Records Management Policy

RECORDS MANAGEMENT POLICY STATEMENT

Skills Development Scotland (SDS) will ensure the effective management of the information it holds and that any information classified as a record is accurate, complete, up-to date and secure and is managed and disposed of appropriately to meet all SDS statutory, regulatory, operational, administrative and accountability requirements. In particular the management of SDS information aims to meet the requirements of the Public Records (Scotland) Act 2011, the Freedom of Information (Scotland) Act 2002 (section 61 Code of Practice on Records Management) and the Data Protection Act 1998. The policy applies to all the information SDS holds and classified as records, including records in all formats received, created and maintained by SDS staff in the course of their work.

Document Control: Title Prepared By Reviewed By Signed off By Version Number Review Frequency Next Review Date

Records Management Policy PRSA Executive Head of Corporate Office Executive Leadership Group (ELG) 1.0 Annually February 2015

Version Control: Version

Date

Status

Prepared by

2

Reason for Amendment

Contents 1. INTRODUCTION AND CONTEXT ........................................................................ 4 2. PURPOSE............................................................................................................. 5 3. SCOPE ................................................................................................................. 5 4. DEFINITIONS ....................................................................................................... 5 5. PRINCIPLES AND GUIDELINES FOR GOOD RECORDS MANAGEMENT ........ 7 6. OBJECTIVES ....................................................................................................... 7 7. POLICY AUTHORISATION AND REVIEW ........................................................... 8 8. RECORDS LIFE CYCLE PROCESS .................................................................... 8 8.1 8.2 8.3 8.4

RECORDS CREATION .................................................................................... 8 RECORDS STORAGE ..................................................................................... 8 RECORDS MANAGEMENT .............................................................................. 8 RECORDS DISPOSAL .................................................................................... 8

9. RESPONSIBILITIES ............................................................................................. 9 9.1 9.2 9.3 9.4 9.5 9.6

EXECUTIVE LEADERSHIP GROUP/ CHIEF EXECUTIVE ...................................... 9 INFORMATION GOVERNANCE LEADERSHIP GROUP ......................................... 9 CORPORATE OFFICE .................................................................................... 9 HEADS OF SERVICE/ INFORMATION ASSET OWNERS ..................................... 9 RECORDS MANAGEMENT CHAMPIONS .......................................................... 9 SDS STAFF .................................................................................................. 9

10. LEGISLATION & ASSOCIATED POLICIES ..................................................... 10 10.1

LEGISLATION ............................................................................................................. 10

10.2

SDS POLICIES & STRATEGIES .................................................................... 10

11. MONITORING AND REVIEW ........................................................................... 10

3

1. Introduction and context Information is every organisation's most basic and essential asset, and in common with any other business asset, recorded information requires effective management. Records management ensures information is appropriately classified and can be accessed easily, can be destroyed appropriately when no longer needed, and enables organisations not only to function on a day to day basis, but also to fulfil legal and financial requirements. This policy governs the management of all information classified as records in all formats that are received, created and maintained by SDS staff in the course of their work. In addition to being sound business practice legislation is increasingly underlining the importance of good records management. Compliance with Freedom of Information and Data Protection legislation is underpinned by effective records management: without properly organised and retrievable records, requests for information governed by statutory response timescales would be impossible to service. The Public Records (Scotland) Act 2011 received Royal Assent on 20 April 2011. It is the first new public records legislation in Scotland for over 70 years. The Act will affect Skills Development Scotland and named public authorities in Scotland including local authorities, NHS, police and courts, as well as the Scottish Government and Scottish Parliament. They are now obliged to prepare and implement a records management plan (RMP) which sets out proper arrangements for the management of their records. RMPs will be agreed with the Keeper and should be regularly reviewed. Where authorities fail to meet their obligations under the Act, the Keeper has powers to undertake records management reviews and issue action notices for improvement. The Act has raised the profile of records management across the public sector in Scotland and will lead to the introduction of improvements and efficiencies in public record keeping. As well as increasing business efficiency and effectiveness, and thereby helping organisations to respond better to their users needs, good records management also helps authorities to better monitor public services, maintain accurate records of the circumstances and experiences of individuals, and safeguard the records of vulnerable people. SDS works with a wide range of national and local partners to improve, align and integrate our services for customers. Our records support decision making, document activities, provide evidence of policies, decisions and transactions, and fundamentally underpin the daily work of the organisation. SDS recognises the key role of effective management of its records in order to be able to support these functions and deliver its core services. The benefits of records management Systematic management of records allows organisations to:         

know what records they have, and locate them easily increase efficiency and effectiveness make savings in administration costs, both in staff time and storage support decision making be accountable achieve business objectives and targets provide continuity in the event of a disaster meet legislative and regulatory requirements, particularly as laid down by the Freedom of Information (Scotland) Act and the Data Protection Act protect the interests of employees, clients and stakeholders

4

Records management offers tangible benefits to organisations, from economic good practice in reducing storage costs of documents, to enabling legislative requirements to be met. An unmanaged record system makes the performance of duties more difficult, costs organisations time, money and resources, and makes them vulnerable to security breaches, prosecution and embarrassment. In an unmanaged records environment, up to 10% of staff time is spent looking for information.1 2. Purpose The purpose of this policy is to establish the framework for SDS’ records management procedures and practices and inform staff of their obligations when creating, managing and disposing of records. 3. Scope This policy will create a framework to ensure the efficient management of records and to enable SDS to deliver compliance with the Public Records (Scotland) Act 2011 (PRSA), the Freedom of Information (Scotland) Act 2002 (FOISA) and the Data Protection Act 1998 (DPA). The policy also sets out elements of best practice for creating, using, retaining and disposing of records. It is intended that SDS move within an agreed timeframe from, as a minimum, ensuring compliance with all applicable legislative requirements towards demonstrating good and best practice in its records management, as part of SDS’s commitment to organisational excellence. The policy applies to all records in all formats received, created, and maintained by all staff in SDS in the course of their work and provides an explicit organisational commitment to the effective management of SDS records and associated information management functions. The policy applies to all staff, whether part-time, full-time, permanent, a contractor, temporary or seconded. 4. Definitions Record: Records are defined in the Code of Practice on Records Management 2 as follows: ‘Information created, received and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of the business’. This definition is taken from the British Standard dealing with records management, BS ISO 15489, published in 2000. An initial point to make is that records can be in any format. As the Code says (at paragraph 2 of Part 1): ‘The code applies to all records irrespective of the technology used to create and store then or the type of information they contain. It includes, therefore, not only paper files series and digital records management systems but also business and information systems and the contents of websites’. Recorded Information vs. Record In records management it is important to be clear about the difference between recorded information and a record. 1

As published on National Records of Scotland website.

2

Revised Code of Practice on Records Management issued in July 2009 by the Lord Chancellor under section 46 of the Freedom of Information Act 2000.

5

Recorded Information is any piece of information in any form, produced or received by an organisation or person. It can include databases, website, email messages, word and excel files, letters, video, audio and memos. Some of this information will be ephemeral or of very short-term value and should never end up in a records management system (e.g. invitations to lunch, travel arrangements etc). Some information, classified as records, will need to be kept as evidence of business transactions, routine activities or as a result of legal obligations, such as policy documents. These should be placed into an official filing system and at this point, they become official records. In other words, all records start off as recorded information, but not all recorded information will ultimately become records. Information Asset: An information asset is a specific body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively. Information assets have recognisable and manageable value, risk content and lifecycles. Information Asset Owner: The role was created following the Government’s Review of Data Handling in Government (DHR) in June 2008, which also established mandatory minimum measures for personal data handling in Government. Although it was created out of the Data Handling Review, which initially focused on personal data handling, the role is equally important for any information classified as a record or sensitive that is processed by SDS, whether or not it includes personal information. The IAO manages the information assets to comply with statutory obligations [(such as the Public Records (Scotland) Act 2011, the Freedom of Information (Scotland) Act 2002 and the Data Protection Act 1998. Vital Records: Vital Records are a subset of information classified as records without which SDS could not continue to function and which are deemed essential for purposes of business continuity Records Management: The field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposal of recorded information and the classification and management of information classified as records. This includes the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of that information classified as records (ISO 15489). Retention Policy and Schedules: Policy and actions for the management of information through its life cycle and the rules for destruction or archiving of the information and records in a particular class determined on the basis of administrative, legal and audit needs. Disposal Policy and Arrangements: Policy and final action on a series of records e.g. destruction or preservation for a specified period.

6

5. Principles and features of good records management: The guiding principle of records management is to ensure that information is available when and where it is needed, in an organised and efficient manner, and in a well maintained environment. Organisations must ensure that information classified as records are: Authentic It must be possible to prove that records are what they purport to be and who created them, by keeping a record of their management through time. Where information is later added to an existing document within a record, the added information must be signed and dated. With electronic records, changes and additions must be identifiable through audit trails. Accurate Records must accurately reflect the transactions that they document. Accessible Records must be readily available when needed. Complete Records must be sufficient in content, context and structure to reconstruct the relevant activities and transactions that they document. Comprehensive Records must document the complete range of an organisation's business. Compliant Records must comply with any record keeping requirements resulting from legislation, audit rules and other relevant regulations. Effective Records must be maintained for specific purposes and the information contained in them must meet those purposes. Records will be identified and linked to the business process to which they are related. Secure Records must be securely maintained to prevent unauthorised access, alteration, damage or removal. They must be stored in a secure environment, the degree of security reflecting the sensitivity and importance of the contents. Where records are migrated across changes in technology, the evidence preserved must remain authentic and accurate. 6. Objectives: As all SDS staff are involved in the creation, receipt, management and disposal of SDS information and records, it is important that everyone is aware of their records management responsibilities and the importance of records management for achieving SDS business objectives, delivering efficient and effective business practices and meeting external requirements. Systematic records management is fundamental to the operation of the organisation and this policy will ensure responsibilities are allocated in relation to the information that staff produce and handle. SDS must meet statutory and regulatory requirements in the management of its operational and administrative information. Consistent application of records management practices will ensure SDS’ records are accurate, up-to-date, complete and secure and are managed and disposed of appropriately. This policy and supporting procedural; guidance will also ensure that all members of staff understand what their responsibilities are in relation to the information they produce and handle.

7

7. Policy Authorisation and Review This policy will be considered for approval by the Executive Leadership Group (ELG) and will be reviewed annually or more frequently as circumstances require. 8. Records Life Cycle Process SDS will manage its records effectively and efficiently to support all of its business activities in line with the SDS strategy and to meet statutory and regulatory requirements. SDS will provide records management guidance to all units/ staff and ensure all staff understand their responsibilities. Information classified as records should be clearly identifiable, accessible and retrievable. Their content should correctly and completely reflect what was communicated, decided or done. Records systems should be secure and their creation, management, storage and disposal should comply with the current legislation. 8.1 Records Creation Records are created daily as an indispensable part of SDS functions and services. They should be managed appropriately to the business activity of SDS and according to all related policies and procedures. 8.2 Records storage Records should be stored in a consistent order and be protected appropriately. Records storage areas should provide a safe working environment with secure storage that allows records to be retrieved at all times. These areas should only be accessible to authorised staff. Records should not be moved without authorisation. Electronic records stored on the network drives should be stored in the relevant structure to which the record relates and kept with other related records. Records should not be solely stored in personal email folders. In the future, records should be stored in accordance with the SDS’ agreed classification scheme and this will allow both physical and electronic records to follow a common structure. 8.3 Records management Managing information and maintaining proper records is vital to SDS. SDS has a number of business critical information systems e.g. CSS, CTS, Agresso etc. These are designated as key information assets. Each information asset system should have explicitly defined procedures for the ongoing management of the record from initiation to final disposal in accordance with current legislation, policies and procedures. 8.4 Records disposal Records should be disposed of according to SDS’ disposal policy and arrangements. They should not be disposed of before the time the retention schedule stipulates or retained longer than is agreed. Before records are destroyed, staff should ensure that there are no enquires for information outstanding, related to that record. Where a record does not have a specified retention schedule, staff should endeavour to establish good practice retention for this type of record and seek relevant approvals for this to become part of SDS’s retention schedule. Any temporary information, which is not classified as a record, should be disposed of as soon as it is no longer required.

8

9. Responsibilities 9.1 Executive Leadership Group/ Chief Executive The Executive Leadership Group (ELG) collectively, headed by the Chief Executive as Accountable Officer, has overall accountability for approving SDS Records Management Policy and Procedures and for ensuring their application throughout the organisation. 9.2 Information Governance Leadership Group Cross-directorate governance oversight for records management sits within the Information Governance Leadership Group (IGLG). IGLG will receive regular reports on records management implementation, compliance and practice improvement. 9.3 Corporate Office Management responsibility for coordinating records management policy and procedures and promoting, monitoring and reporting compliance with the policy lies with Corporate Office. This may include reviews and audits of records and developing and promoting good practice and procedures with all staff. 9.4 Heads of Service/ Information Asset Owners Heads of Service are responsible at local business levels for ensuring compliance with the records management policy and should encourage good records management practice. Heads of Service have been identified, trained and guided to take ownership of information assets so that all business critical information assets have clear ownership. Information asset owners are responsible for ensuring the availability and integrity of information made available to staff through the supporting business processes. An Information Asset Owner (IAO) is a mandated role, the individuals appointed as IAOs are responsible for ensuring that specific information assets are handled and managed appropriately. This means making sure that information assets are properly protected and that their value to Skills Development Scotland is fully exploited. IAOs can delegate responsibility to particular areas that can support them in their role but the IAO retains accountability for proper information management and handling. 9.5 Records Management Champions Designated Records Management Champions (RMCs) will be responsible at planning unit level for promoting and supporting operational implementation of records management policy and practice across SDS. They will also be responsible (with support from IGLG, Corporate Office and Heads of Service) for associated training, development and ongoing support of staff. 9.6 SDS Staff All staff within SDS have responsibility for all records that they use, manage, receive and dispose of and should ensure they follow the records management policy. They must ensure that all records are managed and disposed of according to all relevant SDS policies and should ensure that information is up to date and accurate. They must ensure that all records are managed in accordance with SDS’ Retention schedule and information classification and handling policy.

9

10. Legislation and Associated Policies 10.1 Legislation: Relevant statutory obligations are set out in the following pieces of legislation:  Data Protection Act 1998  Freedom of Information (Scotland) Act 2002  Public Records (Scotland) Act 2011 10.2 SDS Policies and Strategies: The following SDS strategies and policies are relevant to effective records management:         

Client Confidentiality Policy Data Protection Policy Freedom of Information Policy Information Assurance Strategy Information Classification and Handling Policy Information Technology and Systems Usage Policy SDS Information Charter (published on the corporate website) Social Media Policy Retention and Disposal Policy and Schedule

11. Monitoring and Review SDS’ Records Management Policy will be reviewed at least annually and updated whenever organisational or procedural changes take place that affect the information contained in the policy.

10