UNIVERSITY OF EXETER
Records Management Policy
1. Introduction
1.1 Effective Records Management is vital to enable the professionalism that is expected from a Top 10 university. The efficient management of the University’s records is necessary to support our core functions, to comply with legal and regulatory obligations, and to contribute to the effective management of the
University. These all contribute to building a reputation as a leading University.
1.2 Records provide evidence of the University’s ‘business’ activities and may be important for operational, legal or historical purposes. Records play a vital role in ensuring that the University is able to operate effectively and, if managed correctly, can be a significant asset to the University. Records Management involves the systematic management of information, to ensure that it is available when and where necessary and that it is kept securely, for as long as necessary, but no longer. This document provides the policy framework through which this effective management will be supported and monitored.
2. Scope of Policy
2.1 Records Management underpins an organisation, through ensuring access to accurate, up-to-date records when required by those that require them. Efficient Records Management processes will ensure ease of access to information, efficient use of physical and virtual storage space, legal compliance and reduced duplication of information and effort. This policy applies to all records created, received or maintained by staff of the University in the course of carrying out their corporate functions. Records may be created, received or maintained in hard copy or electronically and act as evidence of a business transaction of the
University.
2.2 This policy does not apply to the University’s historical records which are currently jointly managed by the
Devon Records Office and the University’s Archive Curator. The Records Manager will work with the
Archive curator to ensure that appropriate records are selected for permanent preservation, historical research and as an enduring record.
3. Aims of Policy
3.1 The Records Management policy acts as a framework to support the management of records which will:
• Provide a clear system of accountability and responsibility for record-keeping and use.
• Improve and maintain the quality of Records Management procedures, through a co-ordinated and consistent approach to the maintenance of records throughout the University.
• Ensure compliance with various pieces of legislation, such as the Data Protection and Freedom of
Information Acts.
• Promote best practice in Records Management throughout the University, thus reducing duplication of records and effort.
• Enable more streamlined processes and efficient services to staff and students.
1
• Work towards compliance with Records Management standards such as the Information Commissioner’s
Personal Information Promise and the National Archives Code of Practice.
• Support the efficient management of the Modern Records Centre.
4. Policy Statements
4.1 The University will:
• Provide a dedicated Records Management Service within the University, to provide advice and guidance on current procedures as well as support in changing and implementing new systems.
• Develop and maintain a robust records retention schedule, providing guidance on the retention and destruction of records held.
• Identify and retain vital records for operational use.
• Comply with legal obligations related to Records Management, such as those required by Data Protection and Freedom of Information legislation.
• Provide training and develop a range of guidance notes to support Records Management.
• Protect and keep secure all records in a manner appropriate to their value, content and retention period.
• Consider the implementation of electronic systems where significant benefits can be achieved and resources allow.
4.2 Electronic Records Management Systems (ERMS) are an increasingly important issue for the University and frequently considered as a solution to storage and access concerns. The Records Management
Service will work with colleagues in BISS to support the selection and implementation of any ERMS system in the future.
5. Implementation
5.1 A dedicated Records Management Service is already in place and will lead on the implementation of this policy. Regular updates will be provided on the Records Management Services webpages. The policy will be regularly reviewed to keep up to date with rapidly changing technology, business needs and regulatory requirements.
5.2 Appendix A provides a brief action plan for the Records Management Service with the aim of working towards compliance with the Personal Information Promise and some aspects of the National Archives
Records Management Code of practice. It is anticipated that the majority of the actions listed will be achieved within one year, providing a sound foundation on which to develop the RMS and the opportunity to review priorities in-line with potential developments in the implementation of an ERMS.
Caroline Dominey
August 2009
2
Appendix A
Records Management Action Plan – July 2009 to July 2010 working towards compliance with the Personal Information Promise and Aspects of the National Archives Records
Management Code of Practice
1
1a value the personal information entrusted to us and make sure we respect that trust;
Demonstrate this through commitment to the ongoing implementation of the Personal Information
Promise
2 go further than just the letter of the law when it comes to handling personal information, and adopt good Records Management practice standards;
2a
Provide a dedicated Records Management Service with clear responsibilities including Data
Protection support
2b Provide optional Data Protection training for staff
2c Provide a dedicated Information Security Service with responsibility for providing support
2d Produce and implement a Records Management Policy and Guidance documents
2e Review and update the Data Protection Policy
2f Produce and implement an Information Security Policy
2g Ensure that a senior member of staff has responsibility for Data Protection
2h Work towards the Personal Information Promise and National Archives Records Management code.
3 consider and address the privacy and security risks when planning to use or hold personal information in new ways, such as when introducing new systems;
3a Require approval from the Information Security Manager for all new IT systems
3b Ensure approval from the Records Manager regarding Records Management processes for new processes
3c Ensure that the Records Manager is consulted on new projects which involve personal data
3d Ensure staff are aware of the implications of Data Protection on new and existing processes
3e Review the use of personal data in existing systems
3f Ensure privacy is considered in all new processes introduced
3g Ensure notification is updated where required
4 be open with individuals about how we use their information and who we give it to;
4a Ensure that fair processing notices are clear, up to date and consistently used across the University
4b Ensure that students are provided with a simple and easy mechanism to opt out of marketing
4c Regularly review, update and renew its Notification with the Information Commissioner's Office
5 make it easy for individuals to access and correct their personal information;
5a Provide clear and accessible guidelines on obtaining access to personal information
5b Have a consistent process for responding to Subject Access Requests
5c Provide training to staff involved in responding to Subject Access Requests
6
6a keep the minimum information (including personal information) necessary and delete it when we no longer need it;
Develop and implement retention schedules (covering electronic and paper records) for all information with a view to facilitating the implementation of an information security classification scheme
6b Only retain information/records that are required for operational, legal or historical purposes
6c Only process personal information which is required
6d Ensure the maximization of space usage within the Modern Records Centre
7 have effective safeguards in place to make sure information (including personal information) is kept appropriately secure and does not fall into the wrong hands;
7a Require approval from the Information Security Manager for all new systems
3
7b
Ensure approval from the Records Manager regarding Records Management processes for new processes
7c Complete an information security review for IT systems
7d Ensure that paper records containing personal data are kept secure
7e Provide differing levels of access to systems depending upon requirements
7f Produce and implement an Information Security Policy including (the use of portable media)
8 provide training to staff who handle personal information and treat it as a disciplinary matter if they misuse or don’t look after personal information in line with policy;
8a
Include an overview of Records Management and Information Security in induction training for all new members of staff
8b Provide optional data protection training for all members of staff, to include support for Guild staff
8c Treat it as a disciplinary matter if personal information is not appropriately treated put appropriate financial and human resources into Records Management and Information
9
Security to make sure we can live up to our responsibilities;
9a Provide a dedicated Information Security Team
9b Provide a dedicated Records Management Service (including responsibility for Data Protection)
9c
Regularly review resources dedicated to Records Management and Information Security in line with needs and priorities
10 regularly check that we are living up to our commitments and report on how we are doing.
10a Produce an annual report for senior management
10b Respond and investigate any complaints/concerns in a timely and efficient manner
10c Regularly review, update and renew our Notification with the Information Commissioner's Office
10d Audit/Review the use of personal data in existing systems
10e Audit/Review existing IT systems
10f Regularly review the RMS and its objectives
10g Review Records Management practices across the University
11 streamline and improve Records Management processes through the effective use of IT
Systems
11a Monitor developments in Electronic Records Management Systems
11b Promote the efficient management of Electronic Records
11c Advise on the requirements of a Electronic Records Management System
11d Support the introduction of a formal Electronic Records Management System
Note: purple highlighted actions are covered by the work of the Information Security Manager
4