The URL can be used to link to this page

120213 attachRandolph County Electronic Records and Imaging Policy Adopted December 2, 2013 by the Randolph County Board of Commissioners Effective Date: January 1, 2014 Randolph County Electronic Records and Imaging Policy, November 2013 Page 1 Subject: Electronic records Policy Number: and document imaging Effective date: January 1. 2014 Modified date: Type of Government Office: County (X ) For Other, enter name of "parent" agency unless unassigned: Municipal ( ) State Agency ( ) *Other ( ) County/Municipality/Agency: Randolph County Name of Office: Information Technol Office Address: 725 McDowell Rd Phone: Fax - 336 -318-6314 Email: mtrowland@co.randolph.n c.us *Includes assigned and unassigned offices (authorities, boards, bureaus, commissions, councils, private/public hybrid entities, etc.) Randolph County Electronic Records and Imaging Policy, November 2013 Page 2 Table of Contents 1. Purpose....................................................................................................................4 2. Responsible Parties................................................................................................. 4 3. Availability of System and Records for Outside Inspection ...................................... 6 4. Maintenance of Trustworthy Electronic Records......................................................6 5. Components of Information Technology System......................................................8 6. Documentation of Information Technology System..................................................8 7. Digital Imaging Program Documentation and Procedures ....................................... 9 8. Request for Disposal of Original Records Duplicated by Electronic Means ........... 11 9. Other Electronic Records Management Practices .................................................. 13 10. Compliance and Electronic Records Self -Warranty ................................................ 15 Randolph County Electronic Records and Imaging Policy, November 2013 Page 3 1. Purpose The records covered by this policy are in the custody of Randolph County and are maintained for the benefit of county use in delivering services and in documenting county operations. This electronic records policy reflects guidelines set in the North Carolina Department of Cultural Resources publication, North Carolina Guidelines for Managing Public Records Produced by Information Technology Systems. Complying with this policy will increase the reliability and accuracy of records stored in information technology systems, and will ensure that they remain accessible over time. Exhibiting compliance with this policy will enhance records' admissibility and acceptance by the judicial system as being trustworthy. All public records as defined by North Carolina G.S. § 132-1 are covered by this policy. This includes permanent and non -permanent records, and confidential and nonconfidential records. These classifications may warrant different treatments when processing the records. This policy serves as basic documentation of the procedures followed by the department in imaging, indexing, auditing, backing up, and purging electronic records in accordance with the disposition schedule, and in handling the original paper record, if applicable. This policy also serves to protect those records digitized by the county's document imaging system, which reduces required storage space for original documents as the county transitions to a "paperless" digital system, and provides instant and simultaneous access to documents as needed. The form provided in Section 8 of this document, Request for Disposal of Original Records Duplicated by Electronic Means, is completed and submitted to the Department of Cultural Resources whenever the county wishes to dispose of a new series of paper records that have been digitized. This policy will supersede any electronic records system policy previously adopted. This policy will be reevaluated at a minimum of every five years, or upon the implementation of a new information technology system, and will be updated as required. A copy of this policy will remain on file at the Department of Cultural Resources. 2. Responsible Parties Department Head IT Department Records Creators Department Head Responsibilities include: 1. Determining access rights to the system 2. Approving system as configured by IT Randolph County Electronic Records and Imaging Policy, November 2013 Page 4 3. Performing quality assurance checks by sampling the department's imaged records before the original documents are destroyed IT Department Responsibilities include - 1 . nclude: 1. Installing and maintaining equipment and software 2. Configuring the system according to department needs, including creating and testing applications and indexes 3. Controlling access rights to the system 4. Maintaining documentation of system hardware and software 5. Establishing audit trails that document actions taken on records stored by the information technology system 6. Providing backups for system records, and recovering deleted imaged records when necessary 7. Completing disaster recovery backup at least once every year 8. Establishing and providing document imaging training on equipment and software, documenting such training, and providing remedial training as needed. 9. Creating and updating detailed procedural manuals describing the imaging process and equipment Records Creators Responsibilities include - 1 . nclude: 1. Attending and signing off on training conducted by IT staff or by the Department of Cultural Resources 2. Creating passwords for computers that meet the Randolph County Technology Appropriate Use policy 3. Creating and managing electronic records in their purview in accordance with these policies and other guidance issued by the Department of Cultural Resources, and complying with all IT security policies 4. Reviewing the system records annually and purging records in accordance with the retention schedule 5. Carrying out day-to-day processes associated with the county's imaging program, including: • Designating records to be entered into the imaging system • Noting confidential information or otherwise protected records and fields • Removing transient records • Completing indexing guide form for each record being scanned • Reviewing images and indexing for quality assurance • Naming and storing the scanned images in designated folders • Once approved, destroying or otherwise disposing of original records in accordance with guidance issued by the Department of Cultural Resources. Randolph County Electronic Records and Imaging Policy, November 2013 Page 5 3. Availability of System and Records for Outside Inspection The county recognizes that the judicial system may request pretrial discovery of the information technology system used to produce records and related materials. County personnel will honor requests for outside inspection of the system and testing of data by opposing parties, the court, and government representatives. Records must be available for inspection and audit by a government representative for the full period required by law and approved records retention schedules, regardless of the life expectancy of the media on which the records are stored. Records must continue to exist when litigation, government investigation, or audit is pending, imminent, or if a court order may prohibit specified records from being destroyed or otherwise rendered unavailable. In order to lay a proper foundation for the purposes of admitting the county's electronic records into evidence, the county will be able to provide up-to-date, detailed documentation that describes the procedural controls employed in producing records; procedures for input control including tests used to assure accuracy and reliability; and evidence of the records' chain of custody. In addition to this policy, such documentation includes: • Procedural manuals • System documentation • Training documentation • Audit documentation • Audit trails The county will also honor inspection and copy requests pursuant to N.C. G.S. § 132. The county should produce the records in the order they were created and used in the course of business, and in the format in which they were created, unless otherwise specified by the requesting party. However, the county should produce the records in any format it is capable of producing if asked by the requesting party. If it is necessary to separate confidential from non -confidential information in order to permit the inspection or copying of the public records, the county will bear the cost of such separation. 4. Maintenance of Trustworthy Electronic Records • Produced by Methods that Ensure Accuracy • Maintained in a Secure Environment • Associated and Linked with Appropriate Metadata • Stored on Media that are Regularly Assessed and Refreshed Produced by Methods that Ensure Accuracy All platforms used by the county to create and manage electronic records, including email clients, social media platforms, and cloud computing platforms conform with all Department of Cultural Resources' policies and all applicable security policies. Randolph County Electronic Records and Imaging Policy, November 2013 Page 6 File formats used by the county are adopted as standard by the state, and are well - supported, are backwards compatible, and have robust metadata support. Maintained in a Secure Environment Security to the system and to the records it holds is maintained in the following ways: • Access rights are managed by the IT department, and are determined by a supervising authority to prevent unauthorized viewing of documents. • The information technology system allows data creators to organize and name file systems to reflect confidentiality of documents stored therein. • Confidential information is stored in folders secured with restricted access. • Physical access to storage systems and data centers is restricted. • Duplicate copies of digital media and system backup copies are stored in offsite facilities in order to be retrieved after a natural or human -made disaster. • Confidential material is redacted using the Laserfiche redaction tool before it is shared or otherwise made available. • All system password and operating procedure manuals are kept in secure off- site storage. Associated and Linked with Appropriate Metadata Metadata is maintained alongside the record. At a minimum, metadata retained includes file creator, date created, title (stored as the file name), and when appropriate, cell formulae and email header information. Employees are not instructed to create metadata other than metadata that is essential for a file's current use and/or retention. Stored on Media that is Regularly Assessed and Refreshed Data is converted to new usable file types as old ones become obsolete or otherwise deteriorate. The following steps are taken to ensure the continued accessibility of records kept in electronic formats: • Data is audited and assessed yearly • Media is refreshed every three to five years. • Records are periodically converted to new file types, particularly when a new information technology system requires that they be brought forward in order to properly render the file • Metadata is maintained during migration • Data is stored on a Storage Area Network using a redundant disk storage array. Data integrity is ensured through the use disk -level error checking on the storage array. • Storage media is maintained in a manner and in an environment that promotes bit -level preservation. Humidity does not exceed 50% and should not fall below 30%. Room temperature is set between 65° F to 75° F. The county adheres to the media manufacturer's recommendations for specific - • I u-1 . F0=10•I[i[T 111 11151ii IT41iT- 01MZ �'T•r1CIT 1 Randolph County Electronic Records and Imaging Policy, November 2013 Page 7 5. Components of Information Technology System • Training Programs • Audit Trails • Audits Training Programs The IT department will conduct training for system use and electronic records management, using material published by the Department of Cultural Resources when appropriate. All employees will be made aware of system procedures and policies, trained on them, and confirm by initialization or signature acknowledging that they are aware of the policies and have received training on them. When appropriate, employees will also attend trainings offered by the Department of Cultural Resources on the maintenance of electronic records. Documentation will be maintained for the distribution of written procedures, attendance of individuals at training sessions and refresher training programs and other relevant information. Audit Trails A log of activities on the system is maintained, which show who accessed the system, how and by whom records were created and modified, and whether standard procedures were followed. Audits Audits are designed to evaluate the process or system's accuracy, timeliness, adequacy of procedures, training provided, and the existence of audit trails. Internal audits are conducted regularly by county IT staff. 6. Documentation of Information Technology System • Content of System Documentation • Retention of System Documentation Content of System Documentation The county maintains system documentation that describes system procedures and actual practices, as well as system software and hardware, and the system environment in terms of the organizational structure, functions and responsibilities, and system processes. It explains how the system operates from a functional user and data processing point of view. Documentation is reviewed and updated yearly or upon implementation of a new information technology system by IT staff. Such documentation maintained by the county includes: • Procedural manuals • System documentation • Security backup and disaster recovery procedures as a part of the Continuity of Operations Plan Randolph County Electronic Records and Imaging Policy, November 2013 Page 8 • System -level agreements for contracted information technology services Retention of System Documentation One set of all system documentation will be maintained during the period for which the records produced by the process or system could likely be subject to court review, and until all data created by every system instance has been destroyed or transferred to new operating environment. All such documentation is listed in the county records retention schedule. 7. Digital Imaging Program Documentation and Procedures • System and Procedural Documentation • Training • Indexing and Metadata • Auditing and Audit Trails • Retention of Original and Duplicate Records System and Procedural Documentation The IT department is responsible for preparing and updating detailed procedures that describe the process followed to create and recreate electronic records. This documentation will include a description of the system hardware and software. A current procedural manual will be maintained to assure the most current steps are followed and to assure reliable system documentation will be available for judicial or similar proceedings. Each workstation designated as a scanning station will have, at a minimum, the following hardware and software: • Document/image scanner authorized by IT • Driver software for scanner • Laserfiche scanning software • Instructions manual describing in detail the steps required to get from the beginning to the end of the process. Scanning software will be preconfigured by IT with the following defaults. Documents will be scanned at a minimum resolution of 200 dpi and stored in a TIF file format. The document imaging software will rename the scanned document and file it according to department requirements. Imaging staff performing the scanning will complete any required document indexing. Training Only designated staff that have been formally trained by IT staff and signed off on training documentation on the use of the imaging software and equipment will be allowed to enter records into the content management system. Covered records will be scanned and filed as part of an ongoing regularly conducted activity. Components of the training will include basic techniques for image capture, indexing, quality control, Randolph County Electronic Records and Imaging Policy, November 2013 Page 9 security configuration, auditing, use of equipment, and general system maintenance. Rights to image and index records will not be assigned until the user has been trained. If a user improperly indexes or scans a document, an auditor will address this occurrence with the operator and remedial training will be performed as necessary. Indexing and Metadata All imaged records must be indexed in order to facilitate efficient retrieval, ease of use, and up-to-date information about the images stored in the system. This index should capture the content, structure, and context of the imaged records, and will be developed by IT staff prior to the implementation of any imaging system. It should also be indexed according to guidelines set by the Department of Cultural Resources (see Section 9 of this policy, Other Electronic Records Management Practices, for more information on database indexing). Auditing and Audit Trails The imaging staff will conduct a quality control audit following the imaging of a record to ensure that the following features of the imaged record are legible: • Individual letters, numbers, and symbols • Combinations of letters, numbers, and symbols forming words or sentences • Graphics such as signatures, logos, and pictures • Other features of records such as color, shape, texture, etc., that relate to the content of the information Managerial staff for the various county departments will also periodically audit imaged records for accuracy, readability, and reproduction capabilities. A written audit report will be prepared indicating the sampling of records produced and what remedial procedures were followed if the expected level of accuracy was not achieved. Audit trails built into the imaging system will automatically document who creates, duplicates, modifies, or otherwise prepares records, and what procedures were taken. Audit trails include the success or failure, date, time, and user of the following events: • Add/Edit electronic document • Assign index template • Copy document • Copy pages • Create document/folder • Delete entry • Delete pages • Delete volume • Edit image • Email document • Export document • Index creation/deletion/modification • Insert page Randolph County Electronic Records and Imaging Policy, November 2013 Page 10 • Log in/out • Move document • Move pages • Print document Retention of Original and Duplicate Records To obtain permission to destroy original records following imaging, the county will complete Section 8 of this document, Request for Disposal of Original Records Duplicated by Electronic Means. For each new records series to be scanned, the Department of Cultural Resources must approve the destruction of the original records. Permanent records may be imaged for ease of access, but the original documents may not be destroyed unless an analog copy exists prior to the records' destruction. Destruction of original records is allowed only after quality assurance has been conducted on the imaged records, necessary corrections have been made, auditing procedures have been conducted, and the destruction is approved. Prior to destruction of the original record, managerial staff will audit a sample of those records to verify the accurate reproduction of those records. Digital images of scanned records are maintained for the specified retention periods according to the records retention and disposition schedule. The retention period is considered to have begun when the original document was created, not when the electronic reproduction was created. Electronic and digital images of scanned records in a document management system will be considered the "official" county record. Any hard copy generated from the imaged records will be considered the county's duplicate "working" record. A copy of the purchase order and a detailed service -level agreement with the scanning vendor is maintained for any outsourced scanning. See Section 9 of this policy, Other Electronic Records Management Practices, for more information on contracting out electronic records management services. 8. Request for Disposal of Original Records Duplicated by Electronic Means This form is used to request approval from the Department of Cultural Resources to dispose of non -permanent paper records which have been scanned, entered into databases, or otherwise duplicated through digital imaging or other conversion to a digital environment. This form does not apply to records which have been microfilmed or photocopied, or to records with a permanent retention. Randolph County Electronic Records and Imaging Policy, November 2013 Page 11 )'STAFFI APS I 1J\/1:1S GOVEKCIED:TRECORDS SE-CnON STATE FECOMS CEYMR Request for DismsW of Oriainal Records Qurp!icated by Electronic Means Nyou homqwdm, caff(M)807-7350andask bribeRecwdsA#magementAn*sta.%*edlayowaWmy. Ths form is used to request approval from 0* Departnent of CWWrW Resources to dispme of rwmpemarrerd paper records which hwe been seamed, erAered irdo databasoes, or oderwise duphomed drmqh digial imag* or olher oorwersim to a M- envirorrrnent, This form dues not apply to record' d or pholowpied, or to recor& with a permanient retention, Agency Contact New: Sam- "ttrdkT sirA"M Re too Dart A"—d br Sir— "stoe�. saptezwr Due COW=Vd tT, siraft" Amimul Fatorcle AAnumtoator D'"t State Arohives of Nor& Cawb= "c*$ &Woss IkAw C4oftor S1,04 -W M N W"A'A $) pw'�M4' VWqV) 7v%"'YX2? Rsk,*)k NC TPOA Randolph County Electronic Records and Imaging Policy, November 2013 Page 12 9. Other Electronic Records Management Practices • System Planning • Electronic Records Management • Database Indexing • Security and Disaster Backup and Restoration • Contracting System Planning Each county department is responsible for determining the best storage method for it's records. Departments that plan to scan and store records in the document imaging system should first submit to IT a document imaging plan that consists of the types of records being stored, retention schedule and record volume. The requesting department is responsible for any additional storage resources needed. Electronic Records Management System documentation, system access records, digitization and scanning records, metadata, and information maintained by that system is listed in an approved records retention and disposition schedule prior to their destruction or other disposition. Records produced by the county are retained for the period of time required by local records retention schedules regardless of format. Any permanent records maintained in electronic form also exist as a paper or microfilm preservation duplicate copy in compliance with the Department of Cultural Resources' Human -Readable Preservation Duplicates policy. Database Indexing G.S. §132-6.1 requires that databases be indexed with the Department of Cultural Resources. Indexes contain the following data fields: • Description of the format or record layout • Frequency with which the database is updated • List of any data fields to which public access is restricted • Description of each form in which the database can be copied or reproduced using the county's computer facilities • Schedule of fees for the production of copies in each available form Security and Disaster Backup and Restoration The county has a disaster recovery plan for its electronic data in place, which includes contact information for data recovery vendors and information about back-ups of all data. Security back-ups to protect against data loss are generated for all but the most transitory of files. Routine back-ups are conducted daily, and are stored in secure off- site storage located at the 911 data center per the Randolph County Data Backup policy. Randolph County Electronic Records and Imaging Policy, November 2013 Page 13 Security backups of all imaged documents will be generated daily and maintained off- site. A backup copy of the scanned data and index database is created on a nightly basis for the purpose of document recovery. Contracting The terms of the service level agreement with any third -party scanning vendor will include the following details: • How the vendor provides security, confidentiality, storage, and back-ups for electronic records. • The equipment, including hardware and software, used by the vendor • The storage environment, including any geographically disparate storage locations • How the vendor complies with records retention requirements, including what the contractor is able to reproduce should legal proceedings or public records requests be issued • How the vendor avoids spoliation of evidence once e -discovery has commenced • How electronic records are to be recovered from the vendor in the event that the system is no longer supported Randolph County Electronic Records and Imaging Policy, November 2013 Page 14 10.Compliance and Electronic Records Self -Warranty The completion of this form by all signing employees signals that all employees of the unit/section/division will adhere to the rules set forth in this policy. Furthermore, this section is to be used as a self-evaluation tool to ensure that electronic records produced by state, county, municipal agencies, and other subdivisions of government are created, reproduced, and otherwise managed in accordance with guidelines for electronic public records published by the North Carolina Department of Cultural Resources. The self - warranting of records in itself does not authorize the destruction of records, originals or copies, nor does it change current records retention and disposition scheduling procedures. The government agency producing electronic records and/or reproductions is responsible for ensuring the records' authenticity and accuracy. The Department of Cultural Resources is not responsible for certifying the authenticity or accuracy of any records, whether originals or reproductions, produced by the originating agency. Records Custodian The records custodian is the person responsible for creating records or managing the staff who creates records. The records custodian certifies that: The records created or duplicated by electronic means in this office are prepared in accordance with these guidelines as indicated by the following statements: • Quality - Records are legible, accurate, and complete. • The records are produced or reproduced as part of a regularly conducted activity. • The records conform to DCR guidance regarding file formats, file naming, and if applicable digital preservation guidance produced by DCR. • Detailed, documented procedures are in place and followed when the records are created, copied, modified, or duplicated. • The person(s) who creates, copies, modifies, or duplicates the records receives formal training on detailed system procedures prior to records preparation. • Details of the training received are adequately documented through written policies and procedures. • Training records are signed by employee after receiving training. The county will comply with the best practices and standards established by the Department of Cultural Resources as published on its website. The county will submit to the Department of Cultural Resources Section 8 of this policy, Request for Disposal of Original Records Duplicated by Electronic Means, to seek approval for the destruction of original records that have been converted from paper to electronic record. Approved by: Date: Randolph County Electronic Records and Imaging Policy, November 2013 Page 15 Title: Signature: IT Professional or other Project Supervisor The IT Professional is the person responsible for providing technical support to the records custodians and who may be involved in infrastructure and system maintenance. In the absence of an IT department, the supervisor of the records custodian should verify the following items. The IT Professional certifies that: Audit trails document the identity of the individual(s) who creates, duplicates, modifies, or otherwise prepares the records, what actions are taken by the individual during the course of the process, when these actions are taken, and what the results of these actions are. Audits: • are performed periodically to confirm that the process or system produces accurate results. • confirm that procedures actually followed are in accordance with procedure stated in the system's documentation. • are performed routinely on documents to ensure no information has been lost. • are performed by an independent source (i.e., persons other than those who create the records or persons without an interest in the content of the records. Acceptable source may include different department or authorized auditing authority). • are adequately documented. The process or system hardware and software are adequately documented Permanent records conform to all file format, file naming, and digital preservation guidance produced by the Department of Cultural Resources. Back up procedures are in place and comply with best practices, as established by the Department of Cultural Resources. Successful disaster recovery back up is completed at least once every two years. Approved by: Title: Signature: Date Randolph County Electronic Records and Imaging Policy, November 2013 Page 16 FOR DEPARTMENT OF CULTURAL RESOURCES USE Approved by: Title: Signature: Date Randolph County Electronic Records and Imaging Policy, November 2013 Page 17