President's Directive No. 20
University Records/Information Retention and Disposition
I. Directive
In light of the importance of securely and properly retaining or disposing of records/information generated through campus operations, CSU Executive Order 1031 requires campuses to develop and implement procedures for (a) designating custodians of records/information, (b) identifying records/information that have historic or vital value and/or are necessary for business continuity/disaster recovery, (c) adding unique campus records/information to the CSU retention and disposition schedules (“CSU Schedules”) and (d) ensuring the timely disposal of records/information in any media. This Directive fulfills these requirements.
II. Authority
CSU Executive Order 1031.
III. Scope
This Directive applies to the retention and disposition of University records/information in any media. University auxiliary and affiliate organizations are responsible for applying similar practices to the retention and disposition of their respective records/information.
IV. Definitions
This Directive incorporates the definitions found in CSU Executive Order 1031 for the following terms:
- Business Continuity/Disaster Recovery
- Custodian
- Disposition
- Media
- Records/Information
- Retention Authority
- Retention Period
- Schedule
- Value
V. Implementation
A. Division Heads
Each Division Head is responsible for the implementation and coordination of this Directive within their respective Division.
B. Information Security Officer
The University’s Information Security Officer is responsible for developing, implementing and managing (a) a process/communication plan to ensure records/information are maintained/secured in accordance with CSU and University policies, and (b) guidelines to ensure appropriate and timely disposal of records/information. The process and guidelines noted above will be posted and updated as needed on the Information Security Office and Risk Management websites.
C. Executive Director, Risk Management and Compliance
The University’s Executive Director, Risk Management and Compliance, is responsible for developing, implementing and managing procedures to (a) designate custodians and review designations, (b) assess the value of records/information (including historic or vital) or the necessity for business continuity, and (c) modify as necessary the CSU Schedules to incorporate records unique to the University. The process and guidelines noted above will be posted and updated as needed on the Information Security Office and Risk Management websites.
D. Records/Information Retention and Disposition Committee
Co-chaired by the Information Security Officer and the Executive Director, Risk Management and Compliance, the committee’s primary responsibility is to review and provide feedback concerning the procedures/communication plans noted in paragraphs V.B. and V.C. above. Its members will include representatives from:
E. Custodians
The responsibilities of custodians of records/information include:
- Ensuring administrative areas are operating in compliance with the CSU Schedules.
- Identifying records/information that have value or support business continuity.
- Identifying records/information within their control not addressed in the CSU Schedules.
- Ensuring timely and documented disposal of records/information within their control.
VI. Accountability
A. The University will dispose of or archive annually records/information that, after reviewing all applicable retention authority and retention periods as well as assessing value and necessity for business continuity, it determines may be destroyed or archived.
B. Individuals who violate this Directive are subject to appropriate disciplinary action pursuant to the applicable collective bargaining agreement and/or administrative policies or procedures.
C. The contacts for questions concerning this Directive are the University’s Information Security Officer and Executive Director, Risk Management and Compliance.
Mildred García,
President
December 20, 2017