HHS OCIO Policy for Records Management
September 15, 2005
Table of Contents
- 1. Nature of Changes
- 2. Purpose
- 3. Background
- 4. Scope
- 5. Policy
- 6. Roles and Responsibilities
- 7. Applicable Policies and Guidance
- 8. Information and Assistance
- 9. Effective Date/Implementation
- 10. Approved
This is a revision to the September 15, 2005 issuance of the HHS-OCIO-2005-0002.001, Policy for Records Management, solely to correct a technical reference citing. Changes are made as follows:
- Section 1. Purpose, has been changed to reference the technical correction.
- Section 5, Roles and Responsibilities, 5.1 The Agency Head (Department), has been changed from: HHS-OCIO-2005-000X.001, dated June XX, 2005
to correctly reflect that technical reference as: Electronic Records Management Policy, HHS-OCIO-2005-0001.001, dated September 15, 2005.
This document establishes the policy for records management within the Department of Health and Human Services (HHS) into standard policy format. The Policy applies to all HHS personnel, contractors, interns and visitors that have access to HHS facilities or HHS information. It is developed to implement requirements to establish objectives, responsibilities, standards, guidelines and instructions for records management such as records creation, maintenance, adequate documentation and proper records disposition. It intends to protect HHS resources and data from unauthorized use and disclosure, inappropriate records disposition, to improve incident response for records management violations, and to mitigation of any indiscretions.
This version updates the previous version (HHS-OCIO-2005.0002.001) for a technical reference citing in 5. Roles and Responsibilities. This policy superceded HHSIRM Circular #21, Records Management, dated January 15, 1993. It converted the content from “Circular format” to HHS Office of the Chief Information Officer (OCIO) Policy format while updating references, as appropriate, as well as updating the responsibility and roles sections to incorporate the influence that Enterprise Architecture and security have on Records Management, per a meeting between HHS CIO staff and the National Archives and Records Administration on March 23, 2005.
The heads of Federal agencies are responsible for making and preserving records containing adequate documentation of the organization, functions, policies, decisions, procedures and essential transactions of the agency. The records should be designed to furnish information necessary to protect the legal and financial rights of the Government and of persons directly affected by the agency’s activities. (See 44 U.S.C. 3101). Each Federal agency is required to establish an active and continuing records management program, and is responsible for submitting records disposition schedules to the Archivist of the United States for approval. (No record may be destroyed without the authorization of the Archivist. Unauthorized destruction of records can result in criminal penalties [18 U.S.C. 2071].)
Failure to create and/or dispose of Federal records is not the only concern for HHS. We also must assure that our records are properly maintained which includes their protection from improper exposure. This policy serves as the foundation for a comprehensive risk mitigation strategy; enhanced by published security standards, best practice documents and, where applicable, more granular Agency-specific policy.
The National Archives and Records Administration Act of 1984 (Public Law 98-497, 44 United States Code [U.S.C.] Chapter 29), amended the records management statutes to divide records management responsibilities between the National Archives and Records Administration (NARA) and the General Services Administration (GSA). Under the Act, NARA is responsible for adequacy of documentation and records disposition, as stated in 36 CFR Chapter XII, Subchapter B, which prescribes policies for records management programs relating to records creation and maintenance, adequate documentation and proper records disposition; and GSA is responsible for economy and efficiency in records management. Federal agency records management programs must comply with regulations promulgated by both NARA and GSA, as stated in the Federal Information Resources Management Regulation (FIRMR), Subchapter B, §201-9, “Creation, Maintenance, and Use of Records”. (NOTE: FIRMR Bulletin B-1, “Electronic Records Management,” provides specific guidance for electronic records and is essentially the same as 36 CFR Chapter XII, Subchapter B, Part 1234). See also the HHS OCIO 2005-0001, Policy for Electronic Records Management, dated September 15, 2005.
Further guidance is contained in GSA and NARA bulletins, handbooks and other publications, as well as their websites.
This document establishes the Policy for records management implemented within the Department of Health and Human Services (HHS). This Policy applies to all Department Operating Divisions, including the Office of the Secretary, and organizations conducting business for and on behalf of the Department, whether owned and operated by HHS, or operated on behalf of HHS, through contractual relationships and/or service level agreements when using HHS IT resources. It applies to all HHS personnel, contractors, interns and visitors who have access to HHS supported facilities or HHS information.
Within this policy the term Operating Division (OPDIV) includes the Inspector General, as well as the Office of the Secretary as a combined, single entity. The Office of the Secretary includes the Offices of the Regional Directors and, for “Information Resources Management (IRM)” purposes, the Administration on Aging.
This policy applies to the management of all records, regardless of medium (i.e., paper, electronic, microfiche, data files or other) on which the records are created, used, filed or retrieved (databases, file cabinets, database management systems, etc.). Additional HHS guidance, specific to electronic records, is contained in the HHS OCIO Policy for Electronic Records Management.
Agency officials shall apply this policy to contractor personnel, interns and other non-government employees through incorporation by reference in contracts, service level agreements (SLA) or memoranda of understanding (MOU) as conditions for using Government provided IT resources.
Agencies shall use this Policy or may create a more restrictive OPDIV policy, but not one that is less restrictive, comprehensive or compliant with the applicable sections of Title 44 of the U.S.C., the Department, GSA and NARA requirements.
5.1 Each OPDIV shall establish and maintain an active, continuing program for the:
5.1.1 accurate and complete documentation of OPDIV policies and transactions;
5.1.2 economic and efficient management of its records in support of the operations of the OPDIV;
5.1.3 control of the quantity and quality of records produced, including prevention of the creation of unnecessary records, simplification of records processes, and the prevention of unnecessary paperwork; and
5.1.4 judicious preservation and disposal of records.
5.2 The OPDIVs shall comply with applicable sections of Title 44 of the U.S.C., the regulations published by NARA and GSA, and the supplementary policies and guidance provided by the Department.
5.3 The OPDIVs shall consider the guidance contained in GSA and NARA handbooks and bulletins when establishing and implementing their records management programs.
5.4 The OPDIVs shall schedule all OPDIV records for disposition.
5.5 OPDIVs shall use the mandatory NARA General Records Schedules (GRS), as applicable, and to the greatest extent possible, to schedule the disposition of their records. The GRS covers only disposable (temporary) records. See http://www.archives.gov/records-mgmt/ardor/records-schedules.html for current GRS.
5.6 OPDIVs shall develop proposed requests for disposition of records created or received which are not covered by the GRS or which have not previously been scheduled for disposition, in accordance with the policy and procedures specified in this policy.
5.7 The proposed requests for disposition shall be sent to the HHS Records Management Officer for concurrence and submission to NARA for approval. Until a request for disposition is approved by NARA, the records are unscheduled, and shall be maintained indefinitely, in accordance with 36 CFR Chapter XII, Subchapter B, §1222.50.
5.8 OPDIVs shall ensure that all employees creating or receiving records are adequately trained in recordkeeping, and are reminded annually of OPDIV recordkeeping policies and the sanctions provided for the unlawful “alienation” (removal or destruction) of Federal records.
5.9 OPDIVs shall periodically review and evaluate their records activities and records management programs to:
5.9.1 ensure that records creation, documentation, maintenance, use, and disposition comply with applicable laws and regulations; and
5.9.2 assess the effectiveness of their records management programs.
5.10 To meet the requirements of 36 CFR Chapter XII, Subchapter B and FIRMR §201-9.103, at a minimum, the OPDIVs shall take the following actions to maintain their records management programs:
5.10.1 OPDIVs shall assign specific responsibility for the development and implementation of their records management programs to a qualified records manager within the OPDIV. Each OPDIV shall report the name and organization of the records manager assigned responsibility for its records management program to the HHS Records Management Officer.
5.10.2 OPDIVs shall ensure that individuals responsible for the implementation of the agency’s records management programs participate in the development of new or revised programs, processes, systems and procedures; in the IRM strategic planning process; and in the determination of information needs and Federal Information Processing (FIP) resources requirements. Records managers will ensure that records disposition is part of the architecture of any new program development or any updates/corrections or modifications to existing programs
5.10.3 OPDIVs shall issue any necessary internal directives establishing policies and procedures for their records management programs.
5.10.4 When determining program requirements and FIP resources requirements, the OPDIVs shall consider issues regarding the creation, maintenance and use, retention and disposition of associated records; the integration of electronic records with other records; safeguards against unauthorized use or destruction of records; and Privacy Act requirements.
5.10.5 OPDIVs shall institute controls over:
126.96.36.199 the creation of records, to ensure agency functions are adequately and properly documented;
188.8.131.52 the maintenance and use of records, to ensure that integrity, availability, and confidentiality requirements are met; and
184.108.40.206 the disposition of records, to ensure that permanent records are preserved and ultimately transferred to the Archives and that temporary records no longer of current use are promptly disposed of or retired in accordance with their disposition schedules.
5.11 Each proposed records schedule developed by an OPDIV shall be submitted on an SF 115, “Request for Records Disposition Authority,” to the HHS Records Management Officer for concurrence. Upon the HHS Records Management Officer’s concurrence, proposed records disposition schedules shall be sent to NARA for approval. OPDIVs shall not adopt a proposed records schedule, or dispose of records based on a proposed records schedule, prior to NARA’s final approval of the proposed records schedule.
5.12 Each OPDIV shall maintain an inventory of all series of records (and associated disposition schedules) created or received within the OPDIV. Alternatively, each OPDIV component organization may maintain separate inventories, as determined by the OPDIV.
5.13 Each OPDIV shall report any violations in conformance with 36 CFR Chapter XII, Subchapter G, “Damage to, Alienation, and Unauthorized Destruction of Records”, to the Department head via the HHS Records Management Officer. §1228.102 provides the criminal penalties, and, §1228.104, prescribes the reporting process.
The Agency Head is responsible for making and preserving records; establishing a continuing records management program; and submitting disposition schedules. See 44 U.S.C. 3101 and 18 U.S.C. 2071. Refer to HHS-OCIO Electronic Records Management Policy, 2. Background, (HHS-OCIO-2005-0001.001, dated September 15, 2005).
36 CFR Chapter XII, Subchapter G, “Damage to, Alienation and Unauthorized Destruction of Records”, §1228.100, Responsibilities, states:
“The Archivist of the United States and heads of Federal agencies are responsible for preventing the alienation or unauthorized destruction of records, including all forms of mutilation. Records may not be removed from the legal custody of Federal agencies or destroyed without regard to the provision of agency records schedules (SF 115 approved by NARA or the General Records issued by NARA).
The heads of Federal agencies are responsible for ensuring that all employees are aware of the provisions of the law relating to unauthorized destruction, alienation, or mutilation of records, and should direct that any such action be reported to them.” §1228.102 states the criminal penalties, and, §1228.104, states, the required reporting.
The OPDIV Director or OPDIV CIO develops and implements OPDIV-wide policy for records management in accordance with this policy, and other Department, GSA and NARA guidance and requirements. This includes following the required reporting of any and all alienation or unauthorized destruction of records or mutilation. Refer to 36 CFR Chapter XII, Subchapter G, “Damage to, Alienation and Unauthorized Destruction of Records”.
The Department Enterprise Architect shall ensure that any and all systems development plans, schedules, work breakdown structures, business cases and OMB Exhibits 300, “Capital Asset Plan and Business Case Summary”, address records management provisions upfront in the planning and development stages of the lifecycle by establishing the requirement that an architectural records management layer be addressed as standard development, regardless of medium (paper, electronic, etc.).
The OPDIV CISO is responsible for ensuring the technical security of the ODPIV data records management in the case of electronic records. He/she is responsible for implementing this policy in conjunction with the Electronic Records Management Policy and providing the detailed monitoring, and enforcement tools and procedures as well as the requirements for incident reporting established under the Security Policy.
The Department Records Management Officer is responsible for reviewing OPDIV prepared records disposition schedules, circulating these proposed schedules to the appropriate Department officials for their review/comment/concurrence (i.e. Privacy/FOIA, OGC, etc.) and submitting them to the Archivist for his/her final approval.
For each proposed records disposition schedule the Department Records Management Officer is responsible for certifying, by signing the SF 115, Request for Records Disposition Authority (“Signature of Agency Representative” block) to NARA (see 36 CFR 1228), that HHS has taken into account its needs for the records for the conduct of current business as well as the likelihood for potential future usage for legal, fiscal, and administrative purposes.
The Department Records Management Officer is responsible to coordinate the reporting of any and all violations of records disposition from the Department head to NARA, as prescribed in 36 CFR Chapter XII, Subchapter G, “Damage to, Alienation and Unauthorized Destruction of Records”.
The OPDIVs are responsible for establishing the objectives, responsibilities, standards, guidelines and instructions for their records management programs, in accordance with this policy and other Department, GSA and NARA guidelines and requirements. This includes reporting to the Department Records Management Officer any and all unauthorized destruction, alienation or mutilation of any kind. See 36 CFR Chapter XII, Subchapter G, “Damage to, Alienation and Unauthorized Destruction of Records”.
For each proposed records schedule, the OPDIV Records Management Officer is responsible for certifying, by signing the SF 115 (in Block 4, “Name of Person with Whom to Confer”), to the HHS Records Management Officer that:
6.6.1 the OPDIV has taken into account its needs for the records for the conduct of current business as well as the likelihood for potential future usage for legal, fiscal and administrative purposes; and
6.6.2 adequate documentation (including the opinion of the Office of the General Counsel, as necessary) supporting the proposed disposition schedule is maintained in the appropriate OPDIV records management files.
7.1.1 Federal Property and Administrative Services Act of 1949, as amended (40 U.S.C. 759 § 111).
7.1.2 Federal Records Act of 1950, as amended (44 U.S.C. Chapter 21, Chapter 29, Chapter 31, Chapter 33).
7.1.3 National Archive and Records Administration Act of 1984 (Public Law 98-497, 44 U.S.C. Chapter 21).
7.1.4 Paperwork Reduction Act of 1980, as amended (44 U.S.C. Chapter 35).
7.2.1 36 CFR Chapter XII, Subchapter B especially Part 1234, “Electronic Records Management.”
7.2.2 36 CFR Chapter XII, Subchapter G, “Damage to, Alienation and Unauthorized Destruction of Records”.
7.2.3 Federal Information Resources Management Regulation (FIRMR) Bulletin B-1, “Electronic Records Management. (Note that FIRMR Bulletin B-1 is essentially the same as 36 CFR Chapter XII, Subchapter B, Part 1234).”
7.2.3 FIRMR Part 201-9, “Creation, Maintenance, and Use of Records.”
7.3 Department Guidance
7.3.1 HHS OCIO-2005-0001, Policy for Electronic Records Management, dated September 15, 2005.
7.4 GSA Guidance
7.4.1 GSA “Evaluating Electronic Recordkeeping, A Self-Inspection Guide for Agencies,” November 1990.
7.4.2 GSA Handbook, “Electronic Recordkeeping,” July 1989.
7.5 NARA Guidance
NARA Instructional Guide “Managing Electronic Records,” 1990. See footnote below.
Direct questions, comments, suggestions or requests for further information to the Deputy Assistant Secretary for Information Technology (formerly Information Resources Management), (202) 690-6162
The effective date of this policy is the date the policy is approved.
These policies and procedures will not be implemented in any recognized bargaining unit until the union has been provided notice of the proposed changes and given an opportunity to fully exercise its representational rights.
The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary's policy statement dated August 7, 1997, as amended, titled "Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations." It is HHS' policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department's plans, projects, programs and activities on tribal and other available
resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.
_/s/ Charles Havekost________________________ ______September 15, 2005_________
HHS Chief Information Officer DATE
Alienation-Losing care and custody. Not protecting from loss or access.
Database – A set of data, consisting of at least one data file, that is sufficient for a given purpose.
Database Management System – A software system used to access and retrieve data stored in a computer database.
Data File – Related numeric, textual or graphic information that is organized in as strictly prescribed form and format.
Disposal – The action taken regarding temporary records after their retention periods expire and consisting usually of destruction or occasionally of donation. Also, when specified, “disposal” refers to the actions taken regarding non-record materials when no longer needed, especially their destruction. (See NARA, “A Federal Records Management Glossary.”)
Disposition – The action taken with regard to records following their appraisal by NARA (36 CFR 1220.14). The actions include transfer to agency storage facilities or Federal records center; transfer from one Federal agency to another; transfer of permanent records to the National Archives; and disposal of temporary records. “Disposition” is also the action taken regarding non-records materials when no longer needed, including screening and destruction. (NARA, “A Federal Records Management Glossary”).
Electronic Mail (Email) – A way to send messages between computer users, either over a network or the Internet. E-mail is usually just text, but can be pictures, diagrams, sounds or programs embedded in the text or as attachments.
Electronic Records – Any information that is recorded in a form that only a computer can process and that satisfies the definition of a Federal record in 44 U.S.C. 3301. Electronic records include numeric, graphic and text information, which may be recorded on any medium capable of being read by a computer and which satisfies the definition of a record.
This includes, but is not limited to, magnetic media, such as tapes and disks, and optical disks. Unless otherwise noted, these requirements apply to all electronic records systems, whether on microcomputers, minicomputers, or mainframe computers, regardless of storage media, in network or stand-alone configurations. (FIRMR Bulletin B-1).
Electronic Records System – Any information that produces manipulates or stores Federal records by using a computer.
Information System – Is defined by the Office of Management and Budget (OMB) in Circular No. A-130 “….the organized collection, processing, transmission and dissemination of information in accordance with defined procedures, whether automated or manual.”
Non-record Materials – are those Federally-owned informational materials that do not meet the statutory definition of records (44 U.S.C. 3301), or that have been excluded from coverage by the definition. Excluded materials are extra copies of documents kept only for reference, stocks of publications and processed documents, and library or museum materials intended solely for reference or exhibit. (36 CFR 1220.14)
Office of the Secretary (OS) – includes the Offices of the Regional Directors and, for Information Resources Management (IRM) purposes, the Administration on Aging.
OMB Exhibit 300- Capital Asset Plan and Business Case Summary– As prescribed and described in OMB’s Circular A-11, Preparation, Submission and Execution of the Budget.
OMB Circular A-130-Management of Federal Information Resources – Establishes policy for the management of Federal information resources. OMB includes procedural and analytic guidelines for implementing specific aspects of these policies. The policies in this Circular apply to the information activities of all agencies of the executive branch of the Federal government.
Operating Division – An entity of Health and Human Services (HHS) that is an independent agency
OS Operating Division (OPDIV) – Includes the Inspector General, as well as the Office of the Secretary as a combined, single entity.
Records – includes all books, papers, maps, photographs, machine readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an agency of the United States Government under Federal law or in connection with the transaction of public business, and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decision, procedures, operations or other activities of the Government, or because of the information value of the data in them. (44 U.S.C. 3301)
Records Disposition – is any activity with respect to:
- disposal of temporary records no longer needed for the conduct of business by destruction or donation to an eligible person or organization outside of Federal custody;
- transfer of records to Federal agency storage facilities or records centers;
- transfer to the national Archives of the United States of records determined to have sufficient historical or other value to warrant continued preservation; or
- transfer of records from one Federal agency to any other Federal agency. (44 U.S.C. 2901 ).
Records Management – the planning, controlling, directing, organizing, training, promoting, and other managerial activities involved with respect to records creation, records maintenance and use, and records disposition in order to achieve adequate and proper documentation of the policies and transactions of the Federal Government and effective and economical management of agency operations. (44 U.S.C. 2901 .
Records Schedule – means:
- an SF 115, “Request for Records Disposition Authority,” that has been approved by NARA to authorize the disposition of Federal records;
- a General Records Schedule (GRS) issued by NARA; or
- a printed agency manual or directive containing the records descriptions and disposition instructions approved by NARA on one or more SF 115s or issued by NARA in the GRS. (36 CFR 1220.14).
Records series – file units or documents arranged according to a filing system or kept together because they relate to a particular subject or function, result from the same activity, document a specific kind of transaction, take a particular physical form, or have some other relationship arising out of their creation, receipt, or use, such as restrictions on access and use. (NARA, “A Federal Records Management Glossary”).
Scheduling – the process of developing schedules for the disposition of records, along with disposition instructions for nonrecord materials. (NARA, “A Federal Records Management Glossary”).
Sensitive Data – Sensitive data are data that require protection due to the risk and magnitude of loss or harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the data. The term includes data whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary data, records about individuals requiring protection under the Privacy Act, and data not releasable under the Freedom of Information Act.
Text Documents – Narrative or tabular documents, such as letters, memoranda and reports, that are in loosely prescribed form and format.
 Where disposition authority for electronic records and disposition authority for records other than electronic records are requested on a single Standard Form 115, “Request for Records Disposition Authority,” OPDIVs shall assure that the OPDIV Electronic Records Management Officer and the OPDIV Records Management Officer both participate in the development of the request and that each officer certifies the accuracy of the request for the items which fall under their respective responsibility. Such a request should be sent to the HHS Records Management Officer. Also, see sections Procedures 1 and Responsibilities 3 of this Policy.
 See http://www.archives.gov/records-mgmt/ardor/records-schedules.html for current GRS; See http://www.archives.gov/records-mgmt/policy/ Then follow Policy and Guidance link.
 This includes E-mail, sent or received, by all devices.