University employees should be even more vigilant regarding the security of information and devices while working remotely. The best place to start is the Information Security Office’s Security guidance for working remotely.
In addition to protecting the security of information, you must also be vigilant in managing and retaining university records while working remotely.
A university record is any recorded information created or received in the course of conducting university business. Recorded information may be paper, electronic, video and audio recordings, microform, or other media. University business includes all university activities, operations, and interactions between the university and its internal and external constituents. University records may be located in many places – at your desk, on your computer, or in networked storage locations managed by your department or the university as departmental, enterprise, or third-party services.
You create university records throughout your work day when you email or respond to your customers or constituents, post information to the web or your department’s social media account, write a report, create a spreadsheet, take meeting notes, or record a class or training presentation.
Disposition of records
Everything you create, write down, print, or record in the course of your work at the university is a record, and no university record may be destroyed or deleted without following the university’s disposition process that pertains to that record type. There are three types of university records:
- One copy of every record created or received through university business processes, which is the master record
- Retained according to retention rules in the UTRRS, the university’s record retention schedule
- Require a request to dispose of records and authorization by the Records Management Officer (RMO) to destroy or delete
- Copies of master records created for convenience, reference, or research
- Retained until they are no longer needed but not longer than the master record
- Does not require a request to dispose of records
- Records of temporary usefulness that:
- do not document, support, or arise from university business processes, e.g., limited personal use email
- are transferred to a master record, e.g., notes transferred to an email
- cannot be classified as an integral part of any record series in the UTRRS other than UT Item AALL083 Transitory Information or another series that does not require request to dispose of records
- Retained until they have served their purpose and then should be routinely and systematically disposed
- Do not require a request to dispose of records
Remember, even though you may not have to request to dispose of a university record, you must protect it, especially if it contains confidential or controlled information.
Protect your University Records
It is essential that you put in place controls needed to protect, manage, and retain university records while working remotely. Many of the controls are the same controls needed for protecting the security of information and data, but the focus of these guidelines is university records.
Protect university records on any computer or device
- Lock the screen when your computer or device is unattended and require a username/password to log in.
- Shut down when you are done for the day.
- Do not shut down a work computer to which you connect via Remote Desktop. Your work computer must be in a secure location on campus and protected from unauthorized access.
- Do not share your login and password information with anyone, including family members.
- Do not let others in your household use your work computer.
Using university records on your personal computer or devices
- University faculty and staff may use personal computers or devices to conduct university business if they handle moderate to low-risk university data following the security guidance for working remotely.
- You are not permitted to use your personal computer if you handle high-risk university data.
- Store university records on a university-managed networked location or service, e.g., Austin Disk, UTBox, OneDrive, University Wiki Service, etc.
- If university records must be copied to a personal device in order to work on the file, make certain to copy the final file to a university-managed location and to delete the file from the device when the work is complete.
- Do not store university records on personal jump drives, flash drives, external hard drives, or any other drive or device that you have at home unless it is a device vetted by the Information Security Office.
- Do not store university records on a non-managed university networked service, e.g., your personal Google Drive or Dropbox.
Sharing personal computers or devices
- If you are using your personal computer, and you share it with someone in your household:
- Create a separate account for each user on your personal computer.
- Password protect the account you use to connect to university resources.
- If you share a tablet or smart phone with someone, or must share a computer account:
- Log out of all university-managed services and applications, such as Outlook, Teams, VPN, etc., before others use the device.
- Do not store passwords for these services on the device; only you can connect to university resources.
Protect printed records
- Paper records containing confidential or controlled information must be protected.
- Refrain from printing or having printed records/documents at home unless absolutely necessary. If you must have printed university records at home, follow the guidelines below for managing those securely.
- If you share a printer with someone in your home, remove printouts containing confidential or controlled information immediately.
- If the paper is the university master record, you must submit a request to dispose of the records before you destroy or shred it.
- Retain paper documents in a secure place until you can:
- Return to the office and place in a secure shred bin.
- Shred on your personal shredder, according to the university’s shred-spec policy for level 3 or higher.
- Paper records containing confidential or controlled information must be removed from the desk and protected when the desk is unoccupied or at the end of your work day.
- Do not throw paper records that contain controlled or confidential data in your trash or recycle bin.
- Whiteboards containing confidential or controlled information should be erased or protected from view or access by others, even at home.
Do not use a personal email address for work email
- Use your official university email address to send any university emails and communications.
- Conducting university business using an official university email is required by UT System and is documented in UT Austin’s Information Resources Use & Security Policy.
- Don’t send or receive university email in your personal email. If university business is done on your personal email address, your personal emails become subject to Open Records requests.
- If someone accidently sends an email to your personal email address delete the email and let the person know to send the email to your correct work address.
- If you accidently use your personal email address to send a work-related email, send the message again from your work email address and let the recipient know to delete the original email sent from your personal address. Delete the email you sent from your personal address.
- Ensure that student workers receive a university-sponsored email address to conduct business on behalf of your department.
- No student should have university records in their personal email. The department must maintain ownership of all university records, even for work conducted by student workers.
Protect your conversations
- Use a headset or earbuds so others in your home or remote work location cannot overhear others on the conversation.
- Try to find a place where others in your house or location cannot overhear you when you are discussing confidential or sensitive information (or anything, for that matter: try to be courteous).
- Do not discuss confidential or sensitive information where it can be heard by baby monitors, virtual assistants such as Alexa, Google, and Cortana, or other recording devices in your home.
- Lock the doors and windows in your home.
- Use privacy screens for your computer to protect your information.
- Make certain no one can look over your shoulder or through a door or window at confidential or sensitive information on your computer or device.
Relevant University Policies
Whether working on campus or remotely, all university records must be managed in accordance with records management policies and procedures.
- Handbook of Business Procedures Part 20. Records Management
- Handbook of Operating Procedures: 3-1410 Records Management
All use of UT Austin technology resources must comply with university employee policies:
- Information Resources Use & Security Policy
- Acceptable Use & Security Policy Agreement
- Minimum Security Standards for Data Stewardship
Published April 21, 2020 by Records and Information Management Services