103: Records Custodians
Information Security Policies & Procedures Manual
Section 100: Information Security Roles and Responsibilities
The purpose of this section is to clarify the role of “Records Custodian” as defined in OSU policy and practice, to ensure that specific University obligations are met.
OSU’s policy on Acceptable Use of University Information defines a specific set of data related to the operation of the University and assigns a set of Records Custodians for those data in accordance with state law and University standard practice. These Records Custodians have been designated by the University President to ensure accountability and proper records handling for institutional data regardless of which individual collects this information on behalf of the University. These data include student records, financial records, and human resource records. For the purposes of Information Security Policy, University personnel who collect data that do not fit these categories are recognized as the appropriate Records Custodian for that data.
Records Custodians documented in the Acceptable Use of University Information policy (or their delegates) have planning and policy-level responsibility for Information Systems within their functional areas and management responsibility for defined segments of Institutional Information. All Records Custodians have the responsibility to ensure appropriate handling of information entrusted to the institution.
Records Custodians should do the following:
- Develop, implement, and manage information access policies and procedures.
- Ensure compliance with contractual obligations and/or federal, state, and University policies and regulations regarding the release of, responsible use of, and access to information.
- Assign information classifications based on a determination of the level of sensitivity of the information (see OSU ISM 202: Information Systems – Classification Standards).
- Assign appropriate handling requirements and minimum safeguards which are merited beyond baseline standards of care as defined in OSU ISM 203.
- Promote appropriate data use and data quality, including providing communication and education to data users on appropriate use and protection of information.
- Develop and implement record and data retention requirements in conjunction with University Archives.