  • Con: OneDrive content is assigned to individual employees and will be deleted after the creating/owning employee leaves Western, even if the content is shared with others. This makes it a poor choice for records with long-term value.
• SharePoint
  • Pro: SharePoint allows files to be shared with others and allows for security/access controls.
  • Pro: Western has an agreement with Microsoft that covers the protection of sensitive data, meaning FERPA and HIPAA protected data can be stored in SharePoint.
  • Pro: Because Western has an agreement with Microsoft, we have robust technical support for the platform.
  • Pro: SharePoint is a cloud-based platform with backup built into its structure.
  • Pro: SharePoint sites are not inherently tied to individuals (although it is important to assign responsibilities to site owners), so sites and records will remain in place and intact even if the creator leaves Western. 
  • Con: SharePoint and related Teams sites take thought and planning to prevent them from becoming disorganized and overwhelming.
• For other locations on campus and their pros and cons, check out ATUS’s webpage: File Storage, File Sharing, and Backups.

Storage location options

OneDrive, C: drive, Google Workspace (with restrictions)

Notes

These types of records are transitory in nature – they have no retention requirements beyond their immediate usefulness. OneDrive and your C: drive (if they don’t need to be shared) are good locations to store these types of records since there is little to no ramifications if they are lost or deleted. Google Workspace may also be a good option, for similar reasons, unless the information in the records is sensitive in any way (for example, contains personal information, health information, or student data).

Due to the transitory nature of these records, they are often easily forgotten and can end up being retained far beyond their need. It is important to develop strategies to assist you in routinely cleaning out these kinds of files.

Examples

Official record versions of student files, purchasing card receipts, reports, manuals, policies and procedures.

Storage location options

SharePoint, network drive (if dedicated to your unit)

Notes

In general, when working with the official records of your unit, a SharePoint site/library is the ideal place to work in, as it allows files to be accessed by anyone with permission (and conversely allows permissions to be set to limit access as well). SharePoint is supported by the University, so there is long-term stability. Additionally, SharePoint sites are tied to a group or organizational unit, rather than to an individual, so even if the author of a document leaves the university, the documents will still remain.

Examples

• SAP Concur, OnBase, Banner, PageUp, Navigate, E-sign forms.
• Does not include PaymentNet

Storage location options

These records are managed in their originating systems.

For more information about financial records, see our guide on Financial Records Management

Notes

Reports or other information downloaded from systems like these have no retention requirements, as the official record is what is contained in the system. Downloaded information can be, and should be, deleted or destroyed as soon as no longer needed. If downloaded copies are needed for reference purposes or other workflows, they can be stored in whatever location works best for the process.

Storage location options

SharePoint/Teams

Notes

A standard SharePoint library or a Teams Library work best for these types of records, as they are assigned to groups or organizational units (rather than individuals) and allow for easy, real time sharing. Many of the meetings and group work may already be occurring within Teams, making it a logical location to store related documents. For more information see our guide relating to Online Meetings.

Storage location options

• OneDrive, SharePoint, Canvas, Teams, business-specific systems with communication features
• Not recommended: Google, Dropbox, etc.

Notes

When working with students (including student employees), avoid working in Google Workspace or Dropbox. While these tools may be convenient, their basic account offerings are generally not FERPA compliant. For example, Western does not currently have an agreement with Google to protect sensitive data within our instance of Google Workspace.

Additionally, records that student employees create and that need to be maintained long-term should be transferred to SharePoint, rather than stored in OneDrive. Student employee accounts in Office365 are combined with their personal student accounts. By having work related records in these accounts, they become open to litigation holds and legal and public records requests discovery processes. Additionally, students tend to be transitory employees, meaning that your office could lose access to the records before their usefulness and/or retention period is passed.

See our separate guide on managing chat and instant messages.

Storage location options

SharePoint/OneDrive, external media (with restrictions, see below)

Notes

Copies of records placed somewhere for transfer should be deleted once the transfer is complete. This prevents unnecessary copies of the records from existing, which are still subject to public records requests and legal holds/discovery. Unnecessary copies, especially when stored on external media, create extra potential for leaks and unauthorized access as well.

Records disposition is what happens to a record after the required retention period is complete. Disposition instructions can be found on the retention schedule or your office’s file plan, and generally are one of two things: “Destroy" or “Transfer to University Archives."

Most records are non-archival (i.e., those that say “Destroy”) and can be destroyed once the retention period has passed (as long as there is no ongoing legal, financial, or administrative need for them). If there are no disposition holds on the records, they can be deleted from wherever they are stored (see the Managing paper records while working remotely section for more information about paper records disposal). However, there are certain best practices that should be followed, whether on campus or working remotely, when destroying records. (Arguably, these practices are even more important as our work is decentralized as they promote accountability and communication about what is happening to records.) These can be found our separate guide to Records Destruction.

For more information about archival digital (and paper) records, contact the University Archivist. The University Archivist can answer questions about what records are archival or not, as well as arrange the transfer of archival records to the University Archives.

University records should not be stored on personal devices – not only does that prevent others who may need to from accessing the records, it can also seriously compromise your, and others’, security and privacy.

Public records created and stored on personal devices are still subject to disposition holds, public records requests, and records retention requirements. If there is a public records request involving records on your personal device(s), you will need to produce them, just the same as if they were in a university-owned location. Additionally, your personal devices may be subject to discovery or subpoena during litigation if there are public records stored on them. This may lead to your personal data being open to exposure during those processes.

University hardware and software have security measures in place that you may not have set up on your own device. University IT also provides automatic updates for security features for university hardware and software, which is key to ensuring ongoing protection.

If you do need to use a personal device during the course of your work, here are some tips to keep both your personal and the university’s information secure:

• Work directly in the online version of apps/software. For example, work in the online versions of Word and use OneDrive or SharePoint to save records.
  • If it's not possible to work directly in an online application, make sure any files you work on are immediately (or as soon as possible) uploaded into a university storage location (such as SharePoint or OneDrive). Delete any copies that may be on your personal device
  • If it’s not possible to upload the records to a university-owned location (for example, if you are using your personal phone to send texts as part of your work as an employee), attempt to cc a university account.
  • If it's not possible to work online or upload records to an online location, be prepared to manage those records for however long they must be kept. Delete the records immediately whenever possible

• Keep your personal device protected and secure. See the Information Security Office’s list of best practices on keeping your personal device secure: Secure your Devices and Protect Yourselves and Western

For processes that are still in paper, now is likely a good time to transition to a digital equivalent. In cases where that is not possible, or where you have older records that you need to reference from home, below are some best practices to ensure that your paper records stay safe and secure, as well as accessible to anyone who may need them.

Paper records present problems at the best of times because there is no easy way to secure them, other than to place them under lock and key. It’s also difficult to track paper and impossible to allow multiple people to access them at the same time, problems which are further exacerbated when working remotely. So, instead of bringing paper home, there are a couple of other options we recommend:

• Determine if the information is accessible online. If so, it may be that you don’t even need to access the paper files.
• Make scans of the files while on campus. You can email them to yourself or send them to a shared, university-owned/contracted storage location (like OneDrive or SharePoint). This prevents the records from becoming lost or damaged during transport or being accessed by unauthorized individuals (including household members). It also allows you to share the files and give others access to the information at the same time.
  • As you make the scans, be careful to keep the original documents in order and do not destroy the originals.
  • You will also want to make sure you delete the scans once you are done with them to lessen the chance of potential leaks or unauthorized access to the information. Scans won’t replace original paper copies unless your office has completed a digitization form with UARM. (For more information about the digitization form, contact UARM.)

If you still have certain documents that you absolutely must work on in paper and must be taken home, be careful about how you transport, store, and dispose of the materials:

• Paper documents should be transported from your office to home in a box or other closed container to avoid items falling out and getting lost, or information being visible to others during transport and storage in your home.
• We also strongly recommend that you document the items you bring home and let your supervisor (and/or other people who may need to know) know what you took. This ensures that if anyone else needs access to the materials in the future, they know where they are.
• When storing original paper records at home, make sure they are in a safe location, away potential water leaks or fire hazards. You’ll also want to secure them to prevent unauthorized access, which may include locking them in a filing cabinet or locking your office space when unattended
• Paper records should only be destroyed if they have met their retention requirements (see the retention schedules or your office’s file plan for more information), and we strongly recommend that you not dispose of paper records at home, especially not documents with protected or confidential information on them.
  • Records must be destroyed in a way that prevents them from being reconstructed (such as shredding), and papers containing protected or confidential information must be destroyed in a way that prevents anyone getting unauthorized access to them before they are completely destroyed. This is best done through the shredding bins and vendors on campus.

Voicemail that relates to your work at WWU is a university record and is subject to records retention and disposition requirements. 

This includes work-related voicemails received in any context, including:

• WWU Teams Voice
• Landline systems
• Personal phones

As a university record, voicemail is subject to public records requests as well as preservation and disclosure requirements that arise from legal actions, such as litigation.

Like email and chat messages, there is not one, single retention period for voicemail. The retention of each record depends on the business context in which it originates and the process it documents.

While many voicemails might be transitory and have no retention requirement, others will be subject to retention requirements based on the business being transacted.

Due to the nature of voicemail, many voicemail records end up being transitory and without retention requirements.

The following are common types of voicemail that can be deleted as soon as they are no longer needed:

• General external information: Information received from other agencies, commercial firms or private institutions, which requires no action and is no longer needed for agency business purposes.
• Basic information requests: Records communicating basic/routine short-term information (regardless of format or media used) that: do not document agency decisions/actions; are not used as the basis of agency decisions/actions; and are not covered by a more specific records series.
• Unsolicited information: information received by WWU that is not requested and not used in the course of business.
• Meeting arrangements: Records relating to arranging and scheduling meetings, such as agenda calls, meeting invitations, or location arrangements.
• Information documented as part of a more formalized record: Records where the evidence of the business transaction has been documented as part of another more formalized record of the agency which is retained in accordance with the current approved minimum retention period.
  • See the next item, "Voicemails with retention requirements," for more information.

Consult the WWU General Records Retention Schedule for a complete list of transitory record types.

If a voicemail provides evidence of a business transaction, consult an approved WWU retention schedule to determine its retention requirements. 

In these cases, the voicemail could be documented as part of a more formalized record of the business transaction. If so, you should be able to delete the initial voicemail once this has been verified.

Below are examples of ways that voicemail records can be either saved individually or memorialized as part of a more formalized record. These examples assume that the form of documentation described has been saved alongside other records documenting the same business process and/or retained according to the related retention rules:

• Saving a transcript of the voicemail (voice-to-text or other transcript).
• Sending a follow-up email confirming and summarizing the voicemail.
• Downloading and saving the voicemail recording.
• Forwarding the voicemail recording and/or transcript to an email inbox.