Records Management Policy
Records Management Policy
| Key Policy Information | |
|---|---|
| Policy title: | Records Management Policy |
| Policy owner: | Chief Information Officer |
| Department: | Information and Technology |
| Date approved: | 14 December 2020 |
| Date to be reviewed: | November 2023 |
| Approval route: | Executive Board |
| Circulation: | Staff |
| Publication: | Website |
1. Introduction
1. Introduction
The Records Management Policy is necessary to inform SOAS employees in understanding and meeting the school's requirements for the creation, maintenance, use, storage and disposal of SOAS records. The 2021 Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000 sets the expectation for all public authorities to work towards a mature records management programme supported by suitable policy and procedures.
By following this policy and the supporting guidance, employees will be able to manage the records for which they are responsible in a way which:
- Facilitates compliance with statutory and regulatory requirements
- Prevents unauthorized or unlawful disclosure of information by ensuring records are managed in a controlled way
- Protects the interests of SOAS, its staff, students and other stakeholders by maintaining high quality information for as long as its required, and to ensure its timely and secure destruction
- Supports continuous improvement in the School’s core activities of teaching and research, and evidence based decision making by maintaining accurate and reliable records
- Provide evidence of corporate governance
- Support business efficiency and continuity by ensuring information can be quickly located and protecting vital information for the continued functioning of SOAS during a disaster
- Provide evidence in litigation
- Maintain SOAS’s corporate memory by preserving records of historical significance.
2. Scope
2. Scope
2.1. This policy applies to all SOAS staff. It will also apply to all contractors engaged to work within the School. Except where the terms of funding take precedence, this policy will also apply to all records of research generated by SOAS staff.
2.2. The policy covers all records created during SOAS business and its activities. A record is recorded information, in any form (e.g. an electronic file or e-mail, a database record or a paper document), created or received by SOAS or individual members of staff to support and show evidence of the School’s activities. More detailed definitions of a record and other related terms are provided in the Definitions section below.
3. Definitions
3. Definitions
3.1 What is a record?
A record is a subset of recorded information which supports and shows evidence of SOAS activities. It can exist in any format and be created or received by SOAS or individual members of staff. It is important to differentiate between a record and a document. All records are documents, but not all documents are records. In effect, a document becomes a record when it forms part of a business activity.
An example of a document would be a blank form. If somebody completes and submits the form, it becomes a record, because it has participated in a business activity. Some documents will never (and should never) become records, due to their ephemeral nature. Examples include promotional literature received (unless it is relevant to a particular project or initiative, whether ongoing or planned), junk mail (e-mail or otherwise) and other items of no more than passing significance.
Records need to be authentic, reliable, have integrity (be complete or unaltered, except under controlled conditions) and be useable. Records therefore need to be subject to controls that ensure these features are maintained.
3.2 What is records management?
The international standard on records management describes it as:
“[The] field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and [disposal] of records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records.” (BS ISO 15489-1 Information and documentation – Records Management).
Effectively, it is about applying the necessary controls to SOAS records to ensure their authenticity, reliability, integrity and usability.
3.3 What are Local Information Champions?
The Local Information Champions, along with the Information Compliance Manager and Records Manager and Archivist, are members of the Information Compliance and Records Management (ICRM) Network, each representing a Directorate, who are responsible for managing records within their section. The Network meets every term to discuss any records management issues and receive any records management training required. They are responsible for disseminating records management policies and procedures, best practice and training to their department.
ICRM Network Terms of Reference 2020 (pdf; 120kb)
3.4 The records lifecycle
This is a model used by records managers to describe the stages through which a record progresses during its existence. It is helpful for planning records management activities, so that records can be maintained and stored efficiently.
Records are placed within files classed as ‘current’ until they are closed. Files then progress through a ‘semi-current’ phase, when staff may still access them regularly, but will not add any records. Often another phase, ‘non-current’, follows where a file needs to be retained, perhaps for legal reasons, but is rarely referenced. Once a file is no longer needed, it can be disposed of, either by transfer to the School Archive via the Records Manager and Archivist if it is likely to be of historical significance, or by destruction.
3.5 The retention schedule
This is a policy setting out what records SOAS holds and how long they will be retained before disposal. It can also be used to set out what needs to happen to records at different stages of their lifecycle to ensure that they are stored efficiently.
To view the schedule, please see SOAS Retention Schedule (pdf; 621kb)
3.6 What are vital records?
These are records without which SOAS could not function, and which would be impossible or prohibitively difficult to reconstruct in the event of a disaster. The Records Manager and Archivist is responsible for developing and updating guidance on identifying, recording and protecting vital records, and helping Directorates to identify their vital records.
4. Roles and responsibilities
4. Roles and responsibilities
4.1 The Information Compliance Manager has overall responsibility for Records Management. Operational responsibility is delegated to the Records Manager and Archivist who is responsible for developing the corporate records management policy, procedures and guidance, and promoting good practice and promoting compliance with the policy and procedures
4.2 The Data Governance Steering Group is responsible for reviewing records management policies and procedures and recommending their approval to the relevant committee
4.3 Executive Board are responsible for approving substantive changes to the Records Management Policy
4.4 Directors are responsible for ensuring that adequate records of their directorate’s activities are maintained and that records possess ‘authenticity, reliability, integrity and usability’ (ISO 15489)
4.5 The Information and Technology Directorate is responsible for providing an off-site storage service and arranging the transfer/return of records to the supplier, and retrieval of records from the supplier.
4.6 Local Information Champions of the Information Compliance and Records Management Network are responsible for communicating records management policy and procedures to their directorates and reporting on their implementation to the Records Manager and Archivist
4.7 Line managers are responsible for ensuring their staff are aware of the Records Management Policy
4.8 The Local Information Champions are responsible for disseminating or circulating training given by the Records Manager and Archivist to any staff within their department who require it.
4.9 The Records Manager and Archivist is responsible for providing records management training and procedures to Liaison Officers
4.10 All SOAS staff are responsible for documenting their work and keeping records in line with SOAS policies and procedures, including retaining and disposing of records in line with records management procedures and the Records Retention Schedule
4.11 The Chief Information Officer is responsible for ensuring that adequate technical provision is in place to support record keeping across the School to allow the School to comply with this policy
4.12 The Director of Estates and Property Services is responsible for providing onsite storage for physical records, and to provide disposal services which follow compliant confidential waste disposal methods for physical records which are no longer required, to allow the School to comply with this policy
4.13 Committee Secretaries are responsible for maintaining records of their committees and managing their disposal in line with the instructions provided in the SOAS Retention Schedule
4.14 The Information and Technology Directorate is responsible for any historical administrative records of the School deemed to be of enduring historical value following appraisal and deposited in the School Archive.
5. Main Policy
5. Main Policy
The records of SOAS are its corporate memory, and are necessary for good corporate governance, to be accountable, to comply with legal requirements, to provide evidence of decisions and actions, to provide information for current and future decision-making, and to safeguard the rights of individuals.
All records created by staff whilst working for SOAS are the property of the School and therefore need to be managed in line with this Policy. Managing and using records effectively and efficiently will ensure that SOAS gains the maximum benefit from them.
SOAS recognises the importance of this essential resource and undertakes to:
5.1 Manage records effectively and efficiently in line with this policy
5.2 Comply with legal obligations that apply to its records
5.3 Exercise best practice in the management of records, where beneficial to SOAS and cost efficient, as outlined in relevant standards
5.4 Provide the tools to enable staff to effectively and efficiently access and use records as corporate resources of information
5.5 All records should be stored digitally where possible with all necessary provisions made to maintain the integrity, reliability and accessibility of records during their lifespan
5.6 Store records efficiently, utilising appropriate storage methods as outlined in the retention schedule at all points in their lifecycle, and disposing of them appropriately when they are no longer required
5.7 Use appropriate levels of security to prevent the unauthorised or unlawful use and disclosure of information.
Paper records containing confidential information must be stored in locked cabinets or rooms when not in use, and access can only be provided to authorised staff. Computer screens should be locked when computers are left unattended. Any confidential records on removable hardware, such as a USB or external hard disk, must be kept secure and protected from theft as well as encrypted at rest. Similarly, mobile devices used for work purposes must be protected from theft and encrypted at rest.
5.8 Provide appropriate protection for records from unwanted environmental (fire, flood, infestation) or human impact (alteration, defacement, theft)
5.9 Identify and protect records which would be vital to the continued functioning of SOAS in the event of a disaster (such as fire, flood, virus attack). These include records that would recreate SOAS’ legal and financial status, preserve its rights and ensure that it continues to fulfil its obligations to stakeholders
5.10 Identify and make provision for the preservation of records of long term and historical value.
To achieve the objectives outlined above, SOAS will adopt the following implementation methods:
5.11 Establish a network of Information Compliance and Records Management Liaison Officers to ensure that records management policies and procedures are communicated and implemented in directorates
5.12 Information surveys will periodically be carried out across all directorates at SOAS to identify all main records series that are created, received and stored by, or on behalf of, SOAS
5.13 The SOAS Records Retention Schedule outlining SOAS policy for retention and disposal of records will be reviewed by the Records Manager and Archivist every five years. Staff within departments directorates will be relied on to implement the schedule
5.14 Guidance and facilities for the appropriate disposal of records will be provided
5.15 Directorates will ensure that their records are adequately controlled, through such methods as registration of files and use of actively managed shared areas on the School network and approved storage space in the cloud
5.16 Records management guidance will be made available to SOAS staff, including guidance on such matters as security and access to records, document naming and version control, and appropriate storage at different stages of the records lifecycle
5.17 Staff will receive training in records management appropriate to their role
5.18 Records and information management risks will be identified in the School’s Risk Register
5.19 Vital records will be identified and steps taken to ensure their survival in the event of a disastrous occurrence
5.20 Records management issues will be considered when planning or implementing new systems (electronic or otherwise) and during re-structuring or major changes to the School
5.21 Progress in implementing this policy will be reported by the Records Manager and Archivist to the Data Governance Steering Group
5.22 The Records Manager and Archivist will carry out information surveys every five years to review compliance with the Policy and report back to the Data Governance Steering Group.
6. Conditions
6. Conditions
The following laws, regulations, codes of practice, standards and policies are part of the legal and professional framework which has a bearing on this policy.
Laws and regulations
- General Data Protection Regulation (EU 2016/679)
- UK Data Protection Act 2018
- Environmental Information Regulations 2004
- Freedom of Information Act 2000
- Limitation Act 1980
Standards and Codes of Practice
- BS ISO 15489-1, Information and documentation – Records management – Part 1: General
- BS ISO/IEC 27001: 2005, Information technology. Security techniques. Information security management systems. Requirements
- BS ISO/IEC 27002: 2005, Information technology. Security techniques. Information security management systems. Code of Practice
- BS 10008 Evidential weight and legal admissibility of electronic information - Specification
- BS 8470:2006, Secure destruction of confidential material. Code of practice
- BS 4783, Storage, transportation and maintenance of media for use in data processing and information storage
- 2021 Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000
- JISC Higher Education Business Classification Scheme and Records Retention Guide.
Related SOAS strategies and policies
- Data Protection Policy
- IT Policy/IT Acceptable Use Policy (currently under review)