Records Management Policy Statement
advertisement
Records Management Policy Statement January 2011 Policy Overview and Scope Policy Aims Responsibility for Records Management Records Management Framework and Implementation Staff Training and Development Policy Review and Audit Contact Information 1.0 Policy Overview and Scope 1.1 The University of Gloucestershire is committed to creating, managing and disposing of its academic and non-academic records effectively in order to document its operations efficiently and openly, as well as meeting its legal obligations and community expectations 1.2 The Information Security Management System (ISMS) forms an integral part of the University’s ISO 27001 accreditation for Information Security. The standard provides a central focus for the institution’s approach towards the creation, filing, retrieval and disposal of its records. The policies are built on the premise that effective creation, control and disposal of records brings administrative and financial benefits to the University, while promoting good practice in complying with legal obligations, particularly those established by Data Protection and Freedom of Information legislation 1.3 The policies are formulated in accordance with the Code of Practice on the Management of Records, which is published under section 46 of the Freedom of Information Act 2000, the University’s Data Protection, Freedom of Information Policies and the University’s ISMS 1.4 The policies are based on the understanding that all University employees are responsible for creating and maintaining authentic and reliable records in relation to their work 1.5 Within the context of this policy statement, “records” refers to all documents created, received or maintained by the University in the course of carrying out its corporate functions. These documents may be held in electronic or hard copy format 2. Policy Aims 2.1 The policy provides a framework for managing the University’s records, and seeks to educate and assist staff across the institution in fulfilling their obligations and responsibilities in the important area of records management. It is built around a number of practical goals: UoG Records Management Policy 08/03/2016 1 Owner: Academic Registry Version 1 the creation and capturing of authentic and reliable records to demonstrate evidence of accountability and information about the University’s decisions and activities; secure maintenance and preservation of access to the records, as long as they are required to support University operations; confidential destruction of records as soon as they are no longer required; adherence to all legal obligations, specifically those established by the Data Protection Act 1998 and the Freedom of Information Act 2000; secure identification and archiving of records in-line with University Archives policy University-wide staff awareness of all records management and related issues. 3. Responsibility for Records Management 3.1 Academic Registry is responsible for the development and maintenance of records management policies and procedures. Central to this is the promotion, implementation, maintenance and monitoring of all records management activity, in consultation with relevant staff across the University 3.2 Responsibility for adherence to the policies (including the Data Protection and Freedom of Information obligations) as developed by Academic Registry, lies with the Heads of Department and Faculty Deans. Senior management responsibility for records management lies with the Vice-Chancellor 3.3 On the basis of the information and guidance provided by Academic Registry, staff are obliged to: understand and adhere to policies relevant to their work; ensure that records are held on the most appropriate medium for the task they perform; identify those records that are vital to the operation of the University, and ensure they are preserved appropriately; review periodically records that have been identified for permanent archive; and dispose of and/or destroy appropriately those records that have reached the end of their retention period. UoG Records Management Policy 08/03/2016 2 Owner: Academic Registry Version 1 4. Records Management Framework and Implementation 4.1 Each department will contribute to the development of a university Records Retention Schedule setting out how long documents produced by that department are retained, archived and destroyed. It is the responsibility of each department to apply the Retention Schedules to the documents produced by that department and oversee the archiving and destruction of the documents as indicated. 4.2 Each department will review the Retention Schedules annually to ensure that they remains current and appropriate and reflect the department’s activities accurately. 4.3 Academic Registry will facilitate the development and maintenance of Retention Schedules but it is the responsibility of the document-owning department to apply the schedules. 4.4 Each department nominates an individual with whom Academic Registry liaises on all matters relating to records management. Collectively, the group of nominees is known as the Records Management Network. 4.5 In liaison with Academic Registry, each department is responsible for ensuring it has effective manual and electronic filing systems that enable timely and efficient access to data upon request. 5. Staff Training and Development 5.1 Academic Registry produces and maintains relevant guidance for staff, all of which is published via the University of Gloucestershire Records Management webpages 5.2 Academic Registry provides and supports appropriate training and information for all members of staff. The training aims to provide employees with the skills and knowledge necessary for them to understand and adhere to the policies, and to raise awareness of the University’s legal obligations in this area. 5.3 The University’s new staff induction programme includes sections on Data Protection and Freedom of Information to ensure new staff understand the University’s legal obligations. 7. Contact Information Queries concerning any aspect of records management policy, including data protection and freedom of information, should be addressed in the first instance to Academic Registry. 8 Records Disposal Procedures UoG Records Management Policy 08/03/2016 3 Owner: Academic Registry Version 1 8.1 The University of Gloucestershire recognises the importance of destroying both paper and electronic records effectively in order to ensure compliance with its various legal obligations and to protect the security of the information in all parts of the University. Its fundamental aim is to ensure a rigorous and consistent approach to the secure destruction and disposal of such records. The policy recognises the difficulty in determining the level of confidentiality for any specific record. The established definitions of “confidential” and “highly confidential” material contained in the policy may not fit all, or every record in need of destruction. The policy is designed to provide a framework within which those involved in controlling destruction of records can operate. Individuals are able to use limited discretion when making the final decision on which category a particular record should fall into. 8.2 The effective destruction of records is an important part of the University’s approach towards protecting the security of the information in its possession. In particular, there are two specific legal obligations that require effective adherence to this policy: The provisions and principles of the Data Protection Act 1998 require the University to ensure that any record containing personal data, such as an individual’s name, address, or information relating to personal health, or financial or legal matters, is managed in a way that prevents the inadvertent disclosure or loss of information. In effect, this requires the University to destroy personal data under secure and confidential conditions. The provisions of the Freedom of Information Act 2000 require effective destruction of a record at the end of its lifecycle in accordance with the established Record Retention Schedule, to be able to guarantee that responses to requests for information made under the Act are lawful. 8.3 It is the individual responsibility of all staff to ensure information they are handling is destroyed effectively, securely and in accordance with this policy. Manual records that have reached the end of their lifecycle, either in accordance with the Records Retention Schedule or as usual paper waste, are divided into the following three categories, and are destroyed in accordance with the instructions relating to each category: Non-Confidential Information Confidential Information Highly Confidential Information 8.4 For Non-Confidential records and/or data, and those containing no personal information, hexagonal bins are provided for recycling purposes. All hexagonal recycle bins are emptied whenever necessary by campus administration, as necessary. As paper collected in the bins is only ever recycled and never shredded, it is the responsibility of all those placing material in the bins to check that it has been identified correctly for recycling. 8.5 Confidential information can be defined as records containing basic personal data, such as name, address, contact details, date of birth or similar. All confidential information must be shredded or disposed of in line with University procedures UoG Records Management Policy 08/03/2016 4 Owner: Academic Registry Version 1 Records marked as confidential may not be shredded immediately. Any record in need of immediate shredding must be treated as “highly confidential” (see below). 8.6 Any record containing data described below is treated as Highly Confidential material, as is any record in need of immediate destruction. A record is considered “highly confidential” if it contains the following material or similar, or is in need of immediate destruction: data relating to confidential financial activities of the University; data relating to policy decisions/future activities of the University; payroll and pension data; sensitive personal data, as defined by the Data Protection Act 1998, covering racial or ethnic origin, political opinions, religious beliefs, Trade Union activities, physical or mental health, sexuality, or details of criminal offences; higher level personal data, such as information relating to student/staff disciplinary proceedings or harassment; records containing “private” personal data, such as information relating to an individual’s home or family life, personal finances, or a personal reference; records of a commercially sensitive nature, such as contracts, tenders, purchasing and maintenance records, or legal documents; records concerning intellectual property rights, such as unpublished research data, draft papers, and manuscripts; records containing personal or sensitive data about research subjects. Anyone in doubt about which category to use is advised to contact Academic Registry. 8.7 Any Information already available in the public domain, for example via the University website, but which could fall potentially into a “confidential” or “highly confidential” category, such as decisions recorded in Council, Executive or Committee minutes, is not normally considered to be “confidential” or “highly confidential” material, unless otherwise stated. For records containing such information, destruction via the hexagonal recycling bins is adequate. UoG Records Management Policy 08/03/2016 5 Owner: Academic Registry Version 1 9 Policy Review and Audit In conjunction with relevant staff, Academic Registry undertakes to review the policies at least every three years, to help ensure compliance with government legislation and new developments within the HE sector. Academic Registrar January 2011 Further information Information Security Management System (ISMS) Information Related Policies & Strategies Freedom of Information Data Protection University Archives UoG Records Management Policy 08/03/2016 6 Owner: Academic Registry Version 1
