Records Management for all updated 20150422

advertisement
MANAGING YOUR RECORDS
EFFECTIVELY
Legislative compliance and business efficiency
Organise your (the Uni’s) records…
don’t let them organise (or disorganise) you!!
House-keeping
Fire procedure
Toilets
No mobile phones
Confidential
Breaks

Managing your records effectively
• Introductions
• Your name and role
• Functions/activities/business
processes that you work on
• What you hope to get out of today
Alignment with Strategy 20:20
Build Innovation, Enterprise and Citizenship
• Adopt a continuous improvement/enhancement
approach in all that we do
• Maximise the value of our [information] assets
Information and records are received and created by University staff
members and representatives to facilitate and support business
processes – they are inputs and outputs of the University’s activities.
Ensuring that our information assets are managed correctly corresponds
directly with the objectives of Strategy 2020, namely improving the
efficiency of business processes.
Alignment with the University’s Values (for PDR)
• Professional
-
Take personal responsibility
Use resources efficiently and effectively
Comply with the University’s statutory obligations, policies and regulations where
applicable
• Ambitious and Innovative
-
Using the information from today’s session to work proactively, using initiative, to
improve working practices to ensure the University is legislatively compliant,
including identifying potential risks and taking steps to mitigate these.
• Inclusive
-
Records Management relies on ensuring information is accessible to all those
who require it, and consistent and compliant practices are shared with
colleagues.
• Confident and Supported
-
Equipped to perform role
Updated professional/specialist skills and knowledge
Sharing good practice across the University
What we will cover in this session
• What is records management?
• Definitions and key concepts
• What are the benefits of having a records
management system?
• Things to think about when creating records
• Things to think about when using records
• How to organise your records
SVQ Business & Administration Level 3
This training supports the following units:
S301 – 3, 6, 8, 12, G, H, I, & L
S302 – 3, 10, 11, 12, 13, 14, 15, 16, A, B, F, M, N, O, P, Q, R & S
S304 – 1, 3, 7, 10, B, F, G, L & T
S308 – 2, 14, B, D & L
S320 – 4, 7, 11 & D
S325 – 10 & M
S323 – 1, 2, 3, B & C
Headlines…
• Good records management is the responsibility of all members of
staff. Like Health & Safety if you see practices which are questionable
speak to the person concerned, your line manager or Governance
Services, so that we can sort it out. The colleague is probably
unaware there is a problem and together we can work to resolve the
situation to ensure the University is not at risk of a data breach.
• Ideally, for each business process (activity) there should be a
procedure showing each step of the process, what records are
collected or received (information asset register), how these are kept
(file plan), how long they are kept for (retention schedule), who has
access to them (security), how they are named or titled (naming
convention), and these are easily accessible to all and kept updated.
The file plan should be replicated for manual and electronic records.
We must know what we’ve got, where it is kept, what security controls
are in place, and how long we need to keep the information for. This
gives everyone the confidence and knowledge to manage records and
stops people keeping everything forever.
• No-one should treat University information as if it is their own. All
information collected or generated in the course of your employment
should be kept in a corporate (shared) area where at least one other
person (your line manager) has access. Corporate information should
NOT be kept in Outlook, H:Drive, C:Drive, MySite, own
mobile/portable devices. This includes all formats…paper, emails,
WORD and Excel Documents, PDF’s, CD’s, USB sticks, etc.
• If you are constantly asking a colleague for information then
something is wrong! If you legitimately need access to enable you to
do your job then this should be arranged. It may be that you can
arrange this with your colleague, or your line manager may need to
arrange this, or the file plan/filing arrangements may need to be
altered (e.g. colleague stops saving records in Outlook and puts the
emails with the other records related to that business process), or your
SharePoint site structure/permissions is/are amended to allow certain
colleagues access to certain information.
Exercise One
Why do we need records management?
• Spend a few minutes thinking about why having a
robust system of records management in place is
important for the University.
• Note down 3 points
Please complete the Records Management quiz
Business benefits of good records management
• We spend less time looking for information
– 45% of admin staff time spent retrieving information
– 30 minutes a day per person could be saved through better information
management
– Using figures from a Gartner study…if every University employee had to
retrieve 2 mis-filed documents per year, the annual cost could be as much
as £300,000.00!
• We keep the records we need for as long as we need them – and no
longer, so saving storage space – physical and electronic.
• We make better decisions through having access to records
containing the right information
• The University has the records necessary to defend its legal rights and
those of others
• New staff have the information they need, and understand the records
they have inherited
If records are easily found and useable it saves re-inventing the wheel. SO what are good record management practices? Wheels? Sort
of…the tools to help you work more efficiently!
http://www.optimisation-conversion.com
What’s wrong with what we’ve got?
• Network drives (shared and ‘personal’) are used to store
significant numbers of documents that have:
•
•
•
•
•
•
•
•
Access issues
Poor security
Multiple versions
Duplicates
No authoritative version
No/poor naming conventions
No documented filing (records management) procedures
Browsing (we search most other systems) means that correct file structures
and naming conventions are important to make sure we can retrieve
information
• Structure, growth, no control
What is records management?
“…the efficient and systematic control of the creation, receipt,
maintenance, use and disposition of records, including processes for
capturing and maintaining evidence and information of business activities
and transactions in the form of records.”
BS ISO 15489-1:2001
• It is about managing records, not just ‘information’ or documents, from
their creation, through processes associated with their use, such as
version control, distribution, filing, retention, storage, through to their
final disposition and/or disposal of records, in a way that is
administratively and legally sound, whilst at the same time serving the
operational needs of the University and preserving an adequate
historical record.
• The aim is to capture and maintain evidence of activities and
transaction in an efficient and systematic way.
• Organise records…don’t let them organise (or disorganise) you!
Why manage records?
Don’t be an
information
hoarder!
Image – Edinburgh Napier Health and Safety Team
Why manage records?
• All staff produce and use records
• Records are a valuable University asset and resource, and managed
properly they ensure that you have reliable information to support your
work;
• Improve use of resources: staff time, space costs
• Document accountability and provide evidence
• Demonstrate compliance
• Support decision making across the University
In the beginning…
•
•
•
•
•
•
In the days when Admin teams were employed as a dedicated resource to
manage manual records strict procedures were followed to ensure all boxes were
ticked.
Then everyone was given a ‘Word Processing’ folder and ‘Lotus 123’ folder and
told they were ‘theirs’
Then we did away with the Admin teams as information and records became
predominantly electronic and individuals were given ‘control’ to create folder
structures as we pleased.
We all decided on different folder structures which we could make sense of and
no-one else could understand or access, and had different structures in all our
different electronic systems.
Email became the preferred method of conducting business, so, as the
communications were addressed to us individually we unconsciously decided we
‘owned’ these and apart from creating unfathomable folder structures within
Outlook we decided not to save these RECORDS in shared areas because we
didn’t have time, although we DO have time to trawl through our email stash
endlessly looking for ‘stuff’, because we know who sent it when (approx).
As SharePoint has a slightly different structure to the MS Office folder structure
that we are familiar with, we didn’t like or trust it (MS Office is the only application
we prefer to ‘browse’ in, we ‘search’ all other systems happily).
What we need
Departmental IRM Policies & Procedures
to ensure there is consistency in practice
across information collection/ creation,
storage systems/file plans, retention
periods, etc. which will give all staff
members the confidence that they are
managing their information & records
correctly.
What is a record?
• The word record is used to mean ‘any
recorded evidence of an activity’
• Records are not defined by:
– Format, either physical or electronic
– Age, or
– importance
What is a record?
• A record is recorded information kept to provide evidence of some
transaction or activity
• The term ‘record’ can be used for an individual document or a
collection of documents organised as a unit:
– eg a letter, a paper files, a MS word file, an electronic folder, an
email, an MS outlook folder.
• Records management processes are the same regardless of the
format of the material because they are based on the content of the
record.
• We should therefore organise paper and electronic records according
to the same scheme.
Exercise Two
What records do you create?
• Think about the records you create and receive
and those that are created in your
team/area/department. List 5 different types of
records which are created that are central to your
core functions and activities.
Why is records management necessary?
• Good records management is not optional
• It is essential as a result of:
– Legislative requirements such as Freedom of Information, Data
Protection and other information related legislation
– Regulatory requirements eg QAA
– Contractual requirements; and
– Business needs
• Some drivers are external (FOI) but the strongest are internal, and
to do with working more efficiently and effectively.
Legislative requirements
• Legislation often imposes general requirements which require good
record keeping.
• The Data Protection Act 1998:
– Sets down conditions for processing personal data – creating records is a form of
processing, as is storing, retrieving, updating and sharing them
– Creates rights of access by individuals to their data;
– Personal data must not be retained for longer than necessary for the purpose(s) for
which it was gathered
• How long will depend on the circumstances, any may be overridden by other legal
requirements.
Consider the consequences for a breach of the DPA?
How does a breach happen?
Good records management can mitigate the risk!
Legislative requirements
• The Freedom of Information (Scotland) Act 2002 has created a
general right of access to information and records (mainly non
personal) held by public authorities
• Under Section 61 of the FOISA, Scottish Ministers have issued a
Code of Practice regarding records management in Scottish public
authorities
• Good records management is central to compliance with FOI, as
without good records systems the University won’t know what
information it has created, where it is stored and will ultimately be
unable to respond to requests for information
• This can result in legal action being taken against the University
• The Scottish Information Commissioner is also able to conduct audits
of public authorities which scrutinise records management practices.
Generally one University is routinely audited, but others are audited if
there is a breach of FOISA
• How does FOISA test our RM practices?
Regulatory requirements
We need to keep good records to meet the requirements
of regulators, for example:
– Research Excellence Framework (REF)
• Do we have accurate data on staff research, achievements and
publications?
– Professional bodies
• Nursing, Engineering, Law
– Enhancement-led Institutional Review/Quality Assurance
Agency audits (QAA)
• Do we have adequate programme specifications in place?
– Funding bodies, research & teaching quality assessments,
financial audits, risk management & business continuity
planning
Business requirements
• But above all….. we need good records management to function
effectively and efficiently an as organisation.
• Records are an asset (and a liability!).
• Everybody’s work requires access to and use of information….
records are the result.
• Not having the records you need is a problem …as is accumulating
too many of them!
Exercise Three
Legislative and regulatory requirements
• From the records you identified earlier are there
any legislative or regulatory requirements you
would have to take into account when managing
these records?
Good records management depends on…
•
•
•
•
Creating records when necessary and in an appropriate way
Organising records to support access and re-use
Retaining records for as long as they have value
Disposing of records correctly – through destruction or
transfer to offsite storage
• Security of records and data protection should be taken into
account throughout the life cycle of the record
Creating and organising records
Which comes first?
Record creation OR it’s place in the filing structure?
When a record is created, in the majority of cases, as it is ‘evidence of
business activity’ (generated by a specific business process), its place in
the filing system (classification, access, security) and retention period
should already exist. This means that if the filing system is set up
correctly the person who is creating the record does not necessarily have
to think about these issues.
If you are creating a new record it should be saved
before you start working on it.
Business processes, activities and tasks
Business process cont’d…
Retention Periods
Termination of
contract + 6years
Recruitment
completion + 3
years
Termination of
contract + 6years
Others incl.
exercise
completion + 3
months
Retention Periods and Schedules
These business processes should therefore be linked to your retention
schedules and records with the same retention periods grouped together
for easy disposition.
Business
Process
Working documents
(examples)
Records
Retention Periods
File Arrangement/Plan
HR
Recruitment
-Email correspondence
-Statistics spreadsheets
-Draft business case
-Emails
-Drafts, emails, reference
documents
-Business case
-CFY+6yrs
-Meeting minutes
documenting BCase
approval
-Authorisation form (signed)
-Permanent
-Person specification
-Job description
-Advertisement text
-Emails, drafts
-Checklists
-Shortlisting matrix template
-Interview questions
-Enquiries
-Completed applications
-Completed shortlist
-Interview notes/scoring
-Employment offer
-Employment contract
-CFY+1yr
-Job T+1yr
-Job T+1yr
-Process T+3mnths
-Process T+3mnths
-Process T+3mnths
-Unsuccessful UK
Process T+3mnths
-Unsuccessful EU
Process T+1yr
-Successful T+6yrs
-Process T+3mnths
-Process T+3mnths
-T+6yrs
-T+6yrs
(moves from
recruitment files to
personnel file)
Business Cases
Authorisations
Job Descriptions
Person
Specifications
Advertising
Enquiries
Applications,
shortlisting and
interview
records
Employee Contract
Management
Training and Development
Evaluation, Pay and Benefits
Exercise Four
Mapping business processes and cross referencing to
retention schedules
http://www.st-andrews.ac.uk/lean/whatwedo/casestudies/leanmovie/
Organising records
• When creating records think about:
– Do you need to share the information?
– Will your colleagues need access to it?
• If other people need access to records the you should:
– Save the records to a shared directory (if electronic) or a shared paper filing system
•
Shared record keeping systems are preferable to personal systems eg storing
on H:Drive or on disks. Personal files and directories should be used for
personal information not corporate records created in the course of your
employment. Drafts and confidential information can be protected using
access controls/passwords.
• Advantages of shared systems:
– Other people can access the information e.g. if you're away
– Less duplication of documents
Organising records
• Where possible put all related documents in a single area
• Name folders for activities and subjects
• try to be as open/accessible with permissions as possible – make sure
someone else knows where your data is (however, do not give out
your network password to anyone!)
• Involves setting up a filing or classification scheme and applying the
same scheme to every part of your recordkeeping system.
• This would include using the same filing scheme for paper files, MS
Office folders, Outlook folders and Sharepoint workspace
Things to think about when creating records..
• Some information does not need to become records – in the sense of
information retained in a record-keeping system, for example:
– Ephemeral/transitory/temporary emails eg ‘thank yous’, acknowledgements,
invitations
– Publications and reference materials
– Duplicates of information
– Phone messages and post-it-notes
– Drafts (in most cases, there may be exceptions) once the final version is produced.
• You also have to ensure that the record is complete, for example:
– Does it provide a full and accurate picture of the subject, event, decision etc...?
– If emails are used to make key decisions or convey important information, they too
will also become records.
• What format are you going to keep your records in?
– ‘Print to paper’
– ‘All electronic’
I say “tomato”
and you say “tomAto”
Naming Conventions
What’s in a name? Quite a lot! For one, the
ability to find the information/record you need!
• Agree a consistent (sensible) convention designed for the
process/activity.
• Document the convention so that everyone knows what to use.
• Titles should be concise, but contain enough relevant information
• Use standard terms or forms for names, places etc.
• Use the standard date format YYYYMMDD.
• Use whole names, or standard acronyms. If acronyms are used,
ensure that the full description is spelt out within the document.
Beware! Acronyms mean different things to different people!
Exercise Five
Information Security
• Write down one risk relating to information/records in the following
scenarios:
–
–
–
–
–
–
–
Mobile working
Sending emails
Working at your desk
Printing
Destroying records
Retaining hardcopy records
Retaining electronic records
Using records: security issues
• Security is particularly vital for records containing:
– Personal data
– Commercially sensitive
information
– Information provided in
confidence
– Legally privileged information
• Because:
– The Data Protection Act requires us to protect personal data
against unauthorised access and accidental loss
– Poor data security (loss of USB data sticks or paper records) can
lead to reputational damage and result in the University being
fined or prosecuted.
The University’s Information Security Policy can be accessed at:
http://staff.napier.ac.uk/Services/citservices/Information+for+Staff/Information+Security/
censorshipinamerica.com/
Information security - general
ICO guidance states…
A data security breach can happen for a number of reasons:
• Loss or theft of data or equipment on which data is stored
• Inappropriate access controls allowing unauthorised use
• Equipment failure
• Human error [(or behaviour) employee responsibility and
awareness]
• Unforeseen circumstances such as a fire or flood
• Hacking attack
• ‘Blagging’ offences where information is obtained by
deceiving the organisation who holds it
Keeping information secure
ELECTRONIC
•
•
•
Passwords – keep passwords secure; use strong passwords with letters,
numbers and characters; change passwords regularly.
Lock your PC/electronic device whenever you are logged into the University
network and are not using it e.g. when you move away from your desk!
Access – ensure the appropriate colleagues have access to the information
and access is restricted to others. Access settings on SharePoint and MS Explorer folders
can be restricted or passwords used. Access to software systems (proprietary and free) should be
maintained (restricted or allowed) by system administrators.
•
•
•
•
Mobile devices (laptop/USB/etc.) should be encrypted and kept secure. If you
are accessing University information on your mobile phone ensure it locks.
Mobile devices should be backed up regularly e.g. information placed on the
University network in the appropriate departmental area.
Data sharing – encrypt emails as appropriate (and ensure that University
Policy is adhered to, including the Data Protection Code of Practice)
University systems should be accessed remotely via the virtual private
network (VPN) http://staff.napier.ac.uk/services/cit/OffCampusServices/Pages/RemoteNetwork.aspx
• Complete the online Security Awareness training module!
Keeping information secure
PHYSICAL
•
•
•
•
•
•
•
•
Clear desk policy
Locked drawers/cabinets/offices – don’t expect colleagues to lock up on your
behalf. Locked offices are particularly important if you are unable to operate a
clear desk policy.
If you work from home it is not advisable to take paper documents and
records home with you, particularly if they contain personal or confidential
information. Don’t leave them in your vehicle en route and do lock them up
when you get home.
Ensure you have all your printing when you finish printing.
Use the University’s off-site storage facility
Use the confidential disposal consoles (paper and redundant electronic
media), or arrange for bulk shredding (Property & Facilities).
Don’t put confidential or personal date in the recycling bins.
Ensure your PC monitor cannot be overlooked.
…and, of course, lock your PC when you move away from your desk (this should
become automatic!)
Emails
• Outlook is a communication tool NOT a filing system
• Emails documenting decisions and evidence of business transactions
are records and therefore subject to the same legislation and other
requirements as records held in other formats.
• Records kept in Outlook are essentially being filed in a personal
storage area and are therefore not accessible to others who may need
to see them.
• Emails should be routinely managed and stored along with other
records pertaining to the same task/subject/business
• Email is not secure! Email encryption is available and should be used
when transmitting information which is personal, confidential or
sensitive (see the Information Security Classification Scheme and
Email Guidance)
Vital Records
Vital records are those records which are crucial to the functioning of the
University. They are necessary for the continuing operation of the organisation
following a crisis/disruption/disaster as they contain information which is essential
to provide evidence of the University’s legal and financial status, ensuring that the
rights and responsibilities of stakeholders are maintained. These records are
necessary to assist the University in resuming business as soon as possible after
a crisis/disaster.
How do we identify vital records?
Risk assessments and inclusion of vital records schedules in business continuity
plans.
Procurement/Contracts and FOISA
Contracts
One area that many organisations find challenging is the records
management of contracts, agreements and associated documents.
Good records management is critical to efficient and effective contract
management. Do we know where all the Uni’s contracts are?
It is estimated that companies spend almost 5% of their revenue to track agreements after
signing a contract.
- Goldman Sachs
That’s a lot of money! Apart from time wasted searching for contract
documents costs could also be incurred by having to re-draft documents,
losses incurred if SLAs or contract terms are not met and this cannot be
substantiated by production of the original contract or related documents.
Contracts and records management
Contracts should be registered on a central or departmental register and
accessible to the necessary people.
This register should be cross referenced to a retention schedule and
identify the following information:
• Where the ‘Golden Record’ held
• How the ‘golden record’ is held (fire proof safe, off-site storage, etc.)
• Who is the custodian (department or faculty/job title)
• What is the ‘trigger point’ for the retention period to kick in? (Generally
contract termination)
• What is the retention period? Is there a review date? The retention
period for contracts is usually dependant on the type of contract and
determined by the Prescription and Limitations Act 1973.
• Is the contract a vital record?
Contracts – other considerations
Risk Management – good records management practices can mitigate risks:
Legislative compliance (Prescription and Limitation Act 1973, EU Law, etc.)
Legal admissibility and evidential weight of information
Audit requirements – is an adequate audit trail provided?
Evidence for litigation purposes in the event of a legal challenge.
Other considerations:
• Consistency – ensuring the contract complies with recommendations/University guidance and
using University templates which include relevant data protection and FOISA clauses
• Evidence of past actions to inform future developments e.g. setting precedents for re-tendering
• High costs associated with contract creation and management – good RM can assist with
rationalising these
For guidance drafting contracts and using templates contact:
Commercialisation Contracts - Aileen Wood and Fiona Mason, Innovation Managers
Finance and Procurement Contracts – Lynne Smith, Operations Support Manager
General Contracts – Helen Mizen, Governance Officer (Data Protection & Legal)
Outcome Agreements with the SFC – Anastasia Dragona, Information and Project
Officer
Exercise Six
Organising your records effectively
1) Name five examples of bad records management practice
demonstrated on the sample given
2) What problems could be caused to the University or to staff if the
department continues in this way?
3) How should records be file instead?
Overview
• Good records management is necessary for statutory, regulatory
and contractual reasons.
• It also helps the University to function more efficiently.
• When creating records, we need to think about:
–
–
–
–
Whether the record is necessary
Whether the language is appropriate
What format are we going to save the record in
Whether people will need access to the record
• Records can exist in many different formats – and pass through a
lifecycle reflecting their business value.
Overview
• Records are the output of business activities and should be arranged
in a way that reflects this.
• Put records in organised shared areas, preferably on SharePoint.
When deciding on the file structure think about how you are going to
dispose of them – don’t have folders full of documents with mixed
retention periods.
• No records should just be accessible to one person (e.g. in an H:
Drive or in Outlook). This doesn’t necessarily make them secure.
• Name documents sensibly. Ideally have departmental naming
conventions which have been documented, so everyone knows how
they should be naming documents and has something to refer to.
• Have disposal events once or twice a year to weed out
records/documents that you no longer need to retain. Individuals
should schedule time into their diaries to maintain their records and
information.
Final thoughts…
We’ve covered hoarding, evolution, livestock and produce…
• The University Records Management Policy is available on the
intranet (Records Management pages) – it applies to all University
employees, so please make sure you read it!
• The University’s Data Protection policy statement and code of practice
are available on the intranet (applicable to ALL!!! PLEASE READ).
• Other related online modules are available, including Information
Governance, Data Protection, Freedom of Information and Information
Security.
• Email guidance is available on the intranet and specific training is
offered by Information Services (technical usage of Outlook) and
Corporate Learning and Development.
• What do you think are the barriers to good records management?
• What problems have you encountered?
Further information
• Records Management
– Governance Services
• http://staff.napier.ac.uk/services/secretary/Pages/uso.aspx
• http://staff.napier.ac.uk/services/secretary/governance/records/Page
s/default.aspx
– JISC Infokit – Records Management
• www.jiscinfonet.ac.uk/infokits/records-management
– JISC Managing records – guide for administrators
• www.jiscinfonet.ac.uk/records-management/guide-for-administrators
• Freedom of Information
– Edinburgh Napier FOI website:
• www.napier.ac.uk/foi
– Scottish Information Commissioner:
• www.itspublicknowledge.info
• Data Protection
– Info Commissioner - www.ico.gov.uk/
Contact
Diana Watt
Governance Officer (Records Manager)
Email: D.Watt@napier.ac.uk
Telephone: 0131 455 6257
Download