PURPOSE:
Idaho College of Osteopathic Medicine (ICOM) generates a wide variety of written material in electronic and paper forms, and some must be retained for varying periods to meet legal, regulatory, accreditation, operational, and historical requirements. Records retention policies and regulations are identical regardless of the form. This document outlines the policy and procedures governing the retention and destruction of all Institutional Records at ICOM.
SCOPE:
This policy applies to all members of the ICOM community who manage, maintain, access, or use ICOM data, regardless of format (electronic or paper) or storage location. This includes faculty, staff, students, contractors, vendors, affiliates, and any other individuals acting on behalf of ICOM. This policy encompasses all Institutional Records residing on ICOM-owned or leased systems, personal devices used for ICOM business, and within cloud-based services, including Software as a Service (SaaS) applications.
DEFINITIONS:
- Institutional Records: Any recorded information, regardless of format or medium, created, received, maintained, or used during ICOM business. This includes, but is not limited to, documents, emails, electronic files, databases, images, audio and video recordings, and any other form of recorded data.
- Non-Records: Materials that do not need to be retained beyond their immediate use for administrative or operational purposes. These typically include preliminary drafts, convenience copies, personal emails unrelated to ICOM business, and readily available published materials.
- Data Retention Schedule: A document that specifies the length of time different types of Institutional Records must be retained to meet legal, regulatory, accreditation, fiscal, administrative, and historical requirements.
- Destruction: The process of securely eliminating or disposing of records beyond recovery in a manner that protects any confidential or sensitive information contained therein.
POLICY:
Record Retention Principles:
- ICOM retains vital records of the history of the College to guide current and future operations and to comply with its legal obligations, including federal and state laws, accreditation standards (e.g., COCA), and other applicable regulations.
- Two important categories of material that must be retained and disposed of with particular care are records of historic value and those governed by regulation. These records shall be retained for a period consistent with their purpose and as may be required by law, accreditation standards, or institutional needs.
- The Registrar shall be the official steward of student academic records and will oversee their retention and destruction in accordance with this policy and applicable regulations.
- All Institutional Records are the property of ICOM, regardless of their physical location, even when they are in the possession of individuals or stored within personal accounts or devices used for ICOM business. As such, these records shall not be permanently removed from the Institution nor destroyed except in accordance with this Policy and the established Data Retention Schedule.
Electronic Records:
- Any ICOM business conducted, or Institutional Records stored on institutional or outsourced IT services (including SaaS applications and other cloud providers), are subject to the provisions of the ICOM Information Security Policy and Acceptable Use Policy. This data may be subject to a litigation discovery request, subpoena, or court order and may constitute a public document subject to disclosure under applicable Federal and State laws.
- Email and other electronic communications relating to ICOM business are part of the Institution’s records and shall be retained depending on the nature of the document, consistent with the retention requirements outlined in the Data Retention Schedule for that type of record.
Litigation Hold:
- If ICOM is a party to a lawsuit, investigation, or anticipates such actions, faculty and/or staff must immediately preserve all relevant records (paper and electronic), regardless of the normal retention schedule, until ICOM’s legal counsel determines that the records are no longer needed.
- The Office of the President, in collaboration with Legal Counsel and Human Resources, will notify department heads to preserve specific categories of paper and electronic records in the event of litigation, investigation, audit, or other legal or regulatory proceedings. Upon notification, all affected individuals are responsible for ensuring the preservation of these records.
Reporting Improper Actions:
- Employees who become aware of the possible omission, falsification, or inaccuracy of information entered into Institutional Records, or become aware of the improper destruction of records, shall report this knowledge to the Chief Information Officer.
Non-Records:
- Non-records, as defined in this policy, are materials that do not need to be retained according to the Data Retention Schedule. These are typically maintained for as long as administratively necessary and may be discarded when business use is terminated, unless there is a legal hold or other legal or regulatory matter prohibiting destruction. Examples of non-records include drafts, convenience copies, and unsolicited commercial emails.
Official Record Storage:
- Official records stored on-site may be stored as hard copies with digitized backups or in a media suitable for the storage of the record (e.g., microfilm, electronic format). The chosen storage method should ensure the long-term readability and accessibility of the records.
Off-Site Storage and Disaster Recovery:
- Official records deemed critical for business continuity and disaster recovery shall be duplicated onto an approved cloud storage platform or appropriate media and stored in designated off-site storage facilities, for reconstructive use in the event of a natural or man-made disaster, aligning with the ICOM Business Continuity and Disaster Recovery Policy.
- Off-site storage facilities must be secure locations that safeguard the records from ordinary hazards such as water, mildew, rodents; man-made hazards such as theft, accidental loss, sabotage; disasters such as fire, flood, earthquakes, wind; and unauthorized use, disclosure, and destruction.
Compliance and Review:
Compliance with this Record Retention and Destruction Policy and the Data Retention Schedule shall be reviewed periodically (at least annually) by the IT Department and appropriate Data Stewards, and modified as mandated by changing legal requirements, accreditation standards, and Institutional policy.
Retention Schedule
A detailed Data Retention Schedule will be maintained as a separate document or appendix to this policy. This schedule will specify the required retention period for various categories of Institutional Records, considering legal, regulatory, accreditation, fiscal, administrative, and historical requirements. The schedule will include, but not be limited to, records such as:
- Student academic records
- Financial records
- Human resources records
- Research data
- Contracts and legal documents
- Meeting minutes
- Email communications
- Website content
- SaaS application data
The Data Retention Schedule will be reviewed and updated regularly by the IT Department and appropriate Data Stewards in consultation with relevant departments and Legal Counsel.
Data Destruction Procedures
All Institutional Records that have met their retention period as outlined in the Data Retention Schedule must be securely destroyed using appropriate methods to ensure the confidentiality of the information.
- Paper Records: Paper records containing confidential or sensitive information must be shredded using a cross-cut shredder.
- Electronic Records: Electronic records must be securely deleted or overwritten using industry-standard data sanitization methods. This includes data stored on hard drives, solid-state drives, USB drives, and other storage media.
- Cloud-Based Services (including SaaS): For data stored in cloud-based services, ICOM will utilize the data deletion or destruction methods provided by the vendor, ensuring these methods meet industry best practices and any relevant regulatory requirements. ICOM will also review vendor policies and certifications related to data destruction.
- Physical Media: Physical media such as CDs, DVDs, and USB drives containing confidential information must be physically destroyed (e.g., shredded, pulverized).
- Verification of Destruction: For high-risk or sensitive data, a record of destruction may be maintained, including the date of destruction, type of records destroyed, and the method of destruction used.
Data destruction should be performed by authorized personnel or approved third-party vendors who have demonstrated adherence to secure data destruction standards.
Responsible Officials
- ICOM Faculty, Staff, and Students: Responsible for managing and retaining Institutional Records in accordance with this policy and the Data Retention Schedule, and for ensuring the secure destruction of records when their retention period expires.
- Registrar: Official steward of student academic records, responsible for their retention and destruction.
- Chief Information Officer (CIO): Responsible for overseeing the retention and destruction of electronic records and ensuring appropriate data destruction methods are implemented for ICOM-owned systems and cloud services.
- Director of Compliance: Responsible for ensuring compliance with legal and regulatory requirements related to data retention and destruction.
- IT Department: Responsible for developing, maintaining, and updating the Data Retention Schedule and this policy.
ENFORCEMENT:
Failure to comply with this Policy may result in disciplinary action against the violating faculty or staff member, including warnings, suspension, or termination of employment. Students may face disciplinary action as outlined in the Student Handbook.
POLICY REVIEW AND UPDATES:
This Data Retention and Destruction Policy and the associated Data Retention Schedule will be reviewed and updated at least annually by the IT Department in consultation with Legal Counsel and relevant stakeholders.
POLICY OWNER:
Chief Information Officer
APPROVAL:
Effective: 8/23/21
Last Reviewed: 7/8/25
Review Requirement: Annual