Guidelines for the Destruction of Confidential Records

Office of Audit & Compliance, Office of the General Counsel, and the University Archives and Records Center (Effective January 2, 2001)

Formally Adopted by the President’s Advisory Committee on the University Archives and Records Center (April 11, 2002)

Formally Adopted by Resolution of the Trustees of the University of Pennsylvania (June 17, 2011)

Revisions as Reviewed and Approved by Office of General Counsel, Office of Audit, Compliance, and Privacy, and the Office of the Secretary (September 2022)

Introduction

The University of Pennsylvania and the University of Pennsylvania Health System are committed to protecting the security and confidentiality of certain types of records and information created or obtained in the fulfillment of their missions of higher education and health care. Recognizing the need to codify this intention, the Trustees of the University, on 22 June 1990, adopted an institutional archival and records management policy, established an administrative mandate for its implementation and maintenance, and designated the University Archives and Records Center as the single office within the University responsible for the administration of the policy. The full text of the “Protocols for the University of Pennsylvania Archives and Records Center” – including its Mission, Administrative Mandate, Collections Policy, and Access Policy – may be viewed at the web site of the University Archives and Records Center: Protocols

In accordance with the “Protocols,” the University Records Center provides records retention and retrieval services that assist faculty and administrative staff in the ongoing operation of the University and the Health System. The Records Center provides secure storage facilities for academic, administrative, employment, financial, historical, and health care records in all formats including but not limited to paper, electronic and machine-readable records, still and motion picture film, microfilm, audio and video tape, photographs and prints. For a full discussion of the Records Center and the services it offers to the University and the Health System, visit its web page at Records Center

In May 1997 the University Archives and Records Center formed a partnership with the Office of Audit and Compliance and the Office of General Counsel in order to develop comprehensive records retention schedules for the University and the Health System. A task force was formed, outside counsel was engaged, an extraordinary research effort undertaken, and in January 2001, after careful review by all parties, Penn’s first, comprehensive set of records retention schedules was published online at Retention Schedules

The “Guidelines for Destruction of Confidential Records” which follow below build upon and represent a predictable extension of existing archival and records management policy and practice at Penn. They are the work of the continuing partnership of the Office of Audit and Compliance, the Office of General Counsel, and the University Archives and Records Center.

Statement of Purpose

• To strengthen safeguards against the unauthorized or accidental disclosure of confidential records and information at the University of Pennsylvania and the University of Pennsylvania Health System.
• To define confidential records and clarify that definition as needed.
• To define appropriate measures for reasonable care in the disposal of confidential information, including its protection during storage, transportation, handling and destruction.

Confidential Records

1. In accordance with the “Protocols,” the following types of records will be absolutely confidential:
   1. Individual education records of living students or living former students, as defined by the Family Educational Rights and Privacy Act of 1974, as amended, unless the student or former student grants access in writing (in accordance with the University “Confidentiality of Student Records” as published in the PennBook and Almanac).
   2. Individual employment records of living current or former faculty members, administrators or other staff members, including records which concern hiring, appointment, promotion, tenure, salary, performance, termination or other circumstances of employment, unless the faculty member, administrator, or staff member grants access in writing (in accordance with University Confidentiality of Records Policy No. 201).
   3. Records that include “protected health information” as the same is defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. 1171 et seq. and regulations promulgated thereunder.
   4. Other records where usage might constitute an invasion of privacy
   5. Records the use of which has been restricted by contract.
2. In accordance with the “Protocols,” the following types of records generally will be treated as confidential:
   1. All administrative records of the University for twenty-five years from the date of their creation, with certain exceptions, such as those which must be open in conformance with law
   2. Records of a sitting administration
   3. Records the disclosure of which might expose the University to legal liability.

   Recommended Procedures for Confidential Destruction

   1. Retention Period
      Only those records retained for a period of time greater than the applicable retention schedule may be disposed of in accordance with these guidelines. Penn’s institutional records retention schedules may be viewed online at the web site of the University Records Center.
      Examples of specific classes of confidential records and their respective retention schedules include the following:
      • University administration records may be viewed at:
        University Administration Records
      • Health System administration records may be viewed at:
        Health System Administration Records
      • Academic and student records may be viewed at:
        Academic and Student Records
      • Financial records may be viewed at:
        Financial Records
      • Human resources records may be viewed at:
        Human Resources Records
      • Research administration records may be viewed at:
        Research Administration Records
      • Health System treatment records may be viewed at:
        Health System Treatment Records
      • Physical Plant and equipment records, including those relating to occupational health and safety, may be viewed at:
        Physical Plant and Equipment Records
   2. Suspension of Record Destruction in the Event of a Claim, Lawsuit, Government Investigation, Subpoena, Summons or Other Ongoing Matters
      Upon services of legal process (subpoena, summons or the like), or upon learning of an investigation or audit, or if a claim is made, whether formal or informal, or a dispute arises, the records retention schedules reference above shall be suspended and records related to the legal process, claim, dispute, investigation or audit should not be destroyed.
   3. Destruction Authorization
      The destruction of University and Health System records should be authorized jointly by the senior officer of each administrative or academic office of origin and by the Director of the University Archives and Records Center. Should these individuals be unable to agree, destruction will be stayed pending review and final determination by the Advisory Committee on the University Archives and Records Center.
   4. Safe and Secure Disposal
      Under Penn’s archival and records management policy, it is anticipated that most confidential records destruction will be arranged and directed by the University Archives and Records Center. University and Health System records which have passed through the active phase of their life cycle and are no longer needed in their office of origin for the day-to-day operation of that office, should be identified by office staff, transferred to the University Records Center, and placed on a records retention schedule. When those records have reached the conclusion of their retention period, the office of origin will authorize their destruction. Records Center staff then implement all destruction authorizations.It is therefore recommended that all University and Health System offices contact the University Records Center to arrange for safe and secure destruction of confidential records. The Records Center knows the destruction policies and procedures thoroughly and has extensive experience in managing these transactions. The Records Center may be reached by telephone at 215.898.9432; by fax at 215.573.2035; or by e-mail at uarc@lists.isc.upenn.edu

      It is nevertheless important for University and Health System officers and staff responsible for confidential records to be familiar with methods which do not permit recovery, reconstruction and future use of confidential information. An overview of these methods follows below:

      Paper records containing confidential information should be shredded and/or pulped, not simply thrown out with other classes of records or with miscellaneous trash. It is recommended that confidential destruction services, including shredding and pulping, be arranged through the University Records Center.

      Electronic or machine-readable records containing confidential information require a two-step process for assured, confidential destruction. Deletion of the contents of digital files and emptying of the desktop “trash” or “waste basket” is the first step. It must be kept in mind, however, that reconstruction and restoration of “deleted” files are quite possible in the hands of computer specialists. With regard to records stored on a “hard drive,” it is recommended that commercially available software applications be utilized to remove all data from the storage device. When properly applied, these tools prevent the reconstruction of any data formerly stored on the hard drive. With regard to floppy disks and back-up tapes, it is recommended that these storage devices be physically destroyed. These recommended methods of confidential destruction may be arranged through the University Records Center.

      Film, audio and videotapes containing confidential information should also be physically destroyed, not simply thrown away. It is possible to overwrite audio and videotapes with other, non-confidential sound and images, but if this is done, it is recommended that it be done by an authorized member of the staff in the office of origin. Confidential destruction of film, audio and videotapes may also be arranged through the University Records Center.

   5. Confidential Destruction by commercial or non-profit vendor
      Confidential destruction performed by approved commercial or non-profit vendors shall be subject to such contractual obligations as required by the Office of Audit and Compliance, the Office of General Counsel, and the University Archives and Records Center. In no case shall such contractual arrangements introduce standards, policy, or procedures less protective of confidential records than those rules which are described in these guidelines and which apply to all University and Health System officers and staff.
   6. Destruction Record
      A destruction record is an inventory describing and documenting those records, in all formats, authorized for destruction, as well as the date, agent, and method of destruction. The destruction record itself shall not contain confidential information. It is anticipated that in most cases two copies of the destruction record shall be retained: one at the Records Center and one in the office of origin. The destruction record may be retained in paper, electronic, or other formats.