MANAGING YOUR RECORDS EFFECTIVELY
Legislative compliance and business efficiency
Organise your (the Uni’s) records… don’t let them organise (or disorganise) you!!

House-keeping
• Fire procedure
• Toilets
• No mobile phones
• Confidential
• Breaks

Managing your records effectively
• Introductions
• Your name and role
• Functions/activities/business processes that you work on
• What you hope to get out of today

Alignment with Strategy 20:20
Build Innovation, Enterprise and Citizenship
• Adopt a continuous improvement/enhancement approach in all that we do
• Maximise the value of our [information] assets
Information and records are received and created by University staff members and representatives to facilitate and support business processes – they are inputs and outputs of the University’s activities. Ensuring that our information assets are managed correctly corresponds directly with the objectives of Strategy 2020, namely improving the efficiency of business processes.

Alignment with the University’s Values (for PDR)
• Professional
  – Take personal responsibility
  – Use resources efficiently and effectively
  – Comply with the University’s statutory obligations, policies and regulations where applicable
• Ambitious and Innovative
  – Using the information from today’s session to work proactively, using initiative, to improve working practices to ensure the University is legislatively compliant, including identifying potential risks and taking steps to mitigate these.
• Inclusive
  – Records Management relies on ensuring information is accessible to all those who require it, and consistent and compliant practices are shared with colleagues.
• Confident and Supported
  – Equipped to perform role
  – Updated professional/specialist skills and knowledge
  – Sharing good practice across the University

What we will cover in this session
• What is records management?
• Definitions and key concepts
• What are the benefits of having a records management system?
• Things to think about when creating records
• Things to think about when using records
• How to organise your records

SVQ Business & Administration Level 3
This training supports the following units:
S301 – 3, 6, 8, 12, G, H, I, & L
S302 – 3, 10, 11, 12, 13, 14, 15, 16, A, B, F, M, N, O, P, Q, R & S
S304 – 1, 3, 7, 10, B, F, G, L & T
S308 – 2, 14, B, D & L
S320 – 4, 7, 11 & D
S325 – 10 & M
S323 – 1, 2, 3, B & C

Headlines…
• Good records management is the responsibility of all members of staff. As with Health & Safety, if you see practices which are questionable, speak to the person concerned, your line manager or Governance Services, so that we can sort it out. The colleague is probably unaware there is a problem, and together we can work to resolve the situation to ensure the University is not at risk of a data breach.
• Ideally, for each business process (activity) there should be a procedure showing each step of the process, what records are collected or received (information asset register), how these are kept (file plan), how long they are kept for (retention schedule), who has access to them (security), and how they are named or titled (naming convention). These should be easily accessible to all and kept updated. The file plan should be replicated for manual and electronic records. We must know what we’ve got, where it is kept, what security controls are in place, and how long we need to keep the information for. This gives everyone the confidence and knowledge to manage records and stops people keeping everything forever.
• No-one should treat University information as if it is their own. All information collected or generated in the course of your employment should be kept in a corporate (shared) area where at least one other person (your line manager) has access. Corporate information should NOT be kept in Outlook, H:Drive, C:Drive, MySite or your own mobile/portable devices. This includes all formats: paper, emails, Word and Excel documents, PDFs, CDs, USB sticks, etc.
• If you are constantly asking a colleague for information then something is wrong! If you legitimately need access to enable you to do your job then this should be arranged. It may be that you can arrange this with your colleague, or your line manager may need to arrange this, or the file plan/filing arrangements may need to be altered (e.g. a colleague stops saving records in Outlook and puts the emails with the other records related to that business process), or your SharePoint site structure/permissions may need to be amended to allow certain colleagues access to certain information.

Exercise One
Why do we need records management?
• Spend a few minutes thinking about why having a robust system of records management in place is important for the University.
• Note down 3 points

Please complete the Records Management quiz

Business benefits of good records management
• We spend less time looking for information
  – 45% of admin staff time spent retrieving information
  – 30 minutes a day per person could be saved through better information management
  – Using figures from a Gartner study…if every University employee had to retrieve 2 mis-filed documents per year, the annual cost could be as much as £300,000.00!
• We keep the records we need for as long as we need them – and no longer, so saving storage space – physical and electronic.
• We make better decisions through having access to records containing the right information
• The University has the records necessary to defend its legal rights and those of others
• New staff have the information they need, and understand the records they have inherited

If records are easily found and useable it saves re-inventing the wheel.
So what are good records management practices? Wheels? Sort of…the tools to help you work more efficiently!
http://www.optimisation-conversion.com

What’s wrong with what we’ve got?
• Network drives (shared and ‘personal’) are used to store significant numbers of documents that have:
  – Access issues
  – Poor security
  – Multiple versions
  – Duplicates
  – No authoritative version
  – No/poor naming conventions
  – No documented filing (records management) procedures
  – Browsing (we search most other systems) means that correct file structures and naming conventions are important to make sure we can retrieve information
• Structure, growth, no control

What is records management?
“…the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including processes for capturing and maintaining evidence and information of business activities and transactions in the form of records.” BS ISO 15489-1:2001
• It is about managing records, not just ‘information’ or documents, from their creation, through processes associated with their use (such as version control, distribution, filing, retention and storage), through to their final disposition and/or disposal, in a way that is administratively and legally sound, whilst at the same time serving the operational needs of the University and preserving an adequate historical record.
• The aim is to capture and maintain evidence of activities and transactions in an efficient and systematic way.
• Organise records…don’t let them organise (or disorganise) you!

Why manage records?
Don’t be an information hoarder!
Image – Edinburgh Napier Health and Safety Team

Why manage records?
• All staff produce and use records
• Records are a valuable University asset and resource, and managed properly they ensure that you have reliable information to support your work
• Improve use of resources: staff time, space costs
• Document accountability and provide evidence
• Demonstrate compliance
• Support decision making across the University

In the beginning…
• In the days when Admin teams were employed as a dedicated resource to manage manual records, strict procedures were followed to ensure all boxes were ticked.
• Then everyone was given a ‘Word Processing’ folder and a ‘Lotus 123’ folder and told they were ‘theirs’.
• Then we did away with the Admin teams as information and records became predominantly electronic, and individuals were given ‘control’ to create folder structures as we pleased.
• We all decided on different folder structures which we could make sense of and no-one else could understand or access, and had different structures in all our different electronic systems.
• Email became the preferred method of conducting business, so, as the communications were addressed to us individually, we unconsciously decided we ‘owned’ these. Apart from creating unfathomable folder structures within Outlook, we decided not to save these RECORDS in shared areas because we didn’t have time, although we DO have time to trawl through our email stash endlessly looking for ‘stuff’, because we know who sent it when (approx).
• As SharePoint has a slightly different structure to the MS Office folder structure that we are familiar with, we didn’t like or trust it (MS Office is the only application we prefer to ‘browse’ in; we ‘search’ all other systems happily).

What we need
Departmental IRM Policies & Procedures to ensure there is consistency in practice across information collection/creation, storage systems/file plans, retention periods, etc., which will give all staff members the confidence that they are managing their information & records correctly.
What is a record?
• The word record is used to mean ‘any recorded evidence of an activity’
• Records are not defined by:
  – Format, either physical or electronic
  – Age, or
  – Importance

What is a record?
• A record is recorded information kept to provide evidence of some transaction or activity
• The term ‘record’ can be used for an individual document or a collection of documents organised as a unit:
  – e.g. a letter, a paper file, an MS Word file, an electronic folder, an email, an MS Outlook folder.
• Records management processes are the same regardless of the format of the material because they are based on the content of the record.
• We should therefore organise paper and electronic records according to the same scheme.

Exercise Two
What records do you create?
• Think about the records you create and receive and those that are created in your team/area/department. List 5 different types of records which are created that are central to your core functions and activities.

Why is records management necessary?
• Good records management is not optional
• It is essential as a result of:
  – Legislative requirements such as Freedom of Information, Data Protection and other information related legislation
  – Regulatory requirements e.g. QAA
  – Contractual requirements; and
  – Business needs
• Some drivers are external (FOI) but the strongest are internal, and to do with working more efficiently and effectively.

Legislative requirements
• Legislation often imposes general requirements which require good record keeping.
• The Data Protection Act 1998:
  – Sets down conditions for processing personal data – creating records is a form of processing, as is storing, retrieving, updating and sharing them
  – Creates rights of access by individuals to their data;
  – Personal data must not be retained for longer than necessary for the purpose(s) for which it was gathered
    • How long will depend on the circumstances, and may be overridden by other legal requirements.
Consider the consequences of a breach of the DPA. How does a breach happen? Good records management can mitigate the risk!

Legislative requirements
• The Freedom of Information (Scotland) Act 2002 has created a general right of access to information and records (mainly non personal) held by public authorities
• Under Section 61 of the FOISA, Scottish Ministers have issued a Code of Practice regarding records management in Scottish public authorities
• Good records management is central to compliance with FOI, as without good records systems the University won’t know what information it has created or where it is stored, and will ultimately be unable to respond to requests for information
• This can result in legal action being taken against the University
• The Scottish Information Commissioner is also able to conduct audits of public authorities which scrutinise records management practices. Generally one University is routinely audited, but others are audited if there is a breach of FOISA
• How does FOISA test our RM practices?

Regulatory requirements
We need to keep good records to meet the requirements of regulators, for example:
  – Research Excellence Framework (REF)
    • Do we have accurate data on staff research, achievements and publications?
  – Professional bodies
    • Nursing, Engineering, Law
  – Enhancement-led Institutional Review/Quality Assurance Agency audits (QAA)
    • Do we have adequate programme specifications in place?
  – Funding bodies, research & teaching quality assessments, financial audits, risk management & business continuity planning

Business requirements
• But above all… we need good records management to function effectively and efficiently as an organisation.
• Records are an asset (and a liability!).
• Everybody’s work requires access to and use of information… records are the result.
• Not having the records you need is a problem… as is accumulating too many of them!
Exercise Three
Legislative and regulatory requirements
• From the records you identified earlier, are there any legislative or regulatory requirements you would have to take into account when managing these records?

Good records management depends on…
• Creating records when necessary and in an appropriate way
• Organising records to support access and re-use
• Retaining records for as long as they have value
• Disposing of records correctly – through destruction or transfer to offsite storage
• Security of records and data protection should be taken into account throughout the life cycle of the record

Creating and organising records
Which comes first? Record creation OR its place in the filing structure?
When a record is created, in the majority of cases, as it is ‘evidence of business activity’ (generated by a specific business process), its place in the filing system (classification, access, security) and retention period should already exist. This means that if the filing system is set up correctly the person who is creating the record does not necessarily have to think about these issues. If you are creating a new record it should be saved before you start working on it.

Business processes, activities and tasks

Business process cont’d…
Retention Periods
  – Termination of contract + 6 years
  – Recruitment completion + 3 years
  – Termination of contract + 6 years
  – Others incl. exercise completion + 3 months

Retention Periods and Schedules
These business processes should therefore be linked to your retention schedules, and records with the same retention periods grouped together for easy disposition.
Business Process | Working documents (examples) | Records | Retention Periods | File Arrangement/Plan
HR Recruitment -Email correspondence -Statistics spreadsheets -Draft business case -Emails -Drafts, emails, reference documents -Business case -CFY+6yrs -Meeting minutes documenting BCase approval -Authorisation form (signed) -Permanent -Person specification -Job description -Advertisement text -Emails, drafts -Checklists -Shortlisting matrix template -Interview questions -Enquiries -Completed applications -Completed shortlist -Interview notes/scoring -Employment offer -Employment contract -CFY+1yr -Job T+1yr -Job T+1yr -Process T+3mnths -Process T+3mnths -Process T+3mnths -Unsuccessful UK Process T+3mnths -Unsuccessful EU Process T+1yr -Successful T+6yrs -Process T+3mnths -Process T+3mnths -T+6yrs -T+6yrs (moves from recruitment files to personnel file) Business Cases Authorisations Job Descriptions Person Specifications Advertising Enquiries Applications, shortlisting and interview records Employee Contract Management Training and Development Evaluation, Pay and Benefits

Exercise Four
Mapping business processes and cross referencing to retention schedules
http://www.st-andrews.ac.uk/lean/whatwedo/casestudies/leanmovie/

Organising records
• When creating records think about:
  – Do you need to share the information?
  – Will your colleagues need access to it?
• If other people need access to records then you should:
  – Save the records to a shared directory (if electronic) or a shared paper filing system
• Shared record keeping systems are preferable to personal systems, e.g. storing on H:Drive or on disks. Personal files and directories should be used for personal information, not corporate records created in the course of your employment. Drafts and confidential information can be protected using access controls/passwords.
• Advantages of shared systems:
  – Other people can access the information e.g.
    if you're away
  – Less duplication of documents

Organising records
• Where possible put all related documents in a single area
• Name folders for activities and subjects
• Try to be as open/accessible with permissions as possible – make sure someone else knows where your data is (however, do not give out your network password to anyone!)
• Involves setting up a filing or classification scheme and applying the same scheme to every part of your recordkeeping system.
• This would include using the same filing scheme for paper files, MS Office folders, Outlook folders and SharePoint workspace

Things to think about when creating records…
• Some information does not need to become records – in the sense of information retained in a record-keeping system, for example:
  – Ephemeral/transitory/temporary emails e.g. ‘thank yous’, acknowledgements, invitations
  – Publications and reference materials
  – Duplicates of information
  – Phone messages and post-it-notes
  – Drafts (in most cases, there may be exceptions) once the final version is produced.
• You also have to ensure that the record is complete, for example:
  – Does it provide a full and accurate picture of the subject, event, decision etc.?
  – If emails are used to make key decisions or convey important information, they too will become records.
• What format are you going to keep your records in?
  – ‘Print to paper’
  – ‘All electronic’

I say “tomato” and you say “tomAto”
Naming Conventions
What’s in a name? Quite a lot! For one, the ability to find the information/record you need!
• Agree a consistent (sensible) convention designed for the process/activity.
• Document the convention so that everyone knows what to use.
• Titles should be concise, but contain enough relevant information
• Use standard terms or forms for names, places etc.
• Use the standard date format YYYYMMDD.
• Use whole names, or standard acronyms. If acronyms are used, ensure that the full description is spelt out within the document. Beware!
  Acronyms mean different things to different people!

Exercise Five
Information Security
• Write down one risk relating to information/records in the following scenarios:
  – Mobile working
  – Sending emails
  – Working at your desk
  – Printing
  – Destroying records
  – Retaining hardcopy records
  – Retaining electronic records

Using records: security issues
• Security is particularly vital for records containing:
  – Personal data
  – Commercially sensitive information
  – Information provided in confidence
  – Legally privileged information
• Because:
  – The Data Protection Act requires us to protect personal data against unauthorised access and accidental loss
  – Poor data security (loss of USB data sticks or paper records) can lead to reputational damage and result in the University being fined or prosecuted.
The University’s Information Security Policy can be accessed at: http://staff.napier.ac.uk/Services/citservices/Information+for+Staff/Information+Security/
censorshipinamerica.com/

Information security - general
ICO guidance states…
A data security breach can happen for a number of reasons:
• Loss or theft of data or equipment on which data is stored
• Inappropriate access controls allowing unauthorised use
• Equipment failure
• Human error [(or behaviour) employee responsibility and awareness]
• Unforeseen circumstances such as a fire or flood
• Hacking attack
• ‘Blagging’ offences where information is obtained by deceiving the organisation who holds it

Keeping information secure
ELECTRONIC
• Passwords – keep passwords secure; use strong passwords with letters, numbers and characters; change passwords regularly.
• Lock your PC/electronic device whenever you are logged into the University network and are not using it e.g. when you move away from your desk!
• Access – ensure the appropriate colleagues have access to the information and access is restricted to others. Access settings on SharePoint and MS Explorer folders can be restricted or passwords used.
  Access to software systems (proprietary and free) should be maintained (restricted or allowed) by system administrators.
• Mobile devices (laptop/USB/etc.) should be encrypted and kept secure. If you are accessing University information on your mobile phone ensure it locks.
• Mobile devices should be backed up regularly e.g. information placed on the University network in the appropriate departmental area.
• Data sharing – encrypt emails as appropriate (and ensure that University Policy is adhered to, including the Data Protection Code of Practice)
• University systems should be accessed remotely via the virtual private network (VPN) http://staff.napier.ac.uk/services/cit/OffCampusServices/Pages/RemoteNetwork.aspx
• Complete the online Security Awareness training module!

Keeping information secure
PHYSICAL
• Clear desk policy
• Locked drawers/cabinets/offices – don’t expect colleagues to lock up on your behalf. Locked offices are particularly important if you are unable to operate a clear desk policy.
• If you work from home it is not advisable to take paper documents and records home with you, particularly if they contain personal or confidential information. Don’t leave them in your vehicle en route and do lock them up when you get home.
• Ensure you have all your printing when you finish printing.
• Use the University’s off-site storage facility
• Use the confidential disposal consoles (paper and redundant electronic media), or arrange for bulk shredding (Property & Facilities). Don’t put confidential or personal data in the recycling bins.
• Ensure your PC monitor cannot be overlooked.
• …and, of course, lock your PC when you move away from your desk (this should become automatic!)

Emails
• Outlook is a communication tool NOT a filing system
• Emails documenting decisions and evidence of business transactions are records and therefore subject to the same legislation and other requirements as records held in other formats.
• Records kept in Outlook are essentially being filed in a personal storage area and are therefore not accessible to others who may need to see them.
• Emails should be routinely managed and stored along with other records pertaining to the same task/subject/business
• Email is not secure! Email encryption is available and should be used when transmitting information which is personal, confidential or sensitive (see the Information Security Classification Scheme and Email Guidance)

Vital Records
Vital records are those records which are crucial to the functioning of the University. They are necessary for the continuing operation of the organisation following a crisis/disruption/disaster as they contain information which is essential to provide evidence of the University’s legal and financial status, ensuring that the rights and responsibilities of stakeholders are maintained. These records are necessary to assist the University in resuming business as soon as possible after a crisis/disaster.
How do we identify vital records? Risk assessments and inclusion of vital records schedules in business continuity plans.

Procurement/Contracts and FOISA

Contracts
One area that many organisations find challenging is the records management of contracts, agreements and associated documents. Good records management is critical to efficient and effective contract management.
Do we know where all the Uni’s contracts are?
It is estimated that companies spend almost 5% of their revenue to track agreements after signing a contract. - Goldman Sachs
That’s a lot of money! Apart from time wasted searching for contract documents, costs could also be incurred by having to re-draft documents, and losses incurred if SLAs or contract terms are not met and this cannot be substantiated by production of the original contract or related documents.

Contracts and records management
Contracts should be registered on a central or departmental register and accessible to the necessary people.
This register should be cross referenced to a retention schedule and identify the following information:
• Where the ‘Golden Record’ is held
• How the ‘golden record’ is held (fire proof safe, off-site storage, etc.)
• Who is the custodian (department or faculty/job title)
• What is the ‘trigger point’ for the retention period to kick in? (Generally contract termination)
• What is the retention period? Is there a review date? The retention period for contracts is usually dependent on the type of contract and determined by the Prescription and Limitation Act 1973.
• Is the contract a vital record?

Contracts – other considerations
Risk Management – good records management practices can mitigate risks:
• Legislative compliance (Prescription and Limitation Act 1973, EU Law, etc.)
• Legal admissibility and evidential weight of information
• Audit requirements – is an adequate audit trail provided?
• Evidence for litigation purposes in the event of a legal challenge.
Other considerations:
• Consistency – ensuring the contract complies with recommendations/University guidance and using University templates which include relevant data protection and FOISA clauses
• Evidence of past actions to inform future developments e.g. setting precedents for re-tendering
• High costs associated with contract creation and management – good RM can assist with rationalising these
For guidance on drafting contracts and using templates contact:
• Commercialisation Contracts – Aileen Wood and Fiona Mason, Innovation Managers
• Finance and Procurement Contracts – Lynne Smith, Operations Support Manager
• General Contracts – Helen Mizen, Governance Officer (Data Protection & Legal)
• Outcome Agreements with the SFC – Anastasia Dragona, Information and Project Officer

Exercise Six
Organising your records effectively
1) Name five examples of bad records management practice demonstrated on the sample given
2) What problems could be caused to the University or to staff if the department continues in this way?
3) How should records be filed instead?

Overview
• Good records management is necessary for statutory, regulatory and contractual reasons.
• It also helps the University to function more efficiently.
• When creating records, we need to think about:
  – Whether the record is necessary
  – Whether the language is appropriate
  – What format we are going to save the record in
  – Whether people will need access to the record
• Records can exist in many different formats – and pass through a lifecycle reflecting their business value.

Overview
• Records are the output of business activities and should be arranged in a way that reflects this.
• Put records in organised shared areas, preferably on SharePoint. When deciding on the file structure think about how you are going to dispose of them – don’t have folders full of documents with mixed retention periods.
• No records should be accessible to just one person (e.g. in an H: Drive or in Outlook). This doesn’t necessarily make them secure.
• Name documents sensibly. Ideally have departmental naming conventions which have been documented, so everyone knows how they should be naming documents and has something to refer to.
• Have disposal events once or twice a year to weed out records/documents that you no longer need to retain. Individuals should schedule time into their diaries to maintain their records and information.

Final thoughts…
We’ve covered hoarding, evolution, livestock and produce…
• The University Records Management Policy is available on the intranet (Records Management pages) – it applies to all University employees, so please make sure you read it!
• The University’s Data Protection policy statement and code of practice are available on the intranet (applicable to ALL!!! PLEASE READ).
• Other related online modules are available, including Information Governance, Data Protection, Freedom of Information and Information Security.
• Email guidance is available on the intranet and specific training is offered by Information Services (technical usage of Outlook) and Corporate Learning and Development.
• What do you think are the barriers to good records management?
• What problems have you encountered?

Further information
• Records Management
  – Governance Services
    • http://staff.napier.ac.uk/services/secretary/Pages/uso.aspx
    • http://staff.napier.ac.uk/services/secretary/governance/records/Pages/default.aspx
  – JISC Infokit – Records Management
    • www.jiscinfonet.ac.uk/infokits/records-management
  – JISC Managing records – guide for administrators
    • www.jiscinfonet.ac.uk/records-management/guide-for-administrators
• Freedom of Information
  – Edinburgh Napier FOI website:
    • www.napier.ac.uk/foi
  – Scottish Information Commissioner:
    • www.itspublicknowledge.info
• Data Protection
  – Info Commissioner - www.ico.gov.uk/

Contact
Diana Watt
Governance Officer (Records Manager)
Email: D.Watt@napier.ac.uk
Telephone: 0131 455 6257