CSU RECORDS MANAGEMENT PROGRAM
RECORDS MANAGEMENT SELF-ASSESSMENT TOOL [1]

INTRODUCTION

Purpose: The purpose of self-assessment is to measure how well your business unit is managing its records and to identify areas for improvement which can feed into your Records Management Plan. Additionally, it assists the University Records Manager in identifying common areas for improvement which can be used to develop strategies to help improve records management practices on a University-wide basis.

Responsibility: Business units are required to complete this self-assessment in line with the self-assessment schedule, and incorporate any identified areas for improvement into their Records Management Plan.

INSTRUCTIONS

Step 1: Complete this coversheet.

Step 2: Respond to the questions in the following sections. Answers must accurately reflect the situation in your business unit. This will help identify what is being done well and areas for improvement. Complete all questions. N/A options are only available for some questions.

Step 3: Your response to a question may indicate that action is required. Remedial action should be fed into your Records Management Plan. Proposed remedial actions are listed as part of each question and further advice on suitable actions can also be sought from the University Records Manager.

Step 4: A copy of the completed assessment is to be emailed to the University Records Manager for their information (smcmenamin@csu.edu.au).
BUSINESS UNIT DETAILS

Date of self-assessment:
Name of business unit:
Name of Faculty (if applicable):

In completing and lodging this assessment, the business unit acknowledges that the assessment is an accurate reflection of the records management practices in their business unit.

Head of Area
Name:
Ext:

Details of person completing the self-assessment
Name:
Ext:
Email:
Position:

[1] Reproduced and adapted for CSU with permission of University of Technology, Sydney

University Records and Compliance 2015 Division of Information Technology – Enterprise Architecture Page 1 of 19

Records Management Self-Assessment Tool
ENTER SCHOOL/DIVISION NAME

1 Responsibilities and Delegations

1.1
Requirement: All staff must be aware of their responsibilities to manage records, your recordkeeping system and recordkeeping procedures, including how to create and manage files, and retention and destruction responsibilities.
Question: Are ALL staff within your business unit aware of their recordkeeping responsibilities, your recordkeeping system, and records procedures?
Response: Yes / No (action required)
Possible remedial actions:
- Brief staff in local staff meetings and remind them of their responsibilities.
- Ensure all new staff are advised of their records management responsibilities.
- Include records management requirements in local procedures.
- Requirements for staff awareness need to be included in the Communication Plan component of your business unit’s Records Management Plan (see section 2).

1.2
Requirement: Records management responsibilities need to be formally assigned to staff to ensure records activities are undertaken.
Question: Have your staff been formally delegated records responsibilities?
Response: Yes / No (action required)
Possible remedial actions:
- Include delegations in the Work Plans or PDs of staff.

1.3
Requirement: Business units are required to review staff responsibilities and provide details of training as part of this self-assessment.
Complete Section A of Attachment One.
2. Planning

2.1
Requirement: All business units must develop a Records Management Plan (or be covered by a broader Plan at a Faculty or Unit level). This plan includes:
- areas for improvement identified in self-assessments and risk assessments.
- regular actions such as archiving, destruction, training, and self-assessment.
- new records management projects.
Question: Does your business unit have a CURRENT Records Management Plan?
Response: Yes / No (action required)
Possible remedial actions:
- Create a Records Management Plan by completing this Self-assessment Tool and the Records Storage Risk Assessment Tool (see also section 6).
- Remedial actions included in these tools and the Records Management Plan template can assist in the development of your Records Management Plan.

2.2
Requirement: To ensure staff awareness of their recordkeeping responsibilities, business units must include a Communication Plan as part of their business unit’s Records Management Plan. This will detail strategies for communicating requirements to staff and maintaining their awareness.
Question: Does your business unit have a CURRENT Communication Plan for records management, either separate or as part of your Records Management Plan?
Response: Yes / No (action required)
Possible remedial actions:
- Include a Communications Plan as part of your Records Management Plan (see section 2.1).
- The University’s Records Management Plan template can assist in the development of your Records Management Plan.

2.3
Requirement: Business units are required to identify records that relate to their business processes and provide a summary as part of this self-assessment.
Complete Section B of Attachment One.
3 Creation of Corporate Files

** Note: network / shared drives and email accounts are NOT compliant recordkeeping systems.

Please enter name of system/s used by your business unit: ___________________________________________________________________

3.1
Requirement: Corporate files must be created to document the business activities:
- of your business unit,
- you undertake on behalf of another business unit, and/or
- you undertake on behalf of the University as a whole.
Question: Are corporate files created to hold the documents relating to the activities of your business unit?
Response: Yes / No (action required) / N/A*
* Note: Corporate files may not need to be kept by your business unit if they are already created and kept officially by another business unit.
Possible remedial actions:
- Identify any records held by your business unit and assess whether they should be corporate files.
- Ensure staff are aware of their responsibilities regarding file creation and that they are trained to facilitate file creation (see section 1).
- Include the requirement for corporate file creation in local procedures as appropriate.

3.2
Requirement: Files must be created as close to the commencement of an activity as practicable. It is not appropriate to leave file creation until the end of an activity. This prevents the ability to manage and locate records and can result in forgetting to put records into the system.
Question: Are ALL corporate files created at, or closely following, the commencement of a new issue or business activity?
Response: Yes / No (action required) / N/A*
Possible remedial actions:
- Ensure staff are aware of their responsibilities regarding file creation and that they are trained to facilitate file creation (see section 1).
- Include the requirement for corporate file creation in local procedures as appropriate.
3.3
Requirement: To create a corporate file it must be registered in an approved digital recordkeeping system accurately and in a consistent manner. This facilitates file management and retrieval. It assists in identifying a file’s location, who can access it, and future archiving and records destruction activities.
Question: Are ALL corporate files (and individual file parts, where required) registered consistently and accurately?
Response: Yes / No (action required) / N/A*
Possible remedial actions:
- Ensure staff are aware of their responsibilities for file creation and that they are trained to facilitate file creation (see section 1).
- Ensure staff are trained in the use of the digital recordkeeping system.
- Include the requirement for corporate file creation in local procedures as appropriate.
- Register any un-registered corporate files.

4. Filing Documents

** Note: network / shared drives and email accounts are NOT compliant digital recordkeeping systems.

4.1
Requirement: Documents that relate to business activities and are required to explain what happened, or provide evidence of decisions, advice, etc, must be filed onto corporate files, and not kept loose in desks, drawers or on unofficial files.
Question: Are all relevant corporate documents in your business unit filed onto official files in a consistent and timely manner?
Response: Yes / No (action required) / N/A*
Possible remedial actions:
- Ensure staff are aware of their responsibilities for filing documents on corporate files (see section 1).
- Include the requirement for capture of documents onto corporate files in local procedures as appropriate (this may detail what documents are required to be created and captured).
- Ensure corporate files are created in a timely manner (see section 2).

4.2
Requirement: Not all corporate records are hardcopy/paper documents. Some are “born digital” such as emails, Word and Excel documents etc. Email folders, hard drives, and shared network drives are NOT recordkeeping systems. Any emails and other electronic documents that relate to activities and explain what happened, or provide evidence of decisions, advice, etc. must be filed into a compliant recordkeeping system.
Question: Are all relevant official electronic documents, including email, captured into a compliant recordkeeping system?
Response: Yes / No (action required) / N/A*
Possible remedial actions:
- Ensure staff are aware of their responsibilities for capturing relevant electronic documents and email into compliant recordkeeping systems (see section 1).
- Establish protocols for the use and management of local hard drives and network drives to better manage locally stored information and recordkeeping requirements.

4.3
Requirement: Areas should be maintaining full and accurate records of their business activities. Sometimes this necessitates the creation of records to document verbal advice and decision making processes. Verbal decisions may be documented through minutes and file notes (hand-written or typed), or via email confirmations.
Question: Does your business unit capture all relevant decisions and advice provided or received verbally for capture into a compliant recordkeeping system?
Response: Yes / No (action required) / N/A*
Possible remedial actions:
- Ensure staff are aware of their responsibilities for documenting verbal decision-making activities (see section 1).
- Include the requirement for capture of verbal decisions relating to specific business activities and processes in local procedures as appropriate (this may detail what decisions need to be documented).
- Provide staff with file note templates to encourage capture of verbal decisions.

5. Managing Physical Files

* An N/A response to the questions in section 5 can only apply if your business unit uses a compliant digital recordkeeping system to capture and manage ALL official records in a digital environment. If some physical / hard-copy records exist, a Yes or No response is required.

Note: network / shared drives and email accounts are NOT compliant digital recordkeeping systems.

5.1
Requirement: It is important that business units know where their official records are located to ensure:
- files can be accessed quickly,
- files are accessed by the appropriate people, and
- files are not lost.
Question: Are the locations of your files recorded appropriately when they move between staff or storage areas?
Response: Yes / No (action required) / N/A*
Possible remedial actions:
- Put in place a local procedure for tracking file locations.
- Ensure file locations are accurate and up-to-date.

5.2
Requirement: Even where file locations are tracked, care needs to be taken to ensure files are not lost in the process of their use and that they are returned when no longer required.
Question: Are records regularly being lost or misplaced when borrowed by staff?
Response: Yes (action required) / No / N/A*
Possible remedial actions:
- See remedial actions section under 5.1.
- Follow up with staff who have borrowed files and not returned them within an agreed timeframe.
- Check on the location of files on a yearly basis to ensure locations are up-to-date.
- Mark any file that can’t be located as “missing”.
- Where staff are leaving the employment of your business unit, ensure all files are returned before they leave.
REQUIREMENT QUESTION 5.3 Your records should be considered in relation to any relocation plans. This includes: Are parts of, or your entire business unit, moving before your next scheduled selfassessment? - file storage in your new location, - preliminary archive work, - managing the transfer during the move, and - updating of file locations in the recordkeeping system where required. University Records and Compliance 2015 Division of Information Technology – Enterprise Architecture RESPONSE Yes (action required) POSSIBLE REMEDIAL ACTIONS - Plan the management of your records during the move. - Ensure official records are not thrown out as part of the pre-move cleanup without the appropriate records destruction authorisation. - Keep a record of which boxes contain official files and check immediately upon relocation that boxes have not been lost. - Update file location details in the recordkeeping system after a move. No Page 9 of 19 Records Management Self-Assessment Tool ENTER SCHOOL/DIVISION NAME NO. 6 6.1 REQUIREMENT It is important that locations used for records storage are appropriate for that purpose. Risks can change over time. It is necessary to undertake your risk assessment in line with your selfassessments. Where a business unit uses a local or other storage location for storage of closed / archived files: - - 6.3 RESPONSE POSSIBLE REMEDIAL ACTIONS Storage of Records As part of the University’s Risk Management and Disaster Recovery Plan for Records and Recordkeeping Systems, business units are required to complete the Records Storage Risk Assessment Tool. 6.2 QUESTION a risk assessment of the location must be completed using the Records Storage Risk Assessment Tool; and the location must be approved by the University Records Manager. Business units are required to identify the storage areas used to store their records. 
Has your business unit completed a risk assessment on the location used to store your current records in line with your business unit’s self-assessment schedule? Yes - Complete the Records Storage Risk Assessment Tool for the area you store your current records (one assessment can be completed to cover your whole office area where files are stored in one larger business unit location). - Complete the Records Storage Risk Assessment Tool for each separate storage location. No (action required) Note: this refers to those records which are still in use by your area and which may be kept in your office. A separate question will cover local archival storage. Has your business unit completed a records storage risk assessment on each separate local or remote location used to store your archived records? Yes No (action required) N/A* *If you have no such locations, select N/A. Note: this does not include the use of University Archives Centre. If yes to Q.6.3, complete Section C in Attachment One. University Records and Compliance 2015 Division of Information Technology – Enterprise Architecture Page 10 of 19 Records Management Self-Assessment Tool ENTER SCHOOL/DIVISION NAME NO. 7. 7.1 7.2 7.3 REQUIREMENT QUESTION RESPONSE POSSIBLE REMEDIAL ACTIONS Security – Access and Confidentiality Records held by your business unit must be secure from unauthorised access. This applies to official and unofficial records. Are all physical / hard-copy records secure from unauthorised access? Confidential records have a higher level of security than standard files and should be stored in locked cabinets when not in use. Confidential records include, but are not limited to, records which are legal or commercial in confidence, or records containing personal information. Are all physical / hard-copy confidential records stored in a locked drawer / room when not in use? HP TRIM is the control system for your business unit’s records. 
Individual HP TRIM users are responsible for ensuring unauthorised staff do not access HP TRIM via their login. Is access to HP TRIM in your area limited to authorised HP TRIM users? University Records and Compliance 2015 Division of Information Technology – Enterprise Architecture Yes - If your business unit is open to the public, ensure adequate measures are in place to protect files from unauthorised access or theft. This may be through limiting public access to your office areas or securing files within the areas. - Keep confidential files in locked and secure areas. Ensure they can only be accessed by authorised staff. - Ensure HP TRIM users are appropriately trained. - Users of HP TRIM should be required to lock their workstations when not at their desks. This is essential if working in an open office or publicly accessible business unit. No (action required) Note: this applies to corporate records and duplicates/copies. Yes No (action required) N/A* *If you have no confidential records, select N/A. Note: this applies to corporate records and duplicates/copies. *If you have no HP TRIM users in your area, select N/A. Yes No (action required) N/A* Page 11 of 19 Records Management Self-Assessment Tool ENTER SCHOOL/DIVISION NAME NO. REQUIREMENT QUESTION 7.4 To comply with privacy and confidentiality requirements, confidential documents, including any document containing personal information, must be disposed of securely. Locked security bins or shredders must be used, not garbage bins or recycling bins. Are all confidential records, whether official or unofficial, physical / hard-copy or digital, disposed of in a confidential manner? 7.5 Some university staff have access to personal information relating to students and / or other individuals. Staff must be aware of their obligations in relation to privacy and general confidentiality to ensure they manage these records appropriately. 
All business units will hold some personal information, even if they are not involved in the management of students, such as local staff files, recruitment information etc. University Records and Compliance 2015 Division of Information Technology – Enterprise Architecture RESPONSE Yes POSSIBLE REMEDIAL ACTIONS - Ensure staff are aware of their obligations relating to destruction of confidential documents, such as use of shredders or locked security bins. - If your business unit does not have access to a secure method of destruction, contact the University Records Manager regarding a locked security bin. - Ensure any electronic media, such as computers, USB, or other digital devices are adequately wiped - Consult with the University Records Manager regarding the confidential destruction of any other media, such as CDs, video tapes etc. - Include privacy and confidentiality responsibilities in local procedures. - Ensure staff are reminded regularly of their obligations. No (action required) N/A* *If you have no confidential records, select N/A. Are staff within your business unit aware of their obligations in relation to privacy and confidentiality of information? Yes No (action required) Page 12 of 19 Records Management Self-Assessment Tool ENTER SCHOOL/DIVISION NAME NO. REQUIREMENT 8 Digital Recordkeeping Systems 8.1 Any database or digital system that creates and/or stores official records must be an approved digital recordkeeping system. Such systems have certain requirements for data, security, longevity of the information contained within, and migration practices. Does your business unit capture records using a digital system in lieu of putting those records into HP TRIM? Yes (continue at Q8.2) Business units who are responsible for digital systems used to store official records are responsible for ensuring they are compliant systems. Systems need to be assessed to identify if they hold official records, and if they do, whether they are compliant. 
Is your business unit responsible for managing the digital system in question (i.e. the system owner/process owner)? Yes (continue at Q.8.3) 8.2 QUESTION RESPONSE POSSIBLE REMEDIAL ACTIONS No (go to Q.9) No (go to Q.9) N/A* (go to Q.9) *If you responded No to Q.8.1, select N/a. Note: network / shared drives and email accounts are NOT compliant digital recordkeeping systems. 8.3 Business units are required to identify digital systems where they are responsible for the content. If yes to Q.8.2, complete Section D in Attachment One. University Records and Compliance 2015 Division of Information Technology – Enterprise Architecture Page 13 of 19 Records Management Self-Assessment Tool ENTER SCHOOL/DIVISION NAME NO. REQUIREMENT 9. Archiving and Destruction 9.1 It is important that business units have control of all their records, whether official or unofficial, or whether created by them or inherited from predecessor business units or staff. Does your business unit have any records where: Areas need to know what records they hold and those records need to be appropriately managed and not dumped in local storage areas. 2) no-one is responsible for maintaining them, inc. access, archiving, destruction etc. 9.2 9.3 QUESTION RESPONSE Yes (action required) POSSIBLE REMEDIAL ACTIONS - A project will need to be established by your business unit to resource the cleanup work. This will involve identifying the records, and identifying whether they are still required and organising their appropriate management, or identifying whether they can be destroyed and organising the appropriate approvals and destruction. The University Records Manager can provide advice on each particular case. - Include a cleanup project in your business unit’s Records Management Plan. - Newer areas may not be ready to destroy records. 
However, if you are simply storing them indefinitely this can be an issue, in particular in relation to space and responsibilities in relation to privacy of personal information. Action may be required to assess how long the records should be retained and organising the appropriate destruction. - Ensure staff are aware of their responsibilities in relation to the appropriate destruction of records. - Include the requirement for records destruction and appropriate authorisation in local procedures as appropriate. No 1) the type of records and their contents are a mystery as they were inherited; AND/OR When destroying corporate records, there are certain retention requirements that need to be satisfied. As such, destruction of ALL corporate records, whether hard-copy or digital, MUST be authorised through the completion of a Records Destruction Authorisation Form. Has your business unit destroyed official records in the past? Yes Destruction of corporate records should be an ongoing process. However it must be appropriately authorised to ensure retention requirements, and CSU’s administrative, legal, financial needs are satisfied. Does your business unit appropriately authorise the destruction of all official records by completing a Records Destruction Authorisation form? Yes No (action required) No (action required) N/A *If your response to Q.9.2 was No, select N/A. University Records and Compliance 2015 Division of Information Technology – Enterprise Architecture Page 14 of 19 Records Management Self-Assessment Tool ENTER SCHOOL/DIVISION NAME NO. REQUIREMENT QUESTION 10 Risk Management and Disaster Prevention 10.1 Business units are required to create and maintain a “Records Recovery Priority List” for their business unit to assist in prioritising the recovering of records in the event of a disaster. Does your business unit have a Records Recovery Priority List? 
RESPONSE Yes No (action required) POSSIBLE REMEDIAL ACTIONS - Assess the types of records your business unit holds, where they are located, and create a brief priority list. It is best this list be retained off-site with key personnel and kept up to date (these details were requested under Q.2.2). This is part of the University’s Risk Management and Disaster Recovery Plan for Records and Recordkeeping Systems. End of the assessment. Please complete the sections in Attachment One where directed in the above assessment. University Records and Compliance 2015 Division of Information Technology – Enterprise Architecture Page 15 of 19 Records Management Self-Assessment Tool – Attachment One A. Records Contact Details (referred to in section 1.3) Attachment One Please specify your business unit’s Records Contacts and the level of records training undertaken. Records Contact role Contact Details Secondary Records Delegate 1. Definition: The senior staff member in your business unit responsible overall for records management. Local Records Delegate/s Definition: The staff in your business unit delegated responsibility for file creation, registration, archiving, & destruction activities. [List all Local Records Contacts. Add more rows if required]. Mandatory Training * Position: Records Delegate training session or refresher training session within the past 3 years. Phone: Archiving and Disposal Workshop Name: Records Awareness Session HP TRIM Training Email address: 1. Name: Records Awareness Session Position: Records Delegate training session or refresher training session within the past 3 years. Phone: Email address: 2. Additional Training HP TRIM Training Name: Records Awareness Session Position: Records Delegate training session or refresher training session within the past 3 years. 
Phone: Email address: Archiving and Disposal Workshop Archiving and Disposal Workshop HP TRIM Training * Remedial Actions Where Mandatory Training Has Not Been Undertaken If Records Delegates have NOT completed the required mandatory training required for their role, liaise with the University Records Manager to book the required training. University Records and Compliance 2015 Division of Information Technology – Enterprise Architecture Page 16 of 19 Records Management Self-Assessment Tool – Attachment One B. Activities of your business unit and records generated (referred to in section 2.3) Attachment One Please specify the type of activities your area undertake, and provide information relating to the records generated and recovery priorities*. Add additional rows if required. Only For Records Held By Your Business Unit Activity Summary of Records Generated Where is the Official Record Kept? Priority For Disaster Recovery Specify On A Scale From 1=High to 3=Low 1 1 2 3 2 1 2 3 3 1 2 3 4 1 2 3 5 1 2 3 6 1 2 3 7 1 2 3 8 1 2 3 9 1 2 3 10 1 2 3 * A Records Recovery Priority List is a list prioritising records from the most important to less important, and where they are kept. This list will assist in planning an effective and efficient response to a disaster situation. A Records Recovery Priority list can be developed separately from this self-assessment. This may be required by business units with complex records, or where business units store records on the behalf of others. University Records and Compliance 2015 Division of Information Technology – Enterprise Architecture Page 17 of 19 Records Management Self-Assessment Tool – Attachment One C. Archival Storage Locations (Complete only if you answered Yes to question 6.2) Attachment One Provide details of storage locations used by your business unit to store records. Add additional rows if required. Campus / Building / Room Number Owner / Responsible Area For The Location 1. 2. 3. 
Question Response Has the location been approved for records storage? Yes Has the location been approved for records storage? Yes Has the location been approved for records storage? Yes No* No* No* * Remedial Actions for a No Responses If your records storage areas have not been approved: - Include remedial actions arising from the Records Storage Risk Assessment Tool in your business unit’s Records Management Plan. - Contact the Records Manager to discuss records storage issues and alternate storage options. University Records and Compliance 2015 Division of Information Technology – Enterprise Architecture Page 18 of 19 Records Management Self-Assessment Tool – Attachment One D. Digital Recordkeeping Systems (Complete only if you answered Yes to question 8.2) Attachment One Provide details for all information systems used to store official records that are the responsibility of / owner by your business unit. Add additional rows if required. System Name Summary of Purpose of the System/Records Held 1. 2. Question Response Has the system been assessed for digital recordkeeping compliance? Yes Has the system been approved as a compliant digital recordkeeping system? Yes Has the system been assessed for digital recordkeeping compliance? Yes Has the system been approved as a compliant digital recordkeeping system? Yes No* No* No* No* * Remedial Actions for a No Responses If your system has not been assessed for digital recordkeeping compliance: - Complete the Digital Recordkeeping Identification Tool. If your system is not a compliant digital recordkeeping system: - Undertake action to comply with the digital recordkeeping system requirements specified in the Digital Recordkeeping Identification Tool. University Records and Compliance 2015 Division of Information Technology – Enterprise Architecture Page 19 of 19