What’s the difference between Records Management and Privacy, Risk & Security?

Training module 4, Classification and Retention Schedules

Survey respondents asked us what the difference is between Records Management and Privacy, Risk and Security. Great question! The lines between the two functions can seem blurry, and it is true that we share “synergies,” and sometimes coffee! Hopefully the differences will be clear by the end of this post.

Records Management, and Privacy & Information Security (PrISM) offices manage different but interconnected functions.

  1. Records Management Office: Mandated by Board of Governors Policy GA4 to create retention schedules defining how long records in any format should be kept and when they should be destroyed or sent to University Archives. We also manage the off-site records storage program, and we work with units to improve their recordkeeping through governance projects.
  2. Privacy & Information Security (PrISM SRS): Under the Freedom of Information and Protection of Privacy Act (FIPPA), the University is required to conduct privacy impact assessments (PIAs) for initiatives involving personal information. The PrISM SRS team, authorized by the Office of the University Counsel, conducts these assessments.

What is a PIA, you ask?

A PIA evaluates the handling of personal information (PI), defined as any recorded information about identifiable individuals, excluding names and business contact information of employees, volunteers, and service providers. The scope of a typical PIA includes:

  1. Verifying the University’s legal authority to collect, use, and disclose PI.
  2. Ensuring the collection, use, and disclosure of PI is consistent with legal requirements.
  3. Assessing the system where PI is stored and processed to ensure its compliance with FIPPA and its overall alignment with UBC’s information security standards.
  4. Confirming PI is not kept longer than necessary and is associated with a UBC retention schedule.

Further, PrISM SRS is concerned with the security measures that protect UBC systems, keep records secure and keep those systems functioning. It does this through the PIA and Security Threat Risk Assessment process, and also through UBC’s Compliance Support process.

How are these two functions intimately connected?

The short answer is through records. Both functions seek to manage human and technological behavior in creating, handling, securing, storing, and managing university records. Knowing how long records must be retained, who can access them and when they should be destroyed is crucial in protecting privacy and improving both data quality and data security.

Both units care about adherence to the university’s records schedules because when staff keep records around “just in case,” the university holds more data than it needs: every extra record is one more record that can be exposed in a data leak and one more record that must be searched and reviewed when a Freedom of Information request arrives. The Records Management Office and PrISM SRS work separately and together to help units better manage records.

Further reading:

Information Security Fact Sheet

Security Classification of UBC Electronic Information

Training – University Records Management Office

https://privacymatters.ubc.ca/

https://srs.ubc.ca/training/privacy-information-security/

https://privacymatters.ubc.ca/training

https://universitycounsel.ubc.ca/subject-areas/access-and-privacy-general/useful-resources/