Records Management Workshop presentation
Download
Report
Transcript Records Management Workshop presentation
MANAGING YOUR RECORDS
EFFECTIVELY
Legislative compliance and business efficiency
Organise your (the Uni’s) records…
don’t let them organise (or disorganise) you!!
House-keeping
Fire procedure
Toilets
No mobile phones
Confidential
Breaks
Alignment with Strategy 20:20
Build Innovation, Enterprise and Citizenship
• Adopt a continuous improvement/enhancement
approach in all that we do
• Maximise the value of our [information] assets
Information and records are received and created by University staff
members and representatives to facilitate and support business
processes – they are inputs and outputs of the University’s activities.
Ensuring that our information assets are managed correctly corresponds
directly with the objectives of Strategy 2020, namely improving the
efficiency of business processes.
Alignment with the University’s Values (for PDR)
• Professional
-
Take personal responsibility
Use resources efficiently and effectively
Comply with the University’s statutory obligations, policies and regulations where
applicable
• Ambitious and Innovative
-
Using the information from today’s session to work proactively, using initiative, to
improve working practices to ensure the University is legislatively compliant,
including identifying potential risks and taking steps to mitigate these.
• Inclusive
-
Records Management relies on ensuring information is accessible to all those
who require it, and consistent and compliant practices are shared with
colleagues.
• Confident and Supported
-
Equipped to perform role
Updated professional/specialist skills and knowledge
Sharing good practice across the University
Confident &
Supported
Professional
Inclusive
Ambitious &
Innovative
What is records management?
“…the efficient and systematic control of the creation, receipt,
maintenance, use and disposition of records, including processes for
capturing and maintaining evidence and information of business activities
and transactions in the form of records.”
BS ISO 15489-1:2001
• It is about managing records, not just ‘information’ or documents, from
their creation, through processes associated with their use, such as
version control, distribution, filing, retention, storage, through to their
final disposition and/or disposal of records, in a way that is
administratively and legally sound, whilst at the same time serving the
operational needs of the University and preserving an adequate
historical record.
• The aim is to capture and maintain evidence of activities and
transaction in an efficient and systematic way.
• Organise records…don’t let them organise (or disorganise) you!
Why manage records?
Image – Edinburgh Napier Health and Safety Team
Loss of
information
Unlawful
disclosure of
personal or
confidential
information
Fines of up to £500K
or potentially a % of
the University’s
turnover in future
Difficulties
finding or
retrieving
information
Impact on
individuals
affected
Keeping
information
longer than
permitted
Breach of
legislation
Destroying
information
too soon
What is a record?
• The word record is used to mean ‘any
recorded evidence of an activity or business
transaction’
• Records are not defined by:
– Format, either physical or electronic
– Age, or
– importance
What is a record?
• A record is recorded information kept to provide evidence of some
transaction or activity
• The term ‘record’ can be used for an individual document or a
collection of documents organised as a unit:
– eg a letter, a paper files, a MS word file, an electronic folder, an
email, an MS outlook folder.
• Records management processes are the same regardless of the
format of the material because they are based on the content of the
record.
• We should therefore organise paper and electronic records according
to the same scheme.
Why is records management necessary?
• Good records management is not optional
• It is essential as a result of:
– Legislative requirements such as Freedom of Information, Data
Protection and other information related legislation
– Regulatory requirements eg QAA
– Contractual requirements; and
– Business needs
• Some drivers are external (FOI) but the strongest are internal, and
to do with working more efficiently and effectively.
Legislative requirements
• Legislation often imposes general requirements which require good
record keeping.
• The Data Protection Act 1998:
– Sets down conditions for processing personal data – creating records is a form of
processing, as is storing, retrieving, updating and sharing them
– Creates rights of access by individuals to their data;
– Personal data must not be retained for longer than necessary for the purpose(s) for
which it was gathered
• How long will depend on the circumstances, any may be overridden by other legal
requirements.
Consider the consequences for a breach of the DPA?
How does a breach happen?
Good records management can mitigate the risk!
Legislative requirements
• The Freedom of Information (Scotland) Act 2002 has created a
general right of access to information and records (mainly non
personal) held by public authorities
• Under Section 61 of the FOISA, Scottish Ministers have issued a
Code of Practice regarding records management in Scottish public
authorities
• Good records management is central to compliance with FOI, as
without good records systems the University won’t know what
information it has created, where it is stored and will ultimately be
unable to respond to requests for information
• This can result in legal action being taken against the University
• The Scottish Information Commissioner is also able to conduct audits
of public authorities which scrutinise records management practices.
Generally one University is routinely audited, but others are audited if
there is a breach of FOISA
Business requirements
• But above all….. we need good records management to function
effectively and efficiently an as organisation.
• Records are an asset (and a liability!).
• Everybody’s work requires access to and use of information….
records are the result.
• Not having the records you need is a problem …as is accumulating
too many of them!
Good records management depends on…
•
•
•
•
Creating records when necessary and in an appropriate way
Organising records to support access and re-use
Retaining records for as long as they have value
Disposing of records correctly – through destruction or
transfer to offsite storage
• Security of records and data protection should be taken into
account throughout the life cycle of the record
Records Management Basics
• It’s your RESPONSIBILITY as a University employee to ensure your
records are managed appropriately! That is:
– Appropriate records are created/received/retained
– Records are retained in a way that other colleagues (as appropriate) have
access. If you store information in ‘personal’ storage areas what happens
when you are not available. Storing information where others have access
means that you will have less interruptions where colleagues have to ask
you for information.
– You are not treating corporate information as if it is YOUR information
– File plans should be corporate, not ‘personal’ and should be replicated
across all systems e.g. hard copy, SharePoint, S: Drive etc.
– Departmental procedures should exist so that everyone is following the
same guidance with regards records management
– Information is only kept for as long as necessary
Records Management Basics
Records (evidence of business activity and/or transactions)
should be kept in a filing system (hardcopy/electronic
folders/libraries/etc.) according to the business process they
relate to and should be accessible to colleagues who deal
with that process. Sensitive or confidential information should
be kept in secured libraries/folders to which at least a
manager has access. University records should never be
kept in personal folders to which only one person has access
e.g. individual email accounts, H: Drive, C: Drive, MySite
(SharePoint), removable drives.
Creating and organising records
Which comes first?
Record creation OR it’s place in the filing structure?
When a record is created, in the majority of cases, as it is ‘evidence of
business activity’ (generated by a specific business process), its place in
the filing system (classification, access, security) and retention period
should already exist. This means that if the filing system is set up
correctly the person who is creating the record does not necessarily have
to think about these issues.
If you are creating a new record it should be saved
before you start working on it.
Business processes, activities and tasks
Business process cont’d…
Retention Periods
Termination of
contract + 6years
Recruitment
completion + 3
years
Termination of
contract + 6years
Others incl.
exercise
completion + 3
months
Retention Periods and Schedules
These business processes should therefore be linked to your retention
schedules and records with the same retention periods grouped together
for easy disposition.
Business
Process
Working documents
(examples)
Records
Retention Periods
File Arrangement/Plan
HR
Recruitment
-Email correspondence
-Statistics spreadsheets
-Draft business case
-Emails
-Drafts, emails, reference
documents
-Business case
-CFY+6yrs
-Meeting minutes
documenting BCase
approval
-Authorisation form (signed)
-Permanent
-Person specification
-Job description
-Advertisement text
-Emails, drafts
-Checklists
-Shortlisting matrix template
-Interview questions
-Enquiries
-Completed applications
-Completed shortlist
-Interview notes/scoring
-Employment offer
-Employment contract
-CFY+1yr
-Job T+1yr
-Job T+1yr
-Process T+3mnths
-Process T+3mnths
-Process T+3mnths
-Unsuccessful UK
Process T+3mnths
-Unsuccessful EU
Process T+1yr
-Successful T+6yrs
-Process T+3mnths
-Process T+3mnths
-T+6yrs
-T+6yrs
(moves from
recruitment files to
personnel file)
Business Cases
Authorisations
Job Descriptions
Person
Specifications
Advertising
Enquiries
Applications,
shortlisting and
interview
records
Employee Contract
Management
Training and Development
Evaluation, Pay and Benefits
Organising records
• When creating records think about:
– Do you need to share the information?
– Will your colleagues need access to it?
• If other people need access to records the you should:
– Save the records to a shared directory (if electronic) or a shared paper filing system
•
Shared record keeping systems are preferable to personal systems eg storing
on H:Drive or on disks. Personal files and directories should be used for
personal information not corporate records created in the course of your
employment. Drafts and confidential information can be protected using
access controls/passwords.
• Advantages of shared systems:
– Other people can access the information e.g. if you're away
– Less duplication of documents
Organising records
• File plans/systems should correlate directly to the business process
• Where possible put all related documents in a single area
• Name folders for activities and subjects
• Try to be as open/accessible with permissions as possible – make
sure someone else knows where your data is (however, do not give
out your network password to anyone!)
• Involves setting up a filing or classification scheme and applying the
same scheme to every part of your recordkeeping system.
• This would include using the same filing scheme for paper files, MS
Office folders, Outlook folders and Sharepoint workspace
Things to think about when creating records..
• Some information does not need to become records – in the sense of
information retained in a record-keeping system, for example:
– Ephemeral/transitory/temporary emails eg ‘thank yous’, acknowledgements,
invitations
– Publications and reference materials
– Duplicates of information
– Phone messages and post-it-notes
– Drafts (in most cases, there may be exceptions) once the final version is produced.
• You also have to ensure that the record is complete, for example:
– Does it provide a full and accurate picture of the subject, event, decision etc...?
– If emails are used to make key decisions or convey important information, they too
will also become records.
• What format are you going to keep your records in?
– ‘Print to paper’ (Not recommended)
– ‘All electronic’
Document and Folder Naming
• Name them sensibly for the relevant activity.
• Titles should be concise, but contain enough relevant information.
• Use standard terms or forms for names, places etc..
• Use the date format YYYYMMDD
• Use whole names, or standard acronyms. If acronyms are used,
ensure that the full description is spelt out within the document.
Using records: security issues
• Security is particularly vital for records containing:
– Personal data
– Commercially sensitive
information
– Information provided in
confidence
– Legally privileged information
• Because:
– The Data Protection Act requires us to protect personal data
against unauthorised access and accidental loss
– Poor data security (loss of USB data sticks) can lead to
reputational damage and result in the University being fined or
prosecuted.
censorshipinamerica.com/
Using records: security issues
• For electronic records, this means:
– Keeping passwords secure – and changing them regularly
– Restricting access to those who need it (use of passwords on documents)
– Backing up data regularly – especially those held on USB sticks or laptops
• Further guidance is available form C&IT. The University’s Information
Security Policy can be accessed at:
http://staff.napier.ac.uk/Services/citservices/Information+for+Staff/Info
rmation+Security/
• For paper records, especially those containing personal data:
– Always use lockable cabinets or secure areas
– Operate a clear desk policy
– Consider using security markings on files eg
• Personal data-in-confidence, commercial-in-confidence, Legal-in-confidence.
Emails
• Outlook is a communication tool NOT a filing system
• Emails documenting decisions and evidence of business transactions
are records and therefore subject to the same legislation and other
requirements as records held in other formats.
• Records kept in Outlook are essentially being filed in a personal
storage area and are therefore not accessible to others who may need
to see them.
• Emails should be routinely managed and stored along with other
records pertaining to the same task/subject/business
Vital Records
Vital records are those records which are crucial to the functioning of the
University. They are necessary for the continuing operation of the organisation
following a crisis/disruption/disaster as they contain information which is essential
to provide evidence of the University’s legal and financial status, ensuring that the
rights and responsibilities of stakeholders are maintained. These records are
necessary to assist the University in resuming business as soon as possible after
a crisis/disaster.
How do we identify vital records?
Risk assessments and inclusion of vital records schedules in business continuity
plans.
Contracts
One area that many organisations find challenging is the records
management of contracts, agreements and associated documents.
Good records management is critical to efficient and effective contract
management. Do we know where all the Uni’s contracts are?
It is estimated that companies spend almost 5% of their revenue to track agreements after
signing a contract.
- Goldman Sachs
That’s a lot of money! Apart from time wasted searching for contract
documents costs could also be incurred by having to re-draft documents,
losses incurred if SLAs or contract terms are not met and this cannot be
substantiated by production of the original contract or related documents.
Contracts and records management
Contracts should be registered on a central or departmental register and
accessible to the necessary people.
This register should be cross referenced to a retention schedule and
identify the following information:
• Where the ‘Golden Record’ held
• How the ‘golden record’ is held (fire proof safe, off-site storage, etc.)
• Who is the custodian (department or faculty/job title)
• What is the ‘trigger point’ for the retention period to kick in? (Generally
contract termination)
• What is the retention period? Is there a review date?
• Is the contract a vital record?
Contracts – other considerations
Risk Management – good records management practices can mitigate risks:
Legislative compliance (Prescription and Limitation Act 1973, EU Law, etc.)
Legal admissibility and evidential weight of information
Audit requirements – is an adequate audit trail provided?
Evidence for litigation purposes in the event of a legal challenge.
Other considerations:
• Consistency – ensuring the contract complies with recommendations/University guidance and
using University templates which include relevant data protection and FOISA clauses
• Evidence of past actions to inform future developments e.g. setting precedents for re-tendering
• High costs associated with contract creation and management – good RM can assist with
rationalising these
For guidance drafting contracts and using templates contact:
Commercialisation Contracts - Aileen Wood and Fiona Mason, Innovation Managers
Finance and Procurement Contracts – Lynne Smith, Operations Support Manager
General Contracts – Helen Mizen, Governance Officer (Data Protection & Legal)
Outcome Agreements with the SFC – Anastasia Dragona, Information and Project
Officer
Overview
• Good records management is necessary for statutory, regulatory
and contractual reasons.
• It also helps the University to function more efficiently.
• When creating records, we need to think about:
–
–
–
–
Whether the record is necessary
Whether the language is appropriate
What format are we going to save the record in
Whether people will need access to the record
• Records can exist in many different formats – and pass through a
lifecycle reflecting their business value.
Overview
• Records are the output of business activities and should be arranged
in a way that reflects this.
• Put records in organised shared areas, preferably on SharePoint.
When deciding on the file structure think about how you are going to
dispose of them – don’t have folders full of documents with mixed
retention periods.
• No records should just be accessible to one person (e.g. in an H:
Drive or in Outlook). This doesn’t necessarily make them secure.
• Name documents sensibly. Ideally have departmental naming
conventions which have been documented, so everyone knows how
they should be naming documents and has something to refer to.
• Have disposal events once or twice a year to weed out
records/documents that you no longer need to retain. Individuals
should schedule time into their diaries to maintain their records and
information.
Further information
• Records Management
– Governance Services
• http://staff.napier.ac.uk/services/secretary/Pages/uso.aspx
• http://staff.napier.ac.uk/services/secretary/governance/records/Page
s/default.aspx
– JISC Infokit – Records Management
• www.jiscinfonet.ac.uk/infokits/records-management
– JISC Managing records – guide for administrators
• www.jiscinfonet.ac.uk/records-management/guide-for-administrators
• Freedom of Information
– Edinburgh Napier FOI website:
• www.napier.ac.uk/foi
– Scottish Information Commissioner:
• www.itspublicknowledge.info
• Data Protection
– Info Commissioner - www.ico.gov.uk/
Contact
Diana Watt
Governance Officer (Records Manager)
Email: [email protected]
Telephone: 0131 455 6257