SOAS University of London

Freedom of Information Staff Guide: Records Management and FoI

  1. The need for records management
  2. Things to consider when creating records
    1. Is the record complete and accurate?
    2. Is the record relevant?
    3. Are personal comments justifiable?
    4. Have agendas and minutes taken account of FoI?
  3. Things to consider when holding/keeping records
    1. Maintain a clear distinction between your personal files and departmental files
    2. Organise your records according to a filing scheme which reflects your business functions and activities
    3. Don't keep records for longer than necessary - but destroy them in an orderly way
    4. Keep records secure
    5. Contact the Information Compliance Manager if you need assistance
1. The need for records management 

In order for SOAS to meet its obligations under the Freedom of Information Act and the Environmental Information Regulations, it is essential that we manage our records effectively. The reasons for this are not difficult to understand:

  • We have to be able to find information when it's requested. If it subsequently emerges that we held the information but failed to release it because we were unable to locate the relevant records, that will be both embarassing and, strictly speaking, a breach of the legislation.
  • Information should not be kept for longer than necessary. The Freedom of Information Act and the Environmental Information Regulations apply to old and defunct records as well as current information. Keeping records for longer than necessary increases the School's liability under FoI and EIR.

Good records management is also essential for business efficiency, and to meet the requirements of other legislation. For example, the General Data Protection Regulation (GDPR) and the Data Protection Act (2018) together lay down strict rules on how information about living individuals should be managed: personal data must be kept secure and up-to-date, and must not be retained for longer than is required for the purpose for which the data were gathered (for further information on data protection law, see the School's Data Protection Policy). The School's effectiveness will be impeded and operating costs increased if we are unable to find vital information, if information is duplicated unnecessarily, or if records are retained in filing cabinets and storage areas beyond their useful life span.

The link between information rights and information management is recognised by the legislation. The government has issued a Records Management Code under the Freedom of Information Act stipulating the policies, procedures and systems which public authorities are expected to have in place to manage their records in accordance with FoI. Although it is not legally binding, we are expected to abide by the Code. If a public authority conspicuously fails to do so, the Information Commissioner can investigate its practices and can issue a Practice Recommendation specifying what it should do to come up to the standard. Further advice on meeting the standards recommended in the Code of Practice on Records Management has been published by the ICO: ICO Guide to Section 46 of FOIA - Records Management

SOAS has developed a Records Management Policy to meet the requirements of the government's code of practice. The policy overlays the records management programme at SOAS which will include periodic information surveys (roughly every four years) of the School to locate important series of records, gather information about them and use that information to develop records management standards and tools. As training and detailed guidance on records management is developed, it will be placed on the School's Records Management web pages. This page will supplement these resources by flagging up issues particular to Freedom of Information, Environmental Information and Data Protection which need to be considered when creating and keeping records. For the purpose of this guidance, a "record" is any form of recorded information in any format - that is, the type of information which can potentially be the subject of an information request.

2. Things to consider when creating records 

Remember, above all, that:

  • The information could be requested under the Freedom of Information Act or the Environmental Information Regulations. If no valid limit or exemption applies, it will have to be released.
  • If the information relates to an individual, that person may gain access to it under data protection law.
  • Details could be released many years later, at a time when you won't be available to explain why things were done the way they were.
  • Release of information which shows the School's employees making inappropriate comments will be embarassing, and could result in legal action.

Record creation needs to be carried out responsibly, and with a view to the possibility that the information may eventually pass into the public domain. This section gives guidance on some questions relating to the creation of records that raise particular concerns.

2.1 Is the record complete and accurate? 

Records need to present a complete picture of the events, decisions or actions which they document. If the information is incomplete, it may be difficult to understand when or why something happened, how a decision was made, or the chain of events leading up to an action. This not only reduces the effectiveness of the record - it could also lead to confusion, suspicion or unjustified allegations if the information has to be released. It's therefore important that files and other records should contain all of the information which is relevant for the purpose for which the record was created.

Emails can be a particular problem, as it can tempting to treat them as ephemeral and to fail to save them in a secure format. Emails are a form of correspondence just like letters or memoranda; some are ephemeral, but others may show the process of vital decision making. Relevant emails either need to be preserved alongside the other electronic documents relating to a particular subject, or printed out and added to the file if you keep records primarily in paper form.

2.2 Is the record relevant? 

Completeness and relevance are opposite sides of the same coin. Records should contain no more than the information which is necessary for the purpose for which the record was created. Extraneous information should not be added. Files tend to stray from their subject matter over time; to avoid this, create a new file rather than adding papers to a file to which they are not directly related. Files should be created for a clear, specific topic, and information only added which relates to that topic.

As a general rule, only the final form of a document should be retained on file - draft documents should be destroyed once the final document has been approved. Keeping drafts can cause confusion, particularly if it is not clear what is the draft and what is the final form. The only exception to this is drafts relating to major policy decisions or major projects, where there may subsequently be a need to trace significant changes in approach. Where drafts must be retained, follow the SOAS guidance on Filing Electronic Records which is available on the MySOAS Records Management page.

2.3 Are personal comments justifiable? 

Care should always be taken when expressing personal opinions in documents, particularly opinions about other individuals. Expressions of opinion about an individual and of intentions towards them are personal data, and may have to be disclosed to that person under the Data Protection Act. The following are some points that you should consider before including your personal views in a letter, email or other communication:

  • Make sure that your comments are relevant. For example, if a request for a reference asks you to answer certain questions, do not volunteer opinions or views that go beyond those questions. Do not express opinions just for their own sake.
  • Keep a clear distinction between matters of fact and opinions - do not express opinions as if they were facts. "I believe that he is a good employee" is clearly an opinion, but "he is a good employee" is a statement of fact.
  • Do not express opinions which you cannot defend on the basis of evidence or facts. If challenged, you should be prepared to produce something to demonstrate the validity of your opinion.
  • Do not express opinions which overreach your area. Avoid offering your view about subjects which you are not qualified to speak about, or about which you do not have all the facts.
  • If you find yourself writing something in anger - stop and reflect. Hasty responses sent in anger can be a particular problem with emails. Remember that defamatory comments made in an email are just as embarassing and actionable as comments made in a letter.
  • Insulting and derogatory comments, and personal attacks on individuals or groups are unacceptable in any context - and may lead to disciplinary action. Such comments are likely to contravene the School's Harassment Policy, and other policies and codes of conduct, and will not be tolerated.
2.4 Have agendas and minutes taken account of FoI? 

Agendas and minutes can potentially be the subject of requests under the Freedom of Information Act, the Environmental Information Regulations or the Data Protection Act. Since much committee business is routine and non-contentious, it is in the School's interests to publish agendas and minutes as far as possible, to reduce the likelihood of information being requested. 

Agendas and minutes are often divided into "open" and "reserved" items, based on sensitivity. This can be a very useful way of helping the School to meet its obligations under information rights legislation, if it is done with Freedom of Information and Environmental Information in mind. In particular:

  • "Open" items should cover non-sensitive information which would be released if it was the subject of a Freedom of Information or Environmental Information request. This will make it easier to publish open agendas and minutes, e.g. on the website.
  • "Reserved" items should cover information which would usually be exempt under the Freedom of Information Act or Environmental Information Regulations. This information will not be published. Reserved agendas and minutes can still be requested under FoI and EIR, but are less likely to be released (and requests will be dealt with on a case by case basis).

Guidance has been developed to help committee secretaries divide agendas and minutes into open and reserved business, taking into account Freedom of Information and Data Protection considerations: see Freedom of Information and Data Protection: Guidance for Committee Servicing. Further guidance is available in Role of a committee secretary.

Open minutes and agendas of Governing Body and other School committees are published on the Committees pages of the SOAS website (initially restricted to staff only for one year), and are included in the School's Freedom of Information Publication Scheme.

3. Things to consider when holding/keeping records 

Detailed guidance and procedures on record keeping will be developed by the School and disseminated to staff on the Records Management web pages and on the staff intranet (see 1. The need for records management). This section provides some common sense advice on record keeping issues that, if followed, will help the School to meet its obligations under information legislation.

3.1 Maintain a clear distinction between your personal files and departmental files 

Everyone keeps their own personal files, and there’s nothing wrong with that provided you aren't filing away information which your colleagues may also need to access. Keeping 'group' information in personal files presents a number of problems:

  • Your colleagues are less likely to be aware of the existence of the information or to benefit from it.
  • It will be harder for others to carry on your work or answer information requests when you are away.
  • Personal filing systems encourage duplication (everyone keeps copies of the same thing), and hence inefficiency.

Personal files should be primarily reference material and 'works in progress' (e.g. drafts). As a general rule of thumb, if the file relates to something which other people may need to know about, keep it in a common filing system which you share with other people in your department rather than with your own papers.

You may wish to keep sensitive information on the staff you manage in your personal files. This is perfectly fine, and appropriate considering the confidentiality obligations you have as a manager, but please pay due regard to the SOAS retention schedule, particularly the section relating to retention of personnel information, and destroy records when they are no longer needed.

3.2 Organise your records according to a filing scheme which reflects your business functions and activities 

A subject classification scheme based on the business functions which your department carries out, and the activities relating to those functions, is the recommended way of organising paper files - and can also be applied to electronic folders. SOAS's Retention Schedule organises the policy information and appropriate actions for different categories of records according to a functional classification scheme which fits the School's functions and activities. At the highest level are functions, then principle areas of activity within each function, followed by broad record types. Directorates and Departments should follow this 'top-down' approach when arranging their own file plans, starting with the main functions covered by the service and cascading down through activities to the individual groups of records. It is advisable to keep the number of layers in file plans to the minimum possible to aid information discovery, and four is generally advised as the number to aim for (Function - Activity - Sub-Activity/Transaction type - Record)

3.3 Don't keep records for longer than necessary - but destroy them in an orderly way 

Keeping information for longer than is required increases the School's liability under Freedom of Information, and will be contrary to the second principle of the GDPR if the information is personal data (see 1. The need for records management). At the same time, in order to avoid allegations of improper destruction or "covering up", it is important that records are destroyed according to established procedures rather than on an ad hoc basis. This will also ensure that records which do have long-term or even historical value are preserved and not destroyed by mistake.

A Records Retention Schedule has been developed for SOAS covering the School's major series of records, i.e. focusing on those which the School generates in large quantities. The schedule specifies how long classes of records should be kept and what happens at the end of the record's retention period, as well as detailing the regulatory or legal basis for the retention period, the location of the records, and the level of restriction. The retention schedule will be reviewed and updated every four years using the information gathered during the information surveys. It is based in part on the model Records Retention Schedule which has been developed by the JISC as a benchmark for the HE sector (the Schedule is organised according to the JISC's model Business Classification Scheme - see 3.2). Advice on records retention is available from the Records Manager and Archivist (see 3.5).

3.4 Keep records secure 

Records which may contain sensitive or confidential information need to be protected from unauthorised access. This is particularly important where the information consists of personal data about individuals, as data protection law requires us to protect personal data against unauthorised access or accidental loss or destruction.

Staff should follow these principles when considering information security:

Physical records (paper, CD, microfilm, photographs etc.)

  • Keep records in locked filing cabinets, and make sure offices and store rooms containing records are locked when unattended.
  • If you need to send records containing 'Special Category' personal data (see link for GDPR definition) or other sensitive information (commercial or financial), to another part of SOAS, it is preferable to deliver to the recipient by hand in person. If sending outside SOAS, do so by recorded delivery.
  • Try to operate a 'clear desk' policy. Only leave out the work necessary to complete your activities that day, and lock papers away at close of business.
  • If you have large quantities of paper records containing personal information which you do not have room to store, you can use SOAS's offsite storage facility. Guidance is available on the staff intranet here: MySOAS Records Management Page.

Digital records (held on the SOAS network, corporate cloud services such as Office 365, Gmail, corporate systems, on desktops, mobile devices, and removable storage)

  • Ensure databases provided by SOAS to support functions, e.g. student records or financial accounting systems, are password protected and that only staff for whom access is needed to carry out their tasks have login credentials.
  • Portable storage devices and mobile devices should be encrypted or not used at all - the remote desktop allows access to information on the School’s systems and should be used whenever away from the School. Please contact the IT helpdesk for advice on installing and using the remote desktop, at helpdesk@soas.ac.uk.
  • Whilst your mobile device may be encrypted to allow access to the School's email service, avoid using your mobile device to open emails across public Wi-Fi networks, as the data is stored in cloud servers and may be vulnerable to hacking.
  • Try to keep anti-virus software up-to-date if you are bringing a device from home, or doing SOAS work on your own device.
  • Ensure that you are aware of your surroundings and that you are not being observed when entering passwords or other access codes, or working with sensitive information.
  • It is best practice not to keep records of passwords, however this is not always possible as memories are not infallible and staff may leave without passing information on to  colleagues. If you must keep a record, ensure it is held separately from the document or system but in a logical location, with access restricted to as few staff as possible.

The same general principles can be applied to other types of sensitive records. Detailed guidance about the security of electronic information is also provided in the School's IT Policies and Procedures.

3.5 Contact the Information Compliance Manager if you need assistance 

The Information Compliance Manager can provide advice and assistance on records management issues, and on the School's obligations under Freedom of Information, Environmental Information and Data Protection. The Information Compliance Manager can be contacted at:

Information Compliance Manager
SOAS Library, Room D4
Thornhaugh Street
Russell Square
London WC1H 0XG
United Kingdom

Telephone: +44 (0)20 7898 4817
Email: dataprotection@soas.ac.uk

The Records Manager and Archivist can provide advice and assistance on records management:

Ms Olenka Cogias
Telephone: +44 (0)20 7898 4150
Email: oc8@soas.ac.uk
Last updated: January 2019