Records management policy
Contents
1. Introduction
This policy sits alongside the Data Protection Policy, Information Security Policy and Information Risk Management Policy to form a suite of policies that support an information governance framework.
As a higher education institution, Manchester Metropolitan University (the University) creates, receives and maintains large volumes of records and information to support its educational and research activities. University records and information are valuable corporate assets and vital sources of administrative, evidential and historical information, and the efficient management of records and information is essential to support the University’s core functions, strategic aims and legal obligations.
This policy sets out how records and information should be managed and handled in accordance with the British Standard ISO 15489-1:2016 and the Code of Practice on the Management of Records issued under section 46 the Freedom of Information Act 2000.
An appendix of relevant definitions, which will assist with understanding and interpretation of this policy is set out at Appendix A.
2. Objectives
The University’s core records management objectives are that:
- Records and information shall be appropriately managed throughout their record and information lifecycle, from the point of their creation, capture or receipt, through to active-use, inactive-use and then finally to disposal.
- We shall operate appropriate records management procedures and practices that conform to applicable legislative and accepted best practice requirements.
- There are clear and well-defined responsibilities and accountability for the management of University records and information.
- The University shall capture, retain and manage records as evidence to ensure that a clear and accurate account of its activities and transactions is retained in accordance with legal, regulatory, fiscal, operational and historical requirements.
- We shall ensure that information assets are appropriately identified, have clear owners and are logged within Information Asset Registers (IAR).
- We shall ensure that records and information are retained for as long as they are required and no longer, with appropriate retention periods specified by the University’s retention and disposal schedule.
- We shall identify, retain and preserve records with continuing historical value to the University.
- Our staff shall be appropriately trained in the application of this policy and related records management procedures.
3. Scope
This Policy applies to all records that are created, received or maintained by the University. This includes information created in the course of research, regardless of funding arrangements, in addition to any contractual and academic record keeping requirements.
This policy applies to records in all formats or media, including but not limited to physical and electronic forms, and covers all classifications of information including PUBLIC, INTERNAL and SENSITIVE as defined by the University’s Information Classification procedure.
4. Roles and responsibilities
Senior Information Risk Owner
The University shall appoint a Senior Information Risk Owner (SIRO) who assumes responsibility for information governance and data protection risk. The role of the SIRO is currently undertaken by the Chief Financial Officer. The SIRO is responsible for the approval of this policy.
Information Governance Board
The Information Governance Board is responsible for the strategic level implementation of the policy, oversight of compliance with the policy and reporting identified risks to the SIRO.
Information Asset Owner
Information Asset Owners (IAOs) are responsible for the management of records and information processed in their area. It is the responsibility of the identified Information Asset Owner to ensure that good recordkeeping practices are implemented and to ensure the accuracy, security and relevance of information assets that reside in University storage areas, whether physically or electronically. Please see the IAO terms of reference (Internal only) for a full list of responsibilities.
Information Asset Managers
Information Asset Managers (IAMs) hold local responsibility for records management within their teams and will assist their IAO in fulfilling their duties. Please see the IAM terms of reference (Internal only) for a full list of responsibilities.
Information Governance Board
As per the Information Governance Board (IG Board) TOR (Internal only), the IG Board is responsible for strategic level implementation of information governance policy and oversight of compliance with this policy. The Board shall be chaired by the SIRO and attended by a representative selection of the IAOs and leads from the areas of Data Protection, Freedom of Information, Information Security and Records Management.
Records Manager
The University’s Records Manager is responsible for drawing up guidance for good records management practice and promoting compliance with this policy in such a way as to ensure the practicable, appropriate and timely retrieval of information.
The Records Manager is responsible for liaising with Information Asset Owners and Managers, providing guidance, support and training to units and for monitoring standards.
All staff
All University personnel, including permanent staff, fixed term contractors and temporary workers must ensure that records for which they are responsible are accurate, appropriately secure, fit for purpose, accessible to those with a right to see them and maintained and disposed of in accordance the University’s retention and disposal schedule, this policy and records management guidance.
All Faculties and Departments
All Faculties and Departments are expected to promote and implement practices to ensure compliance with this policy and the retention and disposal schedule.
5. Benefits of good records management
Good records management provides the following benefits:
- Valuable records supporting the University’s activities as an educational and research institution will be controlled and stored appropriately.
- Records required by law, including for financial, health and safety and contractual reasons will be retained.
- The University will be able to demonstrate its compliance with data protection legislation and meet its obligations under the Freedom of Information Act 2000.
- The routine disposal of records and information in line with the University’s retention and disposal schedule reduces the impact of data breaches.
- Reduction and improvements to poor management of information and storage spaces will result in space and cost savings across the University.
- Records with continuing historical or archival value will be retained and preserved.
- Efficiency will increase, as information will be available to the people who need it, when they need it.
- Duplication of information will be reduced, enabling immediate identification of a single source of truth.
- Identification and classification of records will enable proportionate security controls to be put in place
6. Records Management Standards
The underlying principle of records management is to ensure that records and information are appropriately managed throughout their record and information lifecycle, from the point of their creation, capture or receipt, through to active-use, inactive-use and then finally to disposal.
The following records management standards provide a high-level framework for managing records and information throughout their lifecycle:
6.1 Definition, characteristics of a record
Business or personal information should be captured as records when they commit the organisation or an individual to action, render the organisation or an individual accountable, or document an action, a decision or a decision-making process.
The University must be able to rely upon and trust the records and information that it holds. To facilitate this, the University should strive to create, capture or receive authoritative records which possess the characteristics of authenticity, reliability, integrity and usability.
Items that do not constitute records should not be retained long-term in records systems and should be disposed of as soon as their immediate value expires.
6.2 Creation, use and storage of record
Records should be created, captured or received in a timely manner that is during, or shortly after, the event or transaction they relate to.
Records should be created, captured or received by individuals who have direct knowledge of the event or transaction that the records relate to, or where appropriate, by record systems utilised for these purposes.
Records and information should be suitably arranged and described in ways that clearly and consistently identify and explain their contents and ensure they can be located, retrieved, presented and interpreted in a timely manner as determined by business and legislative requirements.
Records and information should be grouped and managed as information assets. Information assets should be logged in Information Asset Registers (IAR) (Internal only), which must be kept relevant, updated and accurate.
Records must be stored in suitable records systems, storage environments, file formats and storage media to ensure they are protected from physical and electronic deterioration and obsolescence until their retention requirements are met.
The digital continuity and digital preservation risks facing records, systems, file formats and storage media should be understood and appropriately managed.
The migration or conversion of records between records systems and between different formats should be planned, documented and communicated to relevant stakeholders.
New and existing records systems should be periodically assessed to ensure they facilitate effective record and information lifecycle management in accordance with the University’s retention and disposal schedule and relevant records management functional requirements.
6.3 Access to and security of records
Records should be securely stored in records systems or locations designed to protect them from unauthorised access, alteration, loss and destruction. Security arrangements should be commensurate with the risk that would result from their loss or unauthorised access.
Access to records should be role-based, restricted and documented. Formal guidelines, specifying who is permitted access to records and in what circumstances, should be established within departments and teams.
Any changes made to University records should be authorised and suitably documented.
Processes should be established within departments and teams to ensure that records are not lost when staff leave the University or during restructuring and major organisational changes.
Records should be appropriately identified and classified to enable proportionate security controls to be put in place in accordance with the University’s Information Classification Procedure.
6.4 Keeping track of the location of records
The location of records should be tracked. This includes transfers between individuals or departments and the return of physical records to their ‘home’ location or storage.
The relocation of records between physical storage locations should be authorised, planned and documented.
The University should make reasonable efforts to recover contextual information for orphaned records and information.
6.5 Retention and disposal of records
All University records are subject to the retention and disposal schedule. The retention periods outlined in the retention and disposal schedule must be adhered to.
When records have met their retention requirements, they must be disposed of through secure destruction of the record or through transferring the record to an institutional archive.
Destruction should take place in an authorised, secure and systematic manner resulting in an auditable record of what has been destroyed. Records systems should be utilised to support the retention and disposal of records where possible.
Destruction of records must ensure that records are destroyed beyond any possible reconstruction. This applies to all copies of a record.
The retention and disposal schedule applies to the master copy of a record. Other convenience copies of a record can be destroyed once they are no longer required and should never be kept for longer than the retention period applicable to the master record.
All Information Assets must have defined and agreed retention periods included in the retention and disposal schedule.
Teams and departments should have routine processes ensuring compliance with the retention and disposal schedule.
Records that form part of ongoing litigation or an investigation must not be destroyed until after the legal proceedings or investigation is completed.
Records of long-term historical and archival value to the University should be identified, captured and preserved in an institutional archive. Criteria should be developed to support the identification of archival records.
7. Review
This policy will be reviewed by the Records Manager annually or more frequently as required.
Appendix A: Definitions
- Authenticity: “quality of a record that can be proven to be what it purports to be, to have been created or sent by the agent purported to have created or sent it, and to have been created or sent when purported”, BS ISO 30300:2020
- Authoritative records: “records, regardless of form or structure, are authoritative evidence of business when they possess the characteristics of authenticity, reliability, integrity and useability [sic]”, BS ISO 15489-1:2016
- Destruction: “process of eliminating or deleting a record, beyond any possible reconstruction”, BS ISO 15489-1:2016
- Digital Continuity: “ability to use digital information in the way that is needed, for whenever and wherever is needed”, BS ISO 30300:2020
- Digital Preservation: “the series of managed activities necessary to ensure long term access to digital materials. It includes actions to maintain persistence and fixity, manage dependencies, survive media failure and maintain usability and context through generations of technological, organisational and societal change”, Code of Practice on the management of records issues under section 46 of the Freedom of Information Act, rev. 2021
- Disposition: “range of processes associated with implementing records retention”, BS ISO 15489-1:2016. Disposal mainly refers to the destruction of records or transfer of records to an archive.
- Information Asset Register: information Asset Registers (IARs) are inventories of the University’s information assets. They contain information on where these assets are stored, who owns and manages them and other information pertinent to ensuring that the information is managed appropriately.
- Information asset: “a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited efficiently. Information assets have recognisable and manageable value, risk, content and lifecycles”, Code of Practice on the management of records issues under section 46 of the Freedom of Information Act, rev. 2021
- Information: “data in context with a particular meaning”, BS ISO 30300:2020
- Integrity: “quality of being complete and unaltered”, BS ISO 30300:2020
- Master record: a master record is the official, complete, up to date, trusted version of the record. The master copy should always be centrally maintained by the business area responsible for the function to which the record relates. Other versions which are used for a short space of time for reference purposes only are considered convenience copies. These convenience copies can be destroyed once they are no longer required, and in any event, should never be kept for longer than the retention period applicable to the master record.
- Record and information lifecycle: conceptual model for the management of records and information throughout their lifecycle. In the lifecycle, records and information have four distinct lifecycle stages, 1. Creation, capture, or receipt, 2. Active-use, 3. Inactive-use and 4. Disposal.
- Record(s): “information created, received and maintained as evidence and information by an organisation or person in pursuance of legal obligations or in the transaction of business”, BS ISO 15489-1:2016
- Records management: “the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records”, BS ISO 15489-1:2016
- Records system: “information system which captures, manages and provides access to records over time”, BS ISO 15489-1:2016
- Reliability: “quality of a record that can be proven to be complete and accurate”, BS ISO 30300:2020
- Retention and disposal schedule: the schedule lists the types of information produced as part of University activities and identifies the period of time for which this information must be retained. The retention period is based on legal, contractual, or regulatory requirements where applicable, and in all cases on operational needs and sector guidance
- Retention: “keeping a record according to records requirements”, BS ISO 30300:2020
- Usability: “property of being able to be located, retrieved, presented and understood, BS ISO 30300:2020
Appendix B: List of associated policies, procedures, legislation and guidance
Policies and Procedures
- Records Management Standards and all supporting procedures and guidance (Internal only)
- Retention and Disposal Schedule
- Records Disposal Procedure (Internal only)
- Data Protection Policy
- Information Sharing Procedure (Internal only)
- Information Security Policy
- Information Risk Management Policy
- Information Classification Procedure
- Freedom of Information Procedure (Internal only)
- Information Governance Incident Management Control Procedure
- Research Data Management Policy
Legislation
- UK General Data Protection Regulation and the Data Protection Act 2018
- Freedom of Information Act 2000
- Environmental Information Regulations 2000
Guidance and standards
- Code of Practice on the Management of Records issued under section 46 of the Freedom of Information Act 2000
- BS ISO 15489-1:2016. Information and documentation — Records management
- BS ISO 30300, 30301, 30302. Information and documentation — Records management — Core concepts and vocabulary, Management systems for records — Requirements, Management systems for records — Guidelines for implementation
- BS 10008:2020. Evidential weight and legal admissibility of electronic information