Joint Records Conservation Board/Supervisor of Records Bulletin 01-21
To: Agency and Municipal Public Records Custodians and Records Access Officers (RAOs)
Subject: Security and Custody of Records
Expiration Date: Until superseded
Purpose: This joint bulletin provides guidance and requirements for security and custody of agency and municipal records created within, as well as outside of, agency and municipal offices.
Background
Agency and municipal records custodians and RAOs have a fundamental obligation to provide secure storage for their records and make them accessible to the general public. When public business is conducted outside of agency or municipal offices, this may lead to situations where records are used and stored outside the premises of a government building in unsecured spaces (including electronic records used in teleworking), leading, in some instances, to alienation of the record. In some instances, original records are created outside of, or removed from, a government building by a records custodian and stored in a private home or office. Such practices may jeopardize the security and accessibility of the records and hinder proper records management procedures.
Findings
The Records Conservation Board (RCB) has the authority to require agencies to report to it what series of records they hold, to set standards for the management and preservation of such records, to establish schedules for the destruction of agency records and approve destruction permissions from agencies. See G. L. c. 30, § 42.
The Supervisor of Public Records is responsible for seeing that the records of the Commonwealth, counties, cities and towns are put in the custody and condition required by law and securing their preservation. See G. L. c. 66, § 1 (the Supervisor's responsibility to ensure preservation of the records of the Commonwealth, counties, cities and towns).
Agency and municipal officials are responsible for the safekeeping of records in their custody. See G. L. c. 66, §§ 11 and 12. Therefore, the RCB and Supervisor jointly direct public officials to take the following actions to provide security for and access to public records.
Actions
- Agency and municipal officials are required to implement sufficient internal controls to manage records in any medium, including compliance with the Records Management Guidance, the Electronic Records Management Guidelines (PDF), and the applicable Records Retention Schedules (PDF). Note that Agencies and Municipalities that receive federal funds, including federal disaster relief funds, may have additional records management and retention responsibilities as a condition of receipt of funds as recipients or sub-recipients, as well as grantees of these funds.
- Whenever original public records are removed from an agency or municipal office by a records custodian, or by any authorized user who shall be considered a custodian, for use in the regular course of business in a private office or home, including electronic records used in teleworking, records shall be stored in fire resistant devices and safes provided by the municipality, or in a secure electronic medium with appropriate encryption or other safeguards.
- If a custodian cannot ensure fire resistant storage outside the municipal building, or for electronic records a secure electronic medium with appropriate encryption or other safeguards, then no original records may be removed. However, the custodian may create copies of records for use in a private office or home.
- Whenever original records are created outside agency or municipal offices, these records shall be transferred on a regular and frequent basis to secure storage in the agency or municipal building or authorized repository. If secure storage is available in the custodian's private office or home, then copies of records shall be made and stored in the agency or municipal building or authorized repository.
- Whenever officials relinquish their position, they shall deliver over to their successor all such records that they are not authorized by law to retain. See G. L. c. 66, § 14.
- Agency or municipal officials who store records in electronic repositories, either locally in agency or municipal buildings, or in off-site repositories, including cloud storage, must store these records in accordance with applicable Commonwealth Enterprise Security Standards (Agencies) or National or Municipal security standards (municipalities) and are required to manage or ensure that any third party hosting the repositories complies with these necessary cybersecurity controls to protect records from theft, ransomware, loss, destruction or other violations of the records management requirements.
- In the event of an emergency or disaster event (e.g., hurricane, flooding, blizzard, terrorist attack, pandemic) records custodians should presume that records created that relate to that event should be retained for historical, public health or safety purposes beyond prescribed records retention schedules. Records that may appear to be Administrative Use Records may be relevant as these events are reviewed after the event has been remediated. If applicable, retain records until additional guidance is provided either by the Records Conservation Board or the Supervisor. Agency and municipal officials should expect to be audited by state and federal authorities related to any event and should retain records accordingly.
Questions regarding maintenance of records should be directed to:
Records Management Unit
Massachusetts State Archives at Columbia Point
220 Morrissey Blvd.
Boston, MA 02125
Phone: 617-727-2816
Fax: 617-288-8429
Email: recman@sec.state.ma.us
www.sec.state.ma.us/arc/arcrmu