Each administrative office and academic department that maintains offcial records must develop and implement documented records management practices consistent with the university Records and Retention Policy and the Commonwealth of Massachusetts requirements for retention, disposal and proper handling of records.
All administrative offices, academic departments and third party service providers will collect the minimum quantity of PI reasonably needed to accomplish the legitimate purpose for which the information is being collected and shall protect all PI they obtain and use (not just electronic forms) by assigning ongoing responsiblity for:
1. Inventory and classification if paper and electronic records that contain PI requiring protection
2. Identifying the location of paper and electronic files used to stire records that contain PI
3. Determinin the necessity, purpose and use of the PI
4. Documenting handling of PI withr egard to chain of custody and storage of files and documents
5. Setting retention schedule and disposing/destroying records according to regulatory and legal requirements
6. Identifying potential security vulnerabilities with current information management practices
7. Revising current information management practices ass needed to address vulnerabilities and demonstrate compliance
8. Taking appropriate action to address unresolved issues and concerns
As soon as records containing PI are no longer needed, they will be securely disposed of in accordance with standards. Any records that relate to pending litigation should be maintained until that action is brought to closure.