Laserfiche WebLink
ERMU Management Policy—A.21 Records Management Policy <br /> Under special circumstances, a record not yet listed on the State Records Retention Schedule for <br /> Minnesota Cities can be destroyed. The Executive Administrative Assistant must submit a PRI <br /> Form -Authority to Destroy Records to the State Records Disposition Panel and receive approval <br /> from the panel before these records can be destroyed. <br /> SUSPENSION OF RECORDS DESTRUCTION—PENDING LITIGATION, <br /> GOVERNMENT INVESTIGATION OR AUDIT: <br /> If litigation is pending or threatened,the retention policy must be suspended for the document <br /> that could be subject to the litigation(litigation hold). The manager and the records coordinator <br /> must review all records prior to destruction to ensure that pending actions (litigation, government <br /> investigation, or audit)will not be affected by the destruction. If a department has been notified <br /> that litigation, government investigation, or audit is imminent or pending, all destruction must be <br /> suspended for records involved with the action. Departments should contact the city attorney to <br /> clarify the specific records involved in an action to ensure that all record production and <br /> discovery obligations can be met. <br /> SECURITY ASSESSMENT: <br /> At least annually,the responsible authority and department managers will conduct a <br /> comprehensive security assessment of any personal information maintained by ERMU. The <br /> responsible authorities shall also have all employees within their departments review ERMU's <br /> Data Practices policies. The responsible authorities will take measures to assure the employees <br /> are staying in compliance with the policies. <br /> If ERMU discover a data breach,the responsible authority for that department will give written <br /> notice by first class mail of that breach to the person who is the subject of the data. The person <br /> must also be informed that ERMU will perform an investigation of the data breach, and <br /> instructions on how the report can be accessed after completion. <br /> Upon completion of an investigation into any breach in the security of data and final disposition <br /> of any disciplinary action, including exhaustion of all rights of appeal under any applicable <br /> collective bargaining agreement,the responsible authority shall prepare a report on the facts and <br /> results of the investigation. If the breach involves unauthorized access to or acquisition of data <br /> by an employee, contractor, or agent of ERMU,the report must at a minimum include: <br /> • A description of the type of data that was accessed or acquired. <br /> • The number of individuals whose data was improperly accessed or acquired. <br /> • The names of each employee responsible for the unauthorized access, if there has been <br /> final disposition of disciplinary actions. <br /> • The final disposition of any disciplinary action taken as a result. <br /> If ERMU discovers circumstances requiring notification under this section of more than 1,000 <br /> individuals at one time, ERMU will also notify, without unreasonable delay, all consumer <br /> reporting agencies that compile and maintain files on consumers on a nationwide basis, as <br /> Page 4 of 5 <br /> 156 <br />