Loading
The Oregon Administrative Rules contain OARs filed through August 15, 2016
 
QUESTIONS ABOUT THE CONTENT OR MEANING OF THIS AGENCY'S RULES?
CLICK HERE TO ACCESS RULES COORDINATOR CONTACT INFORMATION

SECRETARY OF STATE, ARCHIVES DIVISION

 

DIVISION 17

ELECTRONIC RECORDS

166-017-0005

Purpose

Agencies must ensure access to all public records as defined by ORS 192.410 to 192.505 for the entire length of the retention period approved by the State Archivist. Electronic public records are particularly susceptible to accidental deletion, damage and obsolescence. These rules help to ensure that public records maintained in electronic format are accessible for their scheduled retention period.

Stat. Auth.: ORS 192.050, 192.060 & 192.105
Stats. Implemented: 357.825(2), 357.855 & 357.895
Hist.: OSA 1-2016, f. & cert. ef. 5-5-16

166-017-0010

Definitions

In addition to the definitions contained in OAR 166-005-0010, the following definitions apply to this division:

(1) "AIIM" — Association for Information and Image Management.

(2) "ANSI" — American National Standards Institute.

(3) "ASCII" — American Standard Code for Information Interchange; A standard, seven-bit character set for use by digital computers, which includes 96 displaying symbols (letters, digits, punctuation) and 32 control codes (line feed, newline, tab, etc.).

(4) “Cloud storage” is a model of networked enterprise storage where data is stored in virtualized pools of storage which may be hosted by third parties.

(5) "Digitization" means the process of transforming analog material into electronic form, especially for storage and use in a computer.

(6) “DoD” — Department of Defense.

(7) "DPI" — Dots per inch; refers to the number of pixels contained in a linear inch.

(8) "Electronic record" means any information recorded in a form that requires a machine to process and access the information.

(9) "Electronic records system" is a generic term to indicate any combination of hardware, media or storage, and software used to store electronic records.

(10) "Electronic records management system (ERMS)" means commercial or open source purpose-built software used by an organization to manage records from creation to final disposition. The system’s primary functions are categorizing and locating records and identifying records that are due for disposition. The Electronic Records Management System also stores, retrieves and may dispose of the electronic records that are stored in its repository.

(11) "Hybrid micrographic system" means a system that combines a micrographic/microfilm analog system with electronic, digital technology.

(12) “IEC” — International Electrotechnical Commission.

(13) “ISO” — International Organization for Standardization.

(14) "Magnetic media" means any type of storage medium that utilizes magnetic patterns to represent information.

(15) “NIST SP” — National Institute of Standards and Technology Special Publication

(16) "Open format" means a data format that is defined in complete detail and that allows transformation of the data to other formats without loss of information. An open format may be either standards-based or proprietary.

(17) "Optical media" means a platter used to store large quantities of data that can be read using light.

(18) “PDF” — Portable Document Format.

(19) “TIFF” — Tagged Image File Format.

(20) "WORM” — Write once, read many; refers to a type of optical disk which cannot be erased or amended.

Stat. Auth.: ORS 192.050, 192.060 & 192.105
Stats. Implemented: ORS 357.825(2), 357.855 & 357.895
Hist.: OSA 2-1994, f. 1-28-94, cert. ef. 4-1-94; OSA 1-2016, f. & cert. ef. 5-5-16

166-017-0015

General Requirements

(1) Agencies must ensure that all public records in all formats or mediums, including electronic, are maintained in accordance with an applicable records retention schedule approved by the State Archivist.

(2) Agencies must develop policies and procedures and perform periodic reviews to monitor compliance to agency policies regarding access, use, retention, and disposition of electronic records.

(3) In accordance with their contracting authority, agencies may contract with external vendors for the storage or management of electronic records. The vendors must comply with all rules in OAR 166, Division 17. Agencies must not enter into a contract with any person or entity if the contract will impair the right of the public to inspect or copy the agency's nonexempt public records, including contracts where the custody of the records is transferred, either purposefully or inadvertently, from the agency to the hosting entity.

(4) Contracting agencies must ensure that vendors manage agency records in compliance with all rules in OAR 166, Division 17. Contracts for the storage of electronic records by external vendors must require the vendor to comply with OAR 166, Division 17 and to return all electronic data files and indexing information to the agency at the expiration of the contract or upon vendor failure to comply with OAR 166, Division 17.

(5) Agencies must ensure that electronic public records are accessible to the public for their entire authorized retention period and that non-permanent records are destroyed at the end of their authorized retention period. Agencies must also maintain confidentiality for electronic public records that are exempt from public disclosure.

Stat. Auth.: ORS 192.050, 192.060 & 192.105
Stats. Implemented: 357.825(2), 357.855 & 357.895
Hist.: OSA 1-2016, f. & cert. ef. 5-5-16

166-017-0025

Electronic Records Management Systems

If an agency purchases an Electronic Records Management System (ERMS) to manage electronic records, the system must be certified as conforming to DoD 5015.2-STD, "Design Criteria Standard for Electronic Records Management Applications, Version 2 or 3.”

Stat. Auth.: ORS 192.050, 192.060 & 192.105
Stats. Implemented: 357.825(2), 357.855 & 357.895
Hist.: OSA 1-2016, f. & cert. ef. 5-5-16

166-017-0035

Digitization Standards

Agency electronic records systems that maintain official copies of public records must meet the following minimum requirements for digitization of paper or microfilm records into the system (as stated in OAR 166, Division 25):

(1) Documents containing fonts ten-point or larger, and containing no signatures, must be scanned at a minimum density of 200 DPI (dots per inch), when converting paper or microfilm records to electronic records.

(2) Documents containing fonts smaller than ten-point, signatures, architectural and engineering drawings, maps and line art must be scanned at a minimum density of 300 DPI.

(3) Cancelled checks must be scanned at a minimum density of 240 DPI grayscale and meet the requirements of ANSI X9.100-140 — Specifications for an Image Replacement Document.

(4) Digitized documents must be verified for accuracy and completeness after digitization and prior to the destruction of the paper or microfilm original.

(5) Scanners must be monitored for quality control. Documentation describing each inspection must be maintained for each digital imaging system and must include the date of inspection, name of inspector(s), group of documents inspected, and sample size (if applicable). Policies and procedures must conform to ANSI/AIIM MS44-R1993, Recommended Practice for Quality Control of Image Scanners and ANSI/AIIM TR25-1995 — The Use of Optical Disks for Public Records which are incorporated by reference and are available from the Association for Information and Image Management, 1100 Wayne Avenue, Suite 1100, Silver Spring, MD 20910.

(6) Targeting for converting microforms to electronic images must be done in accordance with ANSI/AIIM MS44-R1993. Technical targets used must be the IEE Std 167A-1987, Facsimile Test Chart, AIIM Scanner Test Chart #2, and for color images, the Process Ink Gamut Chart. These Charts are available from the Association of Information and Image Management, 1100 Wayne Avenue, Suite 1100, Silver Spring, MD 20910 or from the Archives Division.

(7) A hybrid micrographic system (system combining a micrographic/microfilm analog system with electronic technology) that conforms to OAR 166-025-0021 may be used.

Stat. Auth.: ORS 192.050, 192.060 & 192.105
Stats. Implemented: 357.825(2), 357.855 & 357.895
Hist.: OSA 1-2016, f. & cert. ef. 5-5-16

166-017-0045

Electronic Record as Official Copy of a Public Record

Electronic records (including digital images) may serve as the official copy of a public record under the following conditions:

(1) Public records with a scheduled retention period of less than 100 years may be stored exclusively on electronic records systems and media provided that the standards and requirements specified in OAR 166, Division 17 are met.

(2) Public records with a scheduled retention period of 100 years or more may be stored on electronic records systems provided that the original records are retained in hard copy or on microfilm for the entire scheduled retention period, and in compliance with OAR 166.

(3) Agencies may petition the State Archivist in writing for exceptions to 166-017-0045(2) for public records meeting specific preservation requirements. The petition must specify whether the records are stored in a DoD 5015.2 certified system and state the file format for the records. The State Archivist will either grant or deny the request based on the information provided.

(4) At a minimum, records stored in an electronic format, with a scheduled retention period of 100 years or more must be maintained in accordance with one of the following:

(a) TIFF 6.0 (with Intel byte order) specification (June 3, 1992), which is hereby incorporated by reference and made a part of this rule. This specification is available from Adobe Systems Incorporated, 345 Park Avenue, San Jose, CA 95110-2704.

(b) ISO 32000-1 2008 PDF specification which is hereby incorporated by reference and made part of this rule. This specification is available from Adobe Systems Incorporated, 345 Park Avenue, San Jose, CA 95110-2704.

(c) ISO/IEC 11172-3 1993 MPEG Layer III Audio Encoding (MP3) specification which is hereby incorporated by reference and made part of this rule. This specification is available from the International Organization for Standardization, Geneva, Switzerland.

(d) ISO/IEC 14496-14 2003 MPEG 4 File Format (MP4), Version 2 specification which is hereby incorporated by reference and made part of this rule. This specification is available from the International Organization for Standardization, Geneva, Switzerland.

Stat. Auth.: ORS 192.050, 192.060 & 192.105
Stats. Implemented: 357.825(2), 357.855 & 357.895
Hist.: OSA 1-2016, f. & cert. ef. 5-5-16

166-017-0055

Security Standards

Agency electronic records systems that maintain official copies of public records must meet the following minimum security requirements:

(1) Provide a method for all authorized users of the system to retrieve desired records.

(2) Provide an appropriate level of security to ensure the integrity of the records. Security controls must include, at a minimum, physical and logical access controls, backup and recovery procedures, file integrity monitoring and training for custodians and users.

Stat. Auth.: ORS 192.050, 192.060 & 192.105
Stats. Implemented: 357.825(2), 357.855 & 357.895
Hist.: OSA 1-2016, f. & cert. ef. 5-5-16

166-017-0065

Interoperability Standards

Agency electronic records systems that maintain official copies of public records must meet the following minimum interoperability requirements:

(1) Identify the open format or standard interchange format when necessary to permit the exchange of records on electronic media between agency electronic records systems using different software/operating systems and the conversion or migration of records on electronic media from one system to another. For text records in the absence of other conversion capabilities, the word processing or text creation system must be able to import and export files in the ASCII format as prescribed by Federal Information Processing Standard Publication (FIPS PUB) Number 1-2; entitled Coded Character Sets - 7-Bit American National Standard Code for Information Interchange (7-Bit ASCII) (1986, R2002), which is hereby incorporated by reference, and made a part of this rule. This publication is available from the National Technical Information Service (NTIS), 5285 Port Royal Road, U.S. Department of Commerce, Springfield, VA 22161.

(2) Provide for the disposition of the records including, when appropriate, transfer to the Oregon State Archives in the format requested by the State Archivist.

(3) Electronic records must remain accessible during their entire authorized retention period.

Stat. Auth.: ORS 192.050, 192.060 & 192.105
Stats. Implemented: 357.825(2), 357.855 & 357.895
Hist.: OSA 1-2016, f. & cert. ef. 5-5-16

166-017-0075

Maintenance and Backup Standards

Agency electronic records systems must meet the following minimum requirements to ensure the ongoing maintenance of electronic records:

(1) Electronic storage media must be maintained in an environment with a constant temperature from 65 to 75 Degrees Fahrenheit not to fluctuate more than +/- 5 Degrees and relative humidity not to exceed 50% (ANSI/AIIM TR 25-1995).

(2) Electronic records stored on magnetic media must not be stored closer than 2 inches from sources of magnetic fields, including generators, elevators, transformers, loudspeakers, microphones, headphones, magnetic cabinet latches and magnetized tools. They must not be stored in metal containers unless the metal is non-magnetic.

(3) Storage containers must be resistant to impact, dust intrusion and moisture.

(4) Official copies of electronic records must be maintained by personnel properly trained in the handling of records and associated equipment.

(5) Written policies and procedures must be established and adopted by the agency for external labeling of the contents of disks, tapes, flash or hard drives or other storage media so that all authorized users can identify and retrieve the stored information.

(6) Storage media must be converted, as necessary, to provide compatibility with the agency's current hardware and software, ensuring that information is not lost due to changing technology or deterioration of storage media. Before conversion of information to different media, agencies must determine that authorized disposition of the electronic records can be implemented after conversion.

(7) Electronic records systems must be backed up on a regularly scheduled basis according to written agency policies and procedures to safeguard against the loss of information due to equipment malfunctions or human error.

(8) Backups must be stored and maintained in off-site storage areas meeting the requirements of 166-020-0015, 166-020-0045 and 166-017-0075(1), and must be located in buildings separate from the location of the records that have been copied.

Stat. Auth.: ORS 192.050, 192.060 & 192.105
Stats. Implemented: 357.825(2), 357.855 & 357.895
Hist.: OSA 1-2016, f. & cert. ef. 5-5-16

166-017-0085

Records Retention Requirements

Agencies must develop and adopt policies and procedures to ensure that electronic records are retained and managed as specified in a records retention schedule approved by the State Archivist (166-030-0026 or 166-030-0027). These retention policies and procedures must include provisions for:

(1) Scheduling the retention and disposition of all electronic records, as well as related access documentation and indexes, in accordance with approved records retention schedules developed and authorized by the State Archivist.

(2) Identifying, maintaining and protecting essential records and essential records systems (OAR 166-020-0045).

(3) Establishing procedures for regular recopying, reformatting, and other necessary maintenance to ensure the retention and usability of the electronic records throughout their authorized retention period so that the records remain accessible.

(4) Ensuring that electronic records specified in OAR 166-030-0026(4) are not destroyed without the written permission of the State Archivist.

Stat. Auth.: ORS 192.050, 192.060 & 192.105
Stats. Implemented: 357.825(2), 357.855 & 357.895
Hist.: OSA 1-2016, f. & cert. ef. 5-5-16

166-017-0090

Records Destruction Requirements for Electronic Records

Agency electronic records may be destroyed only in accordance with the provisions of a records retention schedule approved by the State Archivist. Each agency must ensure:

(1) Electronic records which are confidential by law and negotiable instruments (even when cancelled or satisfied in writing) and records that contain sensitive, proprietary, or security information must be destroyed so that the image and confidential metadata are irreversibly non-retrievable, either through electronic or physical destruction as specified below:

(a) Electronic records stored on magnetic media must be degaussed or "bulk erased" and then irreversibly reformatted to ensure the data/information cannot be retrieved.

(b) Electronic records held on optical media may be destroyed by cutting, crushing, shredding, or other physical means of destruction. Rewritable optical disks must be irreversibly reformatted before being disposed of or re-used.

(c) Electronic records stored on hard drives or flash drives of personal computers and servers must be irreversibly reformatted before computers are disposed of. If the agency is unable to determine whether a hard drive or flash drive has been irreversibly reformatted, it must be physically destroyed.

(d) For additional guidance on data sanitation and destruction, refer to NIST SP 800-88, Guidelines for Media Sanitization and DoD 5220.22-M.

(2) Expungement of digital images stored on WORM optical media must conform to the Expungement of Information Recorded on Optical Write-Once-Read-Many (WORM) Systems (TR28-1991) which is incorporated by reference and is available from Association of Information and Image Management, 1100 Wayne Avenue, Suite 1100, Silver Spring, MD 20910 or the State Archives.

Stat. Auth.: ORS 192.050, 192.060 & 192.105
Stats. Implemented: 357.825(2), 357.855 & 357.895
Hist.: OSA 1-2016, f. & cert. ef. 5-5-16

166-017-0095

Use of Alternate Formats and New Technologies for Public Records

(1) If adopting new formats or new technologies for public records, such as text messages, social networking sites, and alternate private email accounts, agencies must ensure all actions comply with the requirements of the Oregon Revised Statutes and the rules found in OAR 166 will be met.

(2) If an agency utilizes private records storage facilities such as cloud storage, the agency must ensure that they maintain ownership of all of the agency’s stored public records.

Stat. Auth.: ORS 192.050, 192.060 & 192.105
Stats. Implemented: 357.825(2), 357.855 & 357.895
Hist.: OSA 1-2016, f. & cert. ef. 5-5-16

The official copy of an Oregon Administrative Rule is contained in the Administrative Order filed at the Archives Division, 800 Summer St. NE, Salem, Oregon 97310. Any discrepancies with the published version are satisfied in favor of the Administrative Order. The Oregon Administrative Rules and the Oregon Bulletin are copyrighted by the Oregon Secretary of State. Terms and Conditions of Use