Step 3: Organize & Safeguard Your Records
Safeguard Your Records from Unauthorized Disclosure or Use
The WatClass retention schedules include the information confidentiality classification – public, confidential, restricted, or highly restricted – of records, as defined in Policy 46. The confidentiality classification guides you in setting security safeguards for your records (including transitory records).
- Public records are intended for public release and distribution, as approved by the Information Steward or delegate. For example, academic calendars, social media content, and University press releases are public records.
- Records that haven’t been explicitly identified as public are confidential: only employees requiring the information for an approved administrative purpose have access to confidential records, as approved by the responsible Information Custodian.
- Restricted records are the subset of confidential records whose protection from unauthorized disclosure or use is required by law. Records containing personal information – e.g., student and HR records – must be protected under FIPPA, and are the most common type of restricted records.
- Highly restricted records are restricted records presenting a higher risk to the University if compromised, and are therefore subject to heightened security measures and restrictions on use. Records containing information that can be used to perpetrate identity theft – such as Social Insurance, credit card, or bank account numbers – are the most common examples of highly restricted records.
For more information on the information confidentiality classification, see Guidance on Information Confidentiality Classification in the Policy 46 guide.
Guidance on measures to protect confidential, restricted, and highly restricted records is available on the Information & Privacy website (Guidelines for confidential records) and from IST Information Security Services (Guidelines for secure data exchange). The information confidentiality classification and associated security requirements apply to transitory copies of records as well as official records.
Contact the University Records Manager if you have further questions concerning security safeguards for records.
Organize Your Records
Your information inventory categories can be used to name the folders in which records are stored on shared drives, in SharePoint, and in hard-copy filing systems.
The twelve WatClass functional categories and the records class titles within each function (or their ID codes) can be used to name folders and sub-folders, or sections of a hard-copy filing system. You can alter the terminology to suit your needs, but you should also document the connection between your terminology and the relevant records retention schedules.
Use the simplest approach possible to organize your records – just good enough to support your unit’s work. Your records classification should be sustainable with your available resources and easy to explain to new employees or others who might need access to the information in the future.
If you need assistance in developing a system for your records, contact the University Records Manager. The following are rules-of-thumb to keep in mind when developing a record-keeping system:
- Use folder names on shared drives that describe the activity or subject matter of the files/documents, not the person currently responsible for the activity (e.g., avoid names like “Jane’s-files”). Organizing records by individuals’ names makes it impossible to manage them over time as a University resource & asset.
- For hard-copy files, keep a spreadsheet of all file titles and the records class for each file. Your information inventory doesn't require this level of detail, but it’s a useful file management tool and the spreadsheet can be used to print folder labels with MS Word’s mail-merge features.
- In electronic folder systems:
  - Try to avoid having more than 3 levels of folders & sub-folders, or you’ll quickly lose track of your older records.
  - At the end of the year, move files which are no longer needed for current work to a sub-folder named for the year just ended. You’ll then be able to delete files when their retention period has ended according to those sub-folder names.
  - Keep file names short & relevant, but still intelligible to anyone who might need the file in the future. Avoid abbreviations & acronyms whose meaning is unclear or might be forgotten in the future.
  - File names of documents relating to recurring events (e.g., meeting minutes, regular periodic reports, budget planning documents) should include both the date and the event name.
  - If you are including dates in the names of electronic folders or files, record the dates in the YYYYMMDD format, so the folder & file names will sort chronologically by default when they are viewed in most applications.
  - If you use a numeric naming scheme, use leading 0's so that names sort in numerical order: “001, 002, … 010, 011 … 100, 101, etc.” instead of “1, 2, … 10, 11 … 100, 101, etc.”
  - Avoid using version numbers to distinguish successive versions of documents (e.g., procedures) if a document date in the document contents and in its file name is sufficient. Keeping track of major and minor changes to documents through version numbering is often less important than knowing what the current approved version is, based on the date of approval.