Frequently Asked Questions
- What is information management?
A comprehensive approach to information management ensures that information is kept secure and is available when you need it.
- Why is information management important?
Everyday at KU we create and use information in our research, teaching, classes and service to the State of Kansas. Stewardship of the University’s information assets is a shared responsibility across KU. Each of us plays a vital role. Information management will improve our handling and securing of private information, our management of university records, and will ensure the preservation of KU’s institutional memory for today’s decision-makers and tomorrow’s scholars.
- How secure does my information need to be?
An assessment of the information in question will help determine how private and/or secure it needs to be. The protection of certain kinds of information is regulated by law. You will also need to consider the business impact if the information is lost, stolen or becomes irretrievable.
- Are other universities doing this?
Many universities have developed or are beginning to develop strategies for information management, including The University of Notre Dame, Stanford, University of Texas, Purdue, Indiana University, and MIT.
- What is a record?
Generally, a record is information that either results from the conduct of an official activity, or that is employed in the course of planning and/or decision making prior to such activity. As an agency of the State of Kansas, KU creates and utilizes state government records. Consequently, the University is required to develop and to maintain a records management program that ensures the preservation of state government records.
- Are paper records handled any differently than electronic records?
Paper records and electronic records are basically the same but exist in different formats that require different methods of maintenance and preservation. Electronic records require that decisions are made during the entire life cycle of the record from its creation through disposition in order to ensure that the record is available for continued access and use.
The intended outcome for handling records (no matter what format) should always be the same: keep what you need for as long as you need it; once it is no longer needed, check the University records retention schedule.
The KU Records Retention and Disposition schedule outlines the recommended periods for retaining certain types of records and appropriate methods for disposing of them once the retention period has expired.
Depending on the format your records are in (paper, electronic, etc.), you may need to use different tools or methods to appropriately handle them to achieve the intended outcome stated above. (For example, paper records may require locked file cabinets; whereas electronic mail archives may need to be encrypted.)
- How long do I need to keep it?
As a rule of thumb, never dispose of anything that is involved in a pending or threatened litigation. Retain all records from a closed grant for at least 3 years from the close (or as directed by the Granting agency). Retain employment records for the period of employment plus 5 years. For additional guidance, refer to the KU Record Retention schedule.
- How do I dispose of paper records? How do I dispose of electronic records?
First, check the KU Record Retention schedule for information on how long to retain certain types of records. This information will be periodically updated and expanded, so please check back to find out more on Record Retention at KU.
Disposal of Confidential Information:
Currently, there are two methods recommended to securely dispose of confidential, paper documents (or CD's, DVD's, etc.) including:
- shredding (cross cut or diamond cut shredder recommended) or pulverizing materials; or
- disposal in secure, locked shredding consoles (contract is currently available from Shred-it on the purchasing website or you may individually contract with another vendor for these services—please check with the purchasing department).
More on disposal of confidential electronic files can be found at the IT Security website (www.security.ku.edu).
More on effective shredding options can be found at the Privacy website.
- How do I transfer records to the University Archives?
Contact Archives by calling this 785-864-4334. A staff member will assist you.
- Can I give my old records to the historical society or public library?
Before you offer any record to a historical society, public library, or any other entity, you must contact your University Records Officer or Archivist. Permanent records must be kept either in your offices, in your University Archives, or in an authorized space designated for the storage of permanently valuable records.
Security and Confidentiality:
- How do I report a data security breach (paper or electronic)?
If you suspect a breach of private information or systems, immediately contact the KU Customer Service Center at 864-8080 and tell them you suspect a breach. They will assist you appropriately. Then report the incident to your Chair or Unit Director.
- How do I report a lost or stolen device with private information on it?
- Who in my department is responsible for reporting a breach or loss of equipment?
The person who discovers the loss or breach should immediately report the incident as described above. Additionally, the Chair or Unit Director should be notified of the incident.
- What does FERPA cover?
The Family Educational Rights and Privacy Act (FERPA) provides higher education students the right to have access to their education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records. More information on the University’s FERPA-related policies is found at:
- What does HIPAA cover?
The Health Insurance Portability and Accountability Act (HIPAA) places significant privacy and security requirements on health care practitioners and researchers that handle individually identifiable health information.
More information and resources can be found at the KU Privacy Office website.
- What does GLB cover?
The Gramm-Leach-Bliley Act (GLB) regulates the disclosure of non-public personal information by financial institutions. Institutions of higher education are covered by the law's definition of "financial institutions" as they participate in financial activities, (e.g. offering Federal Perkins Loans).
- What is PCI DSS?
The Payment Card Industry (PCI) Data Security Standard (DSS) places stringent requirements on the storage, processing and transmission of data elements found on payment cards. Data elements include: Primary Account Number (PAN), cardholder name, service code, expiration date, CVC2/CVV2/CID, and PIN/PIN block.
The standards were developed by a group of companies including American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. The PCI standards include requirements for security management, policies, procedures, network architecture, software design and other protective measures.
- Which of these laws trumps or preempts the other ones?
It depends. If you are adhering to the most stringent privacy and security standards (HIPAA), then you may already be in compliance with the other laws. An assessment of the information in question will help determine how private and/or secure it needs to be. You will also need to consider the business impact if the information is lost, stolen, or becomes irretrievable. Please contact the Privacy Office or Office of General Counsel for more information on these laws and their interactions.
Contacts for Assistance:
- Who do I call for help?
As the information management program develops, additional resources (tools, services, people, policies, etc.) will become available to you. For now, to ensure your question gets in the right hands, please contact the Office of the Vice Provost for Information Services, 864-4999, or firstname.lastname@example.org.
- How do I report inappropriate email?
For information on spam and other email that may seem inappropriate, what KU is doing about it, how to move tagged messages out of your inbox, and how to report spam and other email abuses visit the IT Security Office website.
Faculty / Staff Training:
- What is the Information Management training module?
The Information Management training module is a program of systematic training in handling protected and private or sensitive information that has been created for the use of KU employees (faculty and staff).
The initial general awareness module (in two parts) is a non-technical tutorial that is required of all employees. It requires approximately 20-30 minutes, with notification of successful completion forwarded to the employee’s HR/EO personnel file.
- Why is the Information Management training module important?
The Information Management training module is important because it promotes the security and management of protected information at the KU campus.
- Who created the Information Management training module?
The Information Management training module is a joint effort of KU’s Privacy Office, IT Security Office, and Provost Office in conjunction with campus-wide stakeholder representatives. It is a component of the larger Information Management program.
- Who must complete the Information Management training module?
All KU faculty and staff will eventually be expected to complete the Information Management training module.
Initially, this training program will engage new employees of the Lawrence and Edwards campuses (those starting employment in January 2009). Pre-existing employees will begin participation in the mandatory training program starting the following fall or early winter.
- How will I know when it is my turn to complete the Information Management training module?
You will receive an email notifying you that it is your time to complete the Information Management training module. This email will carefully outline instructions for accessing and completing the program.
- What is considered a passing grade for completing the training modules?
Each module requires 100% to be considered passing. You will be provided the correct answers for missed questions and then prompted to retake the quiz until 100% correct is achieved.
- How many times will I be expected to complete the Information Management training module?
After three years, you will be prompted to complete the module once again, to ensure that you are up-to-date on the information.
- How do I access the Information Management training module?
The training is delivered using the Blackboard course management system.
- Do I need an existing Blackboard account and Blackboard training in order to complete the Information Management training module?
You do not need an existing Blackboard account or Blackboard training in order to complete the Information Management training module. When you are invited to take the tutorial, you will be routed to Blackboard from a link. Blackboard will function as a window (like a web site) and you will already have been granted permission to access the site.
- How long do I have to complete the Information Management training module after I receive my notification?
The training must be completed within 60 days of notification for all employees.
- Does the Information Management training module take into account the specialized records that I handle?
Specialized training for employees handling student records, medical information, and/or financial/payment card information has also been developed and will also be delivered using Blackboard. Employees to which this is applicable will be notified by email when it is necessary to take the tutorial.