TITLE 13. CULTURAL RESOURCES

PART 1. TEXAS STATE LIBRARY AND ARCHIVES COMMISSION

CHAPTER 6. STATE RECORDS

SUBCHAPTER C. STANDARDS AND PROCEDURES FOR MANAGEMENT OF ELECTRONIC RECORDS

13 TAC §§6.91 - 6.97

The Texas State Library and Archives Commission adopts repeal of 13 TAC §§6.91 - 6.97, regarding standards and procedures for management of electronic records, without changes to the proposed text as published in the May 26, 2017, issue of the Texas Register (42 TexReg 2795). The repealed rules will be replaced at the same time by the adoption of new rules with updated standards and procedures for management of electronic records.

The repeal will allow the commission to adopt new rules relating to the management, retention and disposition of state agency records in electronic format. In part, the repealed rules are too specific to technology that rapidly changes.

No comments were received regarding the proposed repeal.

Statutory authority for this subchapter is provided in Texas Government Code §§441.189(a), 441.190, and 441.199.

The agency certifies that legal counsel has reviewed the adoption and found it to be a valid exercise of the agency's legal authority.

Filed with the Office of the Secretary of State on August 11, 2017.

TRD-201703096

Nanette Pfiester

Program Planning & Research Specialist

Texas State Library and Archives Commission

Effective date: August 31, 2017

Proposal publication date: May 26, 2017

For further information, please call: (512) 463-5477


13 TAC §§6.91 - 6.98

The Texas State Library and Archives Commission (TSLAC) adopts 13 TAC §§6.91 - 6.98, regarding standards and procedures for management of electronic records, with changes to §§6.92 - 6.95 in the proposed text as published in the May 26, 2017, issue of the Texas Register (42 TexReg 2795) and those sections are republished below. Section 6.91 and §§6.96 - 6.98 are adopted without changes. The adopted rules replace repealed rules with updated standards and procedures for management of electronic records.

The Texas State Library and Archives Commission is adopting rules for the creation, protection, maintenance, preservation and storage of electronic state records. The rules address standards and reflect practices in electronic records management necessary to strengthen state government records management.

Comments were received from two state agency Records Management Officers (RMO) during the comment period. They are in favor of the rules. Comments and responses follow.

Comment: An RMO stated that TSLAC should continue to require visual QC check on every scanned document.

Response: No change. These rules no longer address scanning requirements.

Comment: An RMO stated that the enumeration from section to section is inconsistent. Some sections' main paragraphs are numbered (1), (2), (3), whereas other sections use (a), (b), (c). All sections should be numbered consistently.

Response: No change. If a rule does not have a (b) section, then it is an implied (a) and the sections are numbered (1), (2), (3), etc. at Secretary of State's instruction.

Comment: An RMO stated that §6.92(12) should be changed by deleting "s" after "records" in "records series" and adding a comma between "associated" and "filed."

Response: TSLAC reviewed and changed text to match definition of a records series as cited from §6.1(13). Updated text does not need "s" removed nor does it need a comma.

Comment: Both RMOs stated that in §6.92(15) a definition is provided for "unstructured data" but this term is never used in the rules.

Response: Agency agrees with commenters; definition has been removed.

Comment: An RMO stated that §6.93(1)(G) should be reviewed for clarity.

Response: Agency agrees with commenter; changed in (G) "must" to "shall" and deleted "shall be trained to" in (i) and (ii).

Comment: Both RMOs stated that in §6.93(1)(G)(ii) the term "decision makers" is vague. There is no need to distinguish a "decision maker" from an "end user" unless this term is explicitly defined. Staff at any level can "make a decision": what kind of decision does this refer to? Purchasing decisions? Personnel management decisions and how is this defined?

Response: No change. Any staff may make various decisions and all need to be trained. Each agency's policies can enumerate training levels as needed.

Comment: An RMO stated that in §6.93(2) and (3) TLSAC should fix grammar. Paragraph (1) reads as a list of complete sentences, whereas paragraphs (2) and (3) are sentence fragments.

Response: Agency agrees with commenter; added "An agency's policies and procedure shall" at the beginning of each paragraph.

Comment: An RMO stated that in §6.94(a)(2), (5) and (6) the rules use IT terms that are not defined by rule. TSLAC should provide definitions for the terms "designated community," "cloud computing," "authenticity," "integrity," "reliability," and "usability" to assist agencies in complying with the sections that refer to these terms. TSLAC should plan on releasing guidelines (pursuant to §6.96) that explain how agencies would be expected to maintain ownership/responsibility of data that is typically owned by 3rd-party services.

Response: No change. The agency is determined to minimize definitions referenced to outside standards. TSLAC will instead include terms in companion materials.

Comment: Both RMOs stated that in §6.94(a)(8) TSLAC should fix the grammar in (a)(8), which reads "Each state agency must do not use system backups" and delete the word "do."

Response: Agency agrees with commenters; change beginning to "ensure that system backups" and add "are not used" before "to satisfy."

Comment: An RMO stated that in §6.95(1)(A)(ii)(III) agency security considerations may supersede an agency's ability to provide TSLAC with a full folder structure.

Response: No change. TSLAC determined that the Archives division only needs file folder structure of what is transferred to the Archives and not security details. Work with Archives on a case-by-case basis.

Comment: An RMO stated that in §6.95(1)(B) TSLAC needed to review for clarity; it is quite awkwardly worded. Texas Government Code 441.186(e) was meant to be a contingency for records that TSLAC could not accept because they were electronic. The way it reads now, it requires this level of documentation for records by assuming that TSLAC can't accept them. Is this not be the case with the TDA?

Response: No change. Applies to archival electronic records in agency custody as in GC §441.186(e). This section is based on statute. Even with the Texas Digital Archives, there may be situations when TSLAC cannot accept certain electronic archival records.

Comment: An RMO stated that §6.95(1)(B)(iv) should be revised as it currently reads "the state agency must Redacted records are not…" and this does not follow the form of the others.

Response: Agency agrees with commenter; changed to follow on from the "agency must" in (B) to say "not redact the record copy but may store redacted copies with the record copy."

Comment: Both RMOs stated that in §6.95(2)(A)(i) the rules should cite the specific statutes than an agency would be expected to consult; it is inappropriate for administrative rules to include the phrase "Check the statutes." and consider rewording--"Check the statutes" seems strangely informal.

Response: Agency agrees with commenters; changed to "Refer to Government Code Chapter 441."

Comment: An RMO stated that §6.96 seems to remove some of the authority of these guidelines. Does TSLAC Legal feel that these guidelines hold the same weight as the rest of the requirements in the TAC?

Response: No change. Future guidelines will have to be reviewed individually to identify which may need to be adopted as formal rules.

Comment: An RMO stated that §6.97(c) only applies to confidential information, but this implies that it applies to all electronic records.

Response: No change. Does not only apply to confidential information. DIR offers information on: Sale or Transfer of Computers and Software and in the Security Controls Catalog, including Item MP-6.

The new sections are adopted under the authority of Texas Government Code §§441.189(a), 441.190, and 441.199 that provide the Commission the authority to establish standards and procedures for management of electronic records.

Statutory authority for this subchapter is provided in Texas Government Code §§441.189(a), 441.190, and 441.199.

§6.92.Definitions.

The following words, terms, acronyms, and concepts when used in this subchapter, shall have the following meanings, unless the context clearly indicates otherwise. Terms defined in Texas Government Code §441.180 shall have the meaning assigned by statute.

(1) Archival state record--Archival state record has the meaning as defined in Texas Government Code §441.180(2).

(2) ARIS--Archives and Information Services division of the commission.

(3) Digital Rights Management--Various access control technologies that are used to restrict usage or access of proprietary hardware, software, or copyrighted works by controlling the use, modification and distribution of records, as well as systems within devices that enforce these policies.

(4) Electronic state record--Information that meets the definition of a state record in the Texas Government Code §441.031 and §441.180, and is maintained in electronic format for computer processing, including the product of computer processing of the information. Any state record may be created or stored electronically in accordance with standards and procedures adopted as administrative rules of the commission as authorized by Texas Government Code §441.189.

(5) Essential state record--See Vital state record.

(6) Final disposition--Final processing of state records by either destruction or archival preservation by the commission, by a state agency, or by an alternate archival institution as permitted by Texas Government Code Chapter 441, Subchapter L and 13 TAC §6.1(10).

(7) Information systems--The combination of information, technology, processes, and people brought together to support a given business objective.

(8) Institution of higher education--SEE State agency.

(9) Metadata--Data that summarizes basic information about a record, and which can facilitate tracking, locating, verifying authenticity, or working with specific records or data. Examples include but are not limited to author, date created, date modified, file extension, and file size.

(10) Migration--In a computer environment, the act of moving data or records in electronic form from one hardware or software system or configuration to another so that they may continue to be understandable and usable for as long as they are needed.

(11) Records management program--The program of a state agency undertaken on a continuing and active basis (i.e. not a project) to apply management techniques to the creation, use, maintenance, retention, preservation, and destruction of state records as required by Texas Government Code §441.183.

(12) Records series--A group of identical or related records that are normally used and/or filed together, and that permit evaluation as a group for retention scheduling purposes as defined in 13 TAC §6.1(13).

(13) State agency--State agency has the meaning as defined in Texas Government Code §441.180(9).

(14) Structured data--Data that resides in fixed fields within a record or file. Relational databases and spreadsheets are examples of structured data.

(15) Vital state record--Vital state record has the meaning as defined in Texas Government Code §441.180(13).

§6.93.Policies and Procedures.

State agency heads or designees shall approve and institute written policies and procedures that communicate an enterprise-wide approach for electronic state records management practices, and that create accountability and auditability for the execution of these policies and procedures. Refer to Guidelines (§6.96) for recommended electronic records management best practices and standards to satisfy requirements specified under this subchapter.

(1) An agency's policies and procedures required by this section shall include these elements:

(A) Establish a component of the agency's active and continuing records management program to address the management of electronic state records that includes the management of electronic state records created, received, retained, used, transmitted, or disposed of electronically, including those electronic state records in the possession of the state agency, vendors, or other third parties (i.e., telecommunication, social media, etc.);

(B) Integrate the management of electronic state records with other records and information resources management programs of the state agency;

(C) Incorporate electronic state records management objectives, responsibilities, and authorities in pertinent state agency directives;

(D) Address electronic state records management requirements, including retention requirements and final disposition;

(E) Address the use of new technologies adequate to fulfill the agency's duty to identify, manage, retain, and make final disposition of electronic state records;

(F) Ensure transparency by documenting in an open and verifiable manner the processes and activities carried out in the management of electronic state records; and

(G) Require that records management concepts and requirements be included in agency training on information systems and resources. Also, an agency's information resources personnel shall receive training on records management issues as they relate to electronic information systems, electronic mail systems, the operation, care, and handling of information, and the hardware, software, and media used to ensure that:

(i) Information resources personnel understand the records management implications of selecting, purchasing, developing, installing, deploying, modifying, and retiring technology hardware, software, etc.; and

(ii) Decision makers and end users understand their responsibilities to create, protect, and manage electronic state records anywhere.

(2) An agency's policies and procedures shall adhere to 1 TAC 202 requirements regarding security programs; and

(3) An agency's policies and procedures shall follow privacy requirements for information that must be protected from unauthorized use or disclosure as required by applicable state or federal law (e.g. constitutional, statutory, judicial, and legal agreement requirements).

§6.94.Minimum Requirements for all Electronic State Records.

(a) Each state agency must:

(1) Manage electronic state records according to the state agency's records management program and certified records retention schedule regardless of format, system, or storage location;

(2) Maintain state agency ownership and responsibility for state records regardless of where the record originates or resides, including but not limited to cloud computing services and social media sites;

(3) Develop and maintain up-to-date documentation about electronic records systems adequate to identify, retain, read, process, or migrate the records and ensure the timely, authorized final disposition of electronic state records;

(4) Ensure that electronic state records remain readily retrievable and readable for as long as they are maintained by the state agency by migration or by maintaining any software, hardware, and documentation required to retrieve and read the electronic state records;

(5) Maintain descriptive and technical metadata required for electronic state records to be fully understandable by the appropriate designated community, including metadata necessary to adequately support the authenticity, integrity, reliability, and usability as well as the preservation of a record;

(6) Preserve the authenticity, integrity, reliability, and usability of the records;

(7) Ensure that electronic state records are readily retrievable and readable independently of other records in the information or storage system;

(8) Ensure that system backups that are required for disaster recovery are not used to satisfy records retention requirements unless indexed for ready retrievability and tested on a regular basis; and

(9) Require all third-party custodians of records to provide the state agency with descriptions of their business continuity and/or disaster recovery plans as regards to the protection of the state agency's vital state records.

(b) Any technological component for electronic state records developed, used, or acquired by a state agency must meet the following requirements:

(1) Support the state agency's ability to meet the minimum requirements in subection (a) of this section to preserve and make readily retrievable and readable any electronic state record or to extract or migrate the record in as complete a form as possible for its full retention period; and

(2) Provide security to ensure the authenticity of the records in accordance with 1 TAC 202 regarding security programs.

§6.95.Additional Record Requirements for Archival, Permanent, and Vital Electronic State Records.

In addition to the minimum requirements in §6.94, the following requirements apply to electronic state records that are archival for the State Archives, archival for an agency archives, permanent, and vital:

(1) Archival for the State Archives: Archival electronic state records indicated by records series that are marked with "A" (Archival) or "R" (Archival Review) codes in the state agency's certified records retention schedule, must be:

(A) Offered to the commission for review or transferred to the custody of the commission when retention requirements are met, the administrative need of the state agency ends, or earlier as required and in accordance with Texas Government Code §441.186, unless the law requires the records to remain with the state agency. A transfer or review must include the following:

(i) The state agency must contact the commission to coordinate transfer or review of the archival electronic state records;

(ii) Each records series to be transferred must contain, at minimum, the following metadata:

(I) Series title (from records retention schedule);

(II) Inclusive dates covered by the transfer;

(III) Arrangement (folder structure) of the records in the transfer;

(IV) File format(s) represented;

(V) Creating application; and

(VI) Date of last modification;

(iii) Each individual record transferred must include, at minimum, the following metadata:

(I) Title or subject;

(II) Creator (could be a person, office, division, and/or state agency); and

(III) Date of creation;

(iv) Metadata must be embedded in the records or provided in a separate file at the time of transfer;

(v) The state agency must maintain the integrity of the record through use of checksums on each record transferred;

(vi) The state agency must remove any encryption or other Digital Rights Management prior to transfer or provide the commission with method(s) for doing so; and

(vii) The state agency must follow procedures published on the commission's website for transferring or reviewing archival electronic state records.

(B) Identified as archival electronic state records in the custody of the state agency because the commission cannot immediately accept custody of the records in accordance with Texas Government Code §441.186(e) and the state agency must:

(i) Maintain documentation for the operating environment in which the records were created or are being maintained;

(ii) For structured data, also maintain all metadata required to understand the structure of the records;

(iii) Store records in standard formats as identified in procedures published on the commission's website, or else:

(I) If business requirements necessitate use of non-standard formats, the records must be converted to standard formats before transfer to the commission or before going into long-term storage; and

(II) If the records are stored in a proprietary system, the state agency must retain all licenses required to access records;

(iv) Not maintain redacted records as the record copy, but may store redacted records with the record copy; and

(v) Follow the commission procedures published on the commission's website for storing archival electronic state records until transfer to or review by the commission.

(2) Archival for agency archives: For archival electronic state records indicated by records series that are marked with "A" or "I" (Archival) or "R" or "O" (Archival Review) codes in the state agency's certified records retention schedule.

(A) This paragraph applies to:

(i) The small number of agencies which are allowed by statute to maintain a state agency archive instead of transferring their archival state records to the commission. Refer to Government Code Chapter 441 and confirm with the State Archives before implementing a state agency archives; and

(ii) Archival electronic state records described in records series marked as "I" (Archival) or "O" (Archival Review) in a university's certified records retention schedule, which must be transferred to or reviewed by the university's archives.

(B) Each state agency must:

(i) Have policies and procedures to properly identify, maintain, migrate, and preserve archival electronic state records; and

(ii) Adhere to the requirements listed in paragraph (3) of this section and as issued in commission guidelines.

(3) Permanent: Electronic state records with permanent retention periods but that are not archival ("A", "I", "O" or "R") on the state agency's certified records retention schedule:

(A) Must meet the requirements listed in paragraph (1)(B) or (2) of this section, as applicable;

(B) Must be documented and migrated when necessary to ensure that they remain permanently accessible and readable; and

(C) May be indexed and converted to microfilm for permanent retention.

(4) Vital: Vital electronic state records must be included with special provisions in state agency records management policies and procedures and the state agency records management program and the state agency must:

(A) Identify records series containing vital electronic state records on the state agency's certified records retention schedule;

(B) Create written policies for the protection of vital electronic state records in all formats and storage locations;

(C) Create written disaster recovery procedures for accessing vital electronic state records during a disruptive event;

(D) Address vital electronic state records in continuity of operations, business continuity, and/or disaster recovery plans as part of the state agency's overall continuity program, as required in Texas Labor Code §412.054; and

(E) Require all third-party custodians of records holding records on behalf of the agency to provide the state agency with descriptions of their business continuity and/or disaster recovery plans as regards to the protection of the state agency's vital electronic state records.

The agency certifies that legal counsel has reviewed the adoption and found it to be a valid exercise of the agency's legal authority.

Filed with the Office of the Secretary of State on August 11, 2017.

TRD-201703077

Nanette Pfiester

Program Planning & Research Specialist

Texas State Library and Archives Commission

Effective date: August 31, 2017

Proposal publication date: May 26, 2017

For further information, please call: (512) 463-5477