NAC239.697. Records management program: General requirements.  

     1. The records management program established pursuant to NAC 239.696 must include:

     (a) A directive which establishes the objectives, authority, standards, guidelines and instructions of the records management program.

     (b) Controls for the creation, maintenance, use, security and distribution of the records of the agency to ensure that the agency:

          (1) Refrains from accumulating unnecessary records or gathering information which is not essential to the proper functioning of the agency;

          (2) Adheres to the appropriate schedule developed and approved in accordance with NRS 239.080;

          (3) Refrains from creating any form or report which inefficiently or unnecessarily collects information;

          (4) Annually reviews each of its forms and reports to determine whether the form or report needs to be improved or eliminated;

          (5) Designs and revises each of its forms and reports so that the form or report:

               (I) Is easy to use;

               (II) Is easy to read and process;

               (III) Presents the information in a manner that provides for the easy retrieval of the information; and

               (IV) Refrains from requesting information which is not needed for the proper functioning of the agency;

          (6) To reduce cost, eliminates each unnecessary form and report and limits the distribution of a form or report to only those persons or other governmental agencies which need the information contained on that report;

          (7) Maintains its records in a manner which is cost-effective and which allows for the rapid retrieval and protection of the information contained within that record;

          (8) If the record is recorded by electronic means, provides for the security of the record in a manner which is consistent with established policies, standards and procedures for security and recovery of an electronic record in a disaster as established by the Information Technology Strategic Planning Committee or its successor;

          (9) Establishes a written organized filing system which:

               (I) Is standardized for each of the divisions or bureaus within the state agency; and

               (II) Provides for an ongoing training program in the use of the filing system for the staff of the agency;

          (10) Provides for the transfer of its records which are of research and archival value to the State Archives in accordance with NRS 239.080, 239.085, 239.090 and 378.250 and NAC 239.760; and

          (11) Establishes written procedures for the proper access or denial of access to the public or other governmental agencies to records which have been declared by law to be confidential.

     (c) Written policies and procedures to protect access to and the use of personal identifying information. Such written policies and procedures must:

          (1) Identify the use and need for collecting the personal identifying information in accordance with applicable state and federal law;

          (2) Restrict the access to personal identifying information within the agency to staff authorized to access such information;

          (3) Reduce the exposure of personal identifying information in electronic format in accordance with the policies, standards and procedures established by the Information Technology Strategic Planning Committee or its successor;

          (4) Reduce the exposure of personal identifying information in paper files by never leaving such information unattended by an authorized person except when in a secure storage area;

          (5) Store personal identifying information that is in paper files in a secure manner, including:

               (I) A locked and monitored room;

               (II) A locked file cabinet;

               (III) A locked box; or

               (IV) As otherwise required by a regulation or a law of this State or the Federal Government;

          (6) Create and maintain an access log detailing, for all unauthorized staff, the general public and representatives of other governmental entities, who accessed the personal identifying information, when access was granted and for what purpose the information was accessed;

          (7) Produce and maintain a procedure whereby a file containing personal identifying information must be replaced with an insert which indicates that the file is out, the person who took the file and the date on which the file was removed; and

          (8) Include any requirements of a law of this State and the Federal Government relating to who may access personal identifying information, how such information may be accessed and where access may be granted.

     2. Each state agency shall establish a training program for all staff, to be provided on an ongoing basis, concerning all laws, regulations, policies and procedures relating to accessing, using, maintaining, storing and disposing of personal identifying information.

     3. As used in this section, “personal identifying information” has the meaning ascribed to it in NRS 205.4617.