Step 3: Organize & Safeguard Your Records: Records Classification & the Information Privacy/Confidentiality Classification
The WatClass retention schedules also document the information privacy & confidentiality classification (public, confidential, restricted, or highly restricted) of records, as defined in Policy 46. The privacy/confidentiality classification is the basis for determining the security safeguards required for your records.
- Public records are documents and other information intended for public release and distribution, approved by the Information Steward or delegate. For example, academic calendars, social media content, and University press releases are public records.
- All records which are not public are confidential: only those individuals requiring the information for a legitimate purpose should have access to confidential records, as approved by the responsible Information Custodian.
- Restricted records are the subset of confidential records whose protection from unauthorized disclosure or use is required by law. Records containing personal information - e.g., student and HR records - which must be protected under FIPPA, are the most common type of restricted records.
- Highly restricted records are restricted records presenting a higher risk to the University if compromised, and are therefore subject to heightened security measures and restrictions on use. Records containing information that can be used to perpetrate identity theft - such as Social Insurance, credit card, or bank account numbers - are the most common examples of highly restricted records.
Guidance on measures for protecting confidential, restricted, and highly restricted records is available on the Information & Privacy website (Guidelines for confidential records) and from IST Information Security Services (Guidelines for secure data exchange). Please contact the University Records Manager if you have further questions concerning appropriate security safeguards for records.
Your information inventory is used primarily as an overview of all of your records and to manage their retention, but the categories in your inventory can also be used to name the folders/directories in which records are stored on shared drives, in SharePoint, and in hard-copy filing systems.
The twelve WatClass functions and the records class titles (or the related function codes and records class numbers) can be used as a two-level structure of folders/directories or divisions within a hard-copy filing system. You can alter the terminology to suit your office’s needs, but you should always keep track of the relationship between the categories you use and the relevant retention schedules for the records. Your classification structure shouldn't be any more complicated than is required to accomplish your unit’s work. It should be sustainable with your available resources and easy to understand for new employees or staff from other areas of the University who might in the future require access to, or copies of, some of your unit’s records.
If you would like some assistance in developing a system for your records, contact the University Records Manager. The following are some additional rules-of-thumb to keep in mind when developing your record-keeping system:
- Don’t name or organize your unit’s folders/directories on a shared drive by the individuals doing the work (e.g., “Jane’s-files”) but by the activity or subject matter of the files/documents.
  - Organizing records by individuals’ names makes it difficult or impossible to manage the information over time as a University resource & asset.
  - Using the WatClass classification scheme as a starting point for your system is a good way to avoid this.
- For hard-copy filing systems, use a spreadsheet to maintain a list of all of your file titles and the records class for each file (your information inventory doesn't require this level of detail).
  - You can then use this spreadsheet to print folder labels, with MS Word’s mail-merge & labels features.
- In electronic directory/folder systems:
  - Avoid too many nested sub-levels or else you will quickly lose track of your older records. If possible, use no more than 3 levels of folders & sub-folders.
  - Keep the file names short & relevant, but still intelligible to anyone who might need the document in the future: avoid idiosyncratic abbreviations whose meaning is unclear.
  - File names of documents relating to recurring events (e.g., meeting minutes, regular periodic reports, budget planning documents) should include both the date and the event name.
  - If you are including dates in the names of electronic folders or files, record the dates in the YYYY-MM-DD (or YYYYMMDD) format, so the folder & file names will be sorted chronologically by default when they are viewed in most applications.
  - Use leading 0s to facilitate sorting in numerical order if you use a numeric naming scheme “001, 002, …010, 011 … 100, 101, etc.” instead of “1, 2, …10, 11 … 100, 101, etc.”
  - Avoid using version numbers to distinguish successive versions of documents, such as procedures and guidelines, if the document date (used in the document and in its file name) is sufficient for this purpose. In many cases, keeping track of major and minor changes to documents through version numbering is less important than knowing what the current approved version is, based on the date of approval.