Policy Statement

Ramapo College ensures the secure scanning, storage, and disposal of paper documents—including those containing Personally Identifiable Information (PII).

Reason for Policy

It is the responsibility of the College to ensure the secure scanning, storage, and disposal of paper documents, including those containing Personally Identifiable Information (PII). This policy establishes the standards and procedures necessary to safeguard sensitive information, maintain compliance with applicable data protection regulations, and uphold internal records retention and information security requirements.

This policy does not supersede Policy 642 Records Retention or the State of New Jersey record retention and disposition requirements.

To Whom Does the Policy Apply

This policy applies to all College departments that scan, store, or manage documents—particularly those containing sensitive or confidential information—using enterprise systems, including but not limited to Banner and its Document Management module.

Contact

Information Technology Services

Supplemental Resources:

• Procedure 412: Secure Handling & Disposal of Documents
• Policy 642: Records Retention
• Policy 410: Data Protection (PII)

I. Banner Document Management (BDM) Record Guidelines

These guidelines apply to records scanned into Banner Document Management (BDM), the College’s official document management system. As a rule of thumb when using BDM, consider the value and relevance of each document before scanning. If a document is unlikely to be referenced again and there is no legal or regulatory requirement to retain it, it may not be necessary to scan it into the system. Only documents that serve a clear business, compliance, or archival purpose should be stored in BDM.

a. System of Record

• Once a document is successfully scanned into BDM, it becomes the institution’s official system of record for that document. This aligns with the purpose of BDM as an enterprise records management system designed for secure, compliant document storage.

b. Document Validation

• Prior to uploading, staff must ensure that the scanned document is authentic and complete.
• All required signatures are obtained and are legible.
• Documents must include all required fields and identifiers (e.g., student ID, employee name, date).
• If a document is incomplete or questionable, consult with the appropriate department before uploading.

c. Redaction and PII Handling

• Personally Identifiable Information (PII) that is not required for the business purpose or system function should be removed prior to scanning, uploading, or attaching, with the exception of retaining only the last four digits of a Social Security Number or R Number, if necessary.
• Departments must use care when handling documents that contain PII to prevent unauthorized disclosure.
• Scanners and users should follow all data security protocols when managing sensitive information.

d. Scanning and Uploading Standards

• Documents must be scanned via your unit’s designated BDM scanner only.
• Preferred file format is PDF; mobile device scans may use JPEG when appropriate and approved.
• Ensure scanned or uploaded images are complete, legible, clear, and properly aligned.
• Validate that the number of pages scanned matches the physical document.

e. Storage Restrictions

• Documents scanned, attached, or uploaded to BDM must not be stored separately on local drives or personal folders.
• Temporary copies can be retained only as needed for the upload process and can be deleted once the document is successfully stored in BDM.

f. Retention and Disposal

• Because documents stored in BDM become the official record of that document, any hard and electronic copies of documents scanned, attached, or uploaded to BDM should be retained for at least one business day, unless otherwise instructed, to ensure they are captured in the College’s backup process. Afterwards, the documents may be disposed of—either through shredding or file deletion—in accordance with the Records Retention Policy, which varies by document category. Documents uploaded to BDM and stored within the Banner system are centrally backed up; therefore, retaining permanent hard copies is not required.
• Disposal of electronic records will follow State of New Jersey record retention and disposition requirements.

g. Security and System Standards

• System access must be tied to individual user accounts; shared accounts are prohibited unless explicitly approved by the system owner with appropriate logging and accountability in place.
• When an employee departs from a department, the unit manager is responsible for terminating (or notifying ITS to terminate) their access to all scanning and document management systems or devices.

II. Scanning Guidelines for Non-BDM Related Documents

These guidelines apply to non-BDM related activities, such as saving files on shared network drives, cloud drives, saving files from email, etc.:

• If the original document is electronic, it can be saved onto the network drive, which is backed up once a day.
• If the original document is on paper, the paper copy must be retained even if it has been scanned and saved to the network drive.
• Scanned copies (e.g., PDFs) can be modified and are not considered the official record.
• For security reasons, files should not be saved on desktop or local computer folders (folders that are not on the network drive). As an example, if a computer crashes, any locally stored data will be lost, as desktop storage is not backed up.

Security and System Standards

• Devices such as network-connected scanners, printers, fax machines, and copiers may store digital images of scanned documents. These devices should be configured to automatically delete stored data or must be manually cleared on a regular basis, or if the data should remain, the device must encrypt the data.
• Departments are encouraged to implement or request automatic memory wipe settings on multifunction devices (i.e. printers) where feasible, if not already done so by default.

III. All Documents: Legal and Regulatory Alignment

All files—regardless of where they are stored, presented, or accessed—must comply with all applicable federal, state, and institutional regulations governing the handling of sensitive and protected information. This includes, but is not limited to:

• FERPA (Family Educational Rights and Privacy Act)
• HIPAA (Health Insurance Portability and Accountability Act)
• GLBA (Gramm-Leach-Bliley Act)
• State Records Retention Laws
• Public Records Requests and Litigation Holds

Departments are responsible for ensuring that any documents scanned, uploaded, or attached into College systems are managed in compliance with these legal requirements. For this reason, each office should develop the processes, procedures, and policies to support Banner Document Management. For guidance on how specific laws or regulations apply to a particular office’s records, or for assistance interpreting retention or access issues, please contact the Records Custodian or the Office of the General Counsel.

IV. All documents: Disposition

All records—whether in BDM, scanned, or other formats—must comply with the State of New Jersey’s record retention and disposition requirements. See Policy 642: Records Retention.