Information Technology Standard 11.6.0

University Source Document Imaging Standard


Date of Current Revision or Creation:ÌýNovember 1, 2021


The purpose of an Information Technology Standard is to specify requirements for compliance with Â鶹´«Ã½ Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

Purpose

The purpose of this standard is to establish the framework of controls and requirements in the capture, creation, use, storage, and management of digital images stored within the University Document Imaging and Repository System and in other University repositories where images are stored for records management purposes. This standard does not include scholarly and creative materials.

Definitions

Archival quality images are images with long-term or permanent value to the University, such as bylaws, deeds, contracts or other similar documents.

Data Breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen and/or used by an individual unauthorized to do so.

Data Classification - In the context of information security, it is the classification of data based on its level of sensitivity and the impact to the University should that data be disclosed, altered or destroyed without authorization.

Electronic documents and records consist of data or information captured through electronic means that are machine-readable. For the purpose of this Standard, electronic records are digital images of papers, books, photographs, tapes, films, recordings, or other documentary materials, or any copies thereof, made, produced, executed, or received by any department or office of the University or by any academic or administrative staff member in connection with the transaction of University business. For specific file or record types, see Procedures.

Hold Order is a directive from the University Counsel's Office requiring documents that are potentially involved in litigation to be preserved, and includes documents in paper and electronic format, including email.

Library of Virginia's General Schedules are the regulations governing the retention and disposition of state and local public records.

Official Copy is the record having the legally recognized and enforceable quality of establishing a fact. Official records are kept for their full retention period.

Portable Document Format or PDF is a standard file format that represents documents and images in a manner independent of hardware, software or operating system.

Retention and disposition schedule identifies minimum requirements for how long records must be retained to satisfy administrative, fiscal, legal, and historical requirements.

Scanning or Imaging is the process by which paper documents are copied and saved as digital images.

Scanner Stations are electronic scanning equipment that optically scan documents, records or images and convert them to digital images. Scanners can be desktop devices, built into multifunctional copiers (MFDs) or high-volume equipment for managing document capture, storage and retrieval.

System Owner is the employee responsible for operation and maintenance of a University IT system.

Tagged Image File Format or TIFF is a standard file format used to store images and is widely supported by scanning and optical character recognition applications.

University Data - All data or information owned, used, created or maintained by the University whether individually controlled or shared, stand-alone or networked.

University Document Imaging System is a central system utilizing proprietary software to store document information electronically by recording a digital reproduction of a scanned document.

University Records Manager is the employee responsible for the standards, procedures, training and guidance to meet requirements for the proper management of University records

University Repositories and Resources are University owned and managed networked drives, local drives, databases or other data storage locations.

Scope

This standard pertains to all University document imaging resources and repositories for records management used to conduct university business. The standard is strongly encouraged for all IT systems; however, its application should not impede instruction and research activities. Any activity should not introduce unacceptable risk to the business operations protected by this standard.

Standards Statement

  1. General Document Imaging Standards

    Any University department using document imaging, where the electronic images are intended to replace the paper source documents as the official record, must use these standards.

    Images - Electronic documents, records and images are subject to the same rules and regulations as hard copy records, and once imaged, must represent an accurate reproduction of the original document.

    Access/Use - For systems not centrally managed by the University Document Imaging and Repository System, the system must be located in a secure area that is accessible only by those who are authorized to have such access.

    Access to scanned images in University repositories and resources should only be granted upon the approval of the Data Owner.

    Departments are to manage data in accordance with the University's Data Classification Policy.

    Third Party Access - Outside vendors engaged to perform scanning services for any records that might include personal or contractual information must have the appropriate administrative, physical and technical safeguards to assure secure handling of the University's records. A copy of the vendor's security policies must be submitted to the University Records Manager.

    Metadata and Indexing - Departments must ensure that the minimum indexing and recordkeeping metadata elements are compliant with the Library of Virginia's General Schedules and listed by type or series. In addition departments are responsible for maintaining accurate indexing data for use of the specific application.

  2. Technical Scanning Requirements

    Formats and Scanning Densities - In general, scanner settings should be set at a minimum density of 300 dpi.

    Electronic documents stored in a document repository are to be in standard image file formats. The Tagged Image File Format or TIFF file format is the preferred standard for documents submitted through a scanning system. Other industry-standard file formats are acceptable provided complete documentation is maintained.

    Images that have been converted to include text data using Optical Character Recognition (OCR) must be stored as a text searchable PDF.

    Images should be stored according to best practices; contact records management for up to date professional practices.

    Quality Control - The number of original paper documents must be compared to the number of scanned records to ensure that every document was scanned.

    At least 10% of the electronic images of original paper files for an application or batch should be inspected and compared to the originals, ensuring the images are both legible and complete. On a periodic basis, 1% of the images along with their associated metadata should be examined to ensure both are readable, subject to departmental procedures.

    Original documents that are of poor quality should be marked as poor quality originals during the scanning process. This can be done by placing a "Best Copy" stamp on the page in an area that does not obscure any information, or by preceding the page with a separator sheet that denotes "The following document is a poor quality original."

    In certain projects undertaken by Â鶹´«Ã½ employees onsite, images will be checked against source documents as they are scanned. In the event of a misscan or lack of completeness, the document in question is immediately rescanned. This practice is considered 100% quality control and does not require the additional 10% inspection referred to above.

    Image Enhancement - Digital enhancement is controlled by user security levels. Enhancement techniques may be used as long as they do not alter content that exists on an original document scanned into the system.

    Managing Scanned Records in a Networked Drive or Storage location - While a networked drive or storage location is not a preferred method for saving large (size of images and quantity of images) amounts of scanned records, it can be useful for saving basic administrative and instructional records.

    When saving to a networked storage location, establish a file plan and structure for the drive/directory that will hold the incoming records. Save individual documents to folders and consider including the year the records were either created or received in the folder title to assist in records retention and disposal.

    It is important to ensure that the original content of a scanned record is not altered or modified once it has been finalized. Scanned records should be "read only" to ensure that there is no improper alteration or modification.

    Each department should document the specific scanning procedures for its particular documents.

    NOTE: Networked drives or other storage locations are not be used for the storage of Protected or Regulated Data. Any images containing Social Security Numbers, FERPA or HIPAA protected information, or Personally Identifiable Information (PII) must only be stored on the University Document Management System.

    Retention - It is the responsibility of the user to ensure that the disposal of documents adhere to applicable retention policies and laws.

    All original source documentation must be maintained for at least one month (30 days) for batch scanning by either vendors or Â鶹´«Ã½ employees following imaging or any required audits to ensure quality checks have taken place and assurance the scanned documents are legible and stored securely. This does not apply to the 100% quality control projects referred to above where, absent a hold order, the source documents may be disposed of immediately or after audit as required. In all cases the destruction of source documents that have been scanned should take place no longer than twelve (12) months after imaging and any required audits.

    Destruction of the original source documents does not need require a Certificate of Records Destruction (RM3 Form) as the scanned image becomes the official copy and as such retention policies now apply to the scanned image. The source documents are then considered to be duplicates.

    Disposal - Acceptable methods for disposing of hard-copy records include recycling and shredding. Recycling is an acceptable method for disposing of paper records with no special disposition requirements. Records disposed of in this manner must not contain personal, internal or confidential information. Shredding is the required method for disposing of personal, internal or confidential information.

    When repurposing or disposing of a system, repositories or resources, all data must be scrubbed from the system in accordance with Facilities Management's instruction on data disposal.

    Legal Preservation - Documents that are subject to a litigation hold order, audit investigation, or FOIA request may not be disposed of until authorized by the University Counsel or Director of Audit as appropriate.

    Data Breach - Departments are required to report incidents which represent a potential or actual compromise or release of sensitive information. Reports are made to the University's Information Security Officer.

    Audit - Departments should maintain a record of when and by whom scanned images have been created, revised, or deleted to provide a full, trustworthy audit trail.

    Compliance - Departmental procedures should be established to ensure that management practices related to scanned images are in compliance with pertinent laws, regulations and statements of best practice.

    Assistance - Technical assistance and support can be obtained by contacting the Technical Support Person assigned to the department or by email to itshelp@odu.edu. Assistance with records management issues or compliance can be obtained by contacting the University Records Manager.

  3. University Document Imaging System Standards

    In addition to the General Document Imaging Standards, the following standards apply to the

    University Document Imaging System. All projects with documents considered for imaging that contain regulated or protected data must be operated through the ITS Project Management Office and reviewed for secure storage by ITS Information Security. Reformatted images with a retention of longer than five (5) years, requiring a trustworthy system for their storage, are also candidates for inclusion in the University Document Imaging System.

    All technical requirements listed above apply to the University Document Imaging System.

    University Imaging System Access -

    Access to the scanned images in the University Document Imaging and Repository System are generally limited to specific data by need to know, job responsibilities, supervisor approval, and Data Owner and System Owner/Administrator approval. Access requests must be submitted using the established process.

    University offices participating in the University Document Imaging and Repository System program must identify an employee to be responsible for the operation of the program and the training of assigned personnel.

    Proprietary Documentation - Information Technology Services will provide System Owners/Administrators with specific documentation as provided by the vendor on technical procedures and criteria for scanning and entering data; ensuring that all information within images is readable and that the accuracy of index terms is verified; revising, updating and deleting images; establishing and implementing security measures; providing access; and implementing disposition procedures.

    The System Owner/Administrator is responsible for maintaining and distributing this documentation.

    Each department should document the specific scanning procedures for its particular documents.

    Scanning Stations/Hardware - The participating departments are responsible for the procurement and maintenance of the scanning station equipment and software licenses and any associated fees. Information on approved hardware can be obtained through Information Technology Services. Hardware configurations must meet the approved technical requirements.

    Digital imaging hardware and software should be routinely checked to ensure that they accurately and reliably reproduce all original documents, and equipment maintenance logs shall be maintained.

    Formats and Scanning Densities - Scanner settings must meet the approved set of standards in place for the University Imaging System.

    Electronic documents stored in a document repository are to be in standard image file formats. The Tagged Image File Format or TIFF file format is the preferred standard for documents submitted through a scanning system. PDF and other industry-standard file formats are acceptable provided complete documentation is maintained.

    Training - System Owner/Administrators are responsible for initial instruction as well as regular, ongoing retraining to ensure that employees understand the standards and procedures and any changes that may occur. Training on the University Document Management System is provided by ITS.

    Revocation - Failure to adhere to the established settings, repeated abuse of the system and/or failure to promptly act on a notification may result in the temporary suspension of scanning privileges until the settings are properly configured with the assistance of ITS.

    University Document Management System Assistance - Technical assistance and support can be obtained by contacting Information Technology Services by email to itshelp@odu.edu.

    Assistance with records management issues or compliance can be obtained by contacting the University Records Manager.

  4. Exceptions

    This standard does not apply to the Digitization Program of the Â鶹´«Ã½ Libraries, which, because of unique requirements, maintains separate detailed standards and methodology for scanning and preserving archival records.

Procedures, Guidelines & Other Related Information

History

Date

Responsible Party

Action

December 2017

DMEC/CIO/ITAC

Approved

December 2018

Policy Office

Review

November 2021 ITS Policy Office Reviewed
Ìý