University employees should be especially vigilant regarding the security of information and devices while working remotely. The best place to start is the Information Security Office’s Security guidance for working remotely.
In addition to protecting the security of information, you must also be vigilant in managing and retaining university records while working remotely.
University Records
A university record is any recorded information created or received in the course of conducting university business. Recorded information may be paper, electronic, video and audio recordings, microform, or other media. University business includes all university activities, operations, and interactions between the university and its internal and external constituents. University records may be located in many places – at your desk, on your computer, or in networked storage locations managed by your department or the university as departmental, enterprise, or third-party services.
You create university records throughout your work day when you email or respond to your customers or constituents, post information to the web or your department’s social media account, write a report, create a spreadsheet, take meeting notes, or record a class or training presentation.
Types of Records
Everything you create, write down, print, or record in the course of your work at the university is a record, and no university record may be destroyed or deleted without following the university’s disposition process that pertains to that record type. There are three types of university records:
Master Record
- One copy of every record created or received through university business processes, which is the master record
- Retained according to retention rules in the UTRRS, the university’s record retention schedule
- Requires a request to dispose of records and authorization by the Records Management Officer (RMO) to destroy or delete
Convenience Copy
- A copy of a master record created for convenience, reference, or research
- Retained until it is no longer needed but not longer than the master record
- Does not require a request to dispose of records
Transitory Information
- A record of temporary usefulness that:
- is transferred to a master record, e.g., meeting notes transferred to meeting minutes
- do not document, support, or arise from university business processes, e.g., limited personal use email
- cannot be classified as an integral part of any record series in the UTRRS other than UT Item AALL083 Transitory Information or another series that does not require request to dispose of records
- Retained until it has served its purpose and then should be routinely and systematically disposed
- Does not require a request to dispose of records
Remember, even though you may not have to request to dispose of a university record because it is not a master record, you must protect it, especially if it contains confidential or controlled information.
Protect your university records
It is essential that you put in place controls needed to protect, manage, and retain university records while working remotely. Many of the controls are the same controls needed for protecting the security of information and data, but the focus of these guidelines is university records.
Protect university records on any computer or device
- Lock the screen when your computer or device is unattended and require a username/password to log in.
- Shut down when you are done for the day.
- Do not shut down a work computer to which you connect via Remote Desktop. Your work computer must be in a secure location on campus and protected from unauthorized access.
- Do not share your login and password information with anyone, including family members.
- Do not let others in your household use your university-issued computer.
Using university records on your personal computer or devices
- University faculty and staff may use personal computers or devices to conduct university business if they handle moderate to low-risk university data following the security guidance for working remotely.
- You are not permitted to use your personal computer if you handle high-risk university data.
- An exception can be made if you arrange for your personal computer to be used to connect to a remote workstation residing on campus.
- Store university records on a university-managed networked location or service, e.g., SharePoint, Austin Disk, UTBox, OneDrive, University Wiki Service, etc.
- If university records must be copied to a personal device in order to work on a file, make certain to copy the final file to a university-managed location and to delete the file, and all copies of it, from the device when the work is complete.
- Do not store university records on personal jump drives, flash drives, external hard drives, or any other drive or device that you have at home unless it is a device vetted by the Information Security Office.
- Do not store university records on a non-managed university networked service, e.g., your personal Google Drive or Dropbox.
Sharing personal computers or devices
- If you are using your personal computer, and you share it with someone in your household:
- Create a separate account for each user on your personal computer.
- Password protect the account you use to connect to university resources.
- If you share a tablet or smart phone with someone, or must share a computer account:
- Log out of all university-managed services and applications, such as Outlook, Teams, VPN, etc., before others use the device.
- Do not store passwords for these services on the device; only you as a university employee can connect to university resources.
Protect printed records
- Paper records containing confidential or controlled information must be protected.
- Refrain from printing or having printed records/documents at home unless absolutely necessary. If you must have printed university records at home, follow the guidelines below for managing those securely.
- If you share a printer with someone in your home, remove printouts containing confidential or controlled information immediately.
- If the paper is the university master record, you must submit a request to dispose before you destroy or shred it.
- Retain paper documents in a secure place until you can:
- Return to the office and place in a secure shred bin.
- Shred on your personal shredder, according to the university’s shred-spec policy for level 3 or higher.
- Paper records containing confidential or controlled information must be removed from the desk and protected when the desk is unoccupied or at the end of your work day.
- Do not throw paper records that contain controlled or confidential data in your trash or recycle bin.
- Whiteboards containing confidential or controlled information should be erased or protected from view or access by others, even at home.
Do not use a personal email address for work email
- Use your official university email address to send any university emails and communications.
- Conducting university business using an official university email is required by UT System and is documented in UT Austin’s Information Resources Use & Security Policy.
- Don’t send or receive university email in your personal email. If university business is done on your personal email address, your personal emails become subject to Open Records requests.
- If someone accidentally sends an email to your personal email address, delete the email and let the person know to send the email to your correct work address.
- If you accidentally use your personal email address to send a work-related email, send the message again from your work email address and let the recipient know to delete the original email sent from your personal address. Delete the email you sent from your personal address.
- Ensure that student workers receive a university-sponsored email address to conduct business on behalf of your department.
- No student should have university records in their personal email. The department must maintain ownership of all university records, even for work conducted by student workers.
Protect your conversations
- Use a headset or earbuds so others in your home or remote work location cannot overhear others on the conversation.
- Try to find a place where others in your house or location cannot overhear you when you are discussing confidential or controlled information (or anything, for that matter: try to be courteous).
- Do not discuss confidential or controlled information where it can be heard by baby monitors, virtual assistants such as Alexa, Google, and Cortana, or other recording devices in your home.
Physical security
- Lock the doors and windows in your home.
- Use privacy screens for your computer to protect your information.
- Make certain no one can look over your shoulder or through a door or window at confidential or controlled information on your computer or device.
Relevant University Policies
Whether working on campus or remotely, all university records must be managed in accordance with records management policies and procedures.
- Handbook of Business Procedures Part 20. Records Management
- Handbook of Operating Procedures: 3-1410 Records Management
All use of UT Austin technology resources must comply with university employee policies:
- Information Resources Use & Security Policy
- Acceptable Use & Security Policy Agreement
- Minimum Security Standards for Data Stewardship
Questions
Please contact Records and Information Management Services at rims@austin.utexas.edu if you have any questions about managing records, whether working remotely or on campus.
Contact the Information Security Office at security@utexas.edu with any questions about securely performing remote or on-campus work.
Published April 21, 2020 by Records and Information Management Services
Updated April 1, 2022