Scotland s Commissioner for Children and Young People Records Management Policy

Transcription

1 Scotland s Commissioner for Children and Young People Records Management Policy 1 RECORDS MANAGEMENT POLICY OVERVIEW 2 Policy Statement 2 Scope 2 Relevant Legislation and Regulations 2 Policy Objectives 3 Related Policies and Guidance 4 Definition of Terms 4 2 RECORDS MANAGEMENT POLICY 4 Record Lifecycle 4 Record Creation and Capture 5 Record Maintenance 6 Records Retention and Disposal 7 Training and Support 8 Responsibilities 9 3 Appendix 11 Records Management Glossary of Terms 11

2 1 RECORDS MANAGEMENT POLICY OVERVIEW Policy Statement 1.1 Our records are our corporate memory providing evidence of the actions and decision making that underpin our daily functions and operations and help us to promote and safeguard the rights of children and young people in Scotland. This policy and its related procedures and guidance have been produced to help us ensure that adequate records are held by SCCYP and that they are managed and controlled effectively, and in support of our legal, operational and information needs. Every SCCYP member of staff must comply with this records management policy and related policies, procedures and guidelines. Scope 1.2 This policy covers all records held by SCCYP regardless of format. This policy therefore covers records in the following formats which members of staff use or access as part of their employment with SCCYP. Audio and video tapes, cassettes, DVD film, podcasts Facsimile Photographs Records in all electronic formats, including disks or CDs Records in paper format Relevant Legislation and Regulations 1.3 The policy demonstrates SCCYP s commitment to achieve compliance with the following legislation, and has been informed by the listed best practice standards: Freedom of Information (Scotland) Act 2002 Environmental Information (Scotland) Regulations 2004 Data Protection Act 1998 Human Rights Act 1998 Electronic Communications Act 2000 Freedom of Information (Scotland) Act 2002 Code of Practice on Records Management International Standard on Information and Documentation Records Management ISO Principles for Good Practice for Information Management, PD0010:1997 BS 10008: 2008 Evidential Weight and Legal Admissibility of Electronic Information. Specification. Records Management Policy 2

3 Policy Objectives 1.4 This policy and associated procedures and guidelines are intended to ensure that all records held by SCCYP are effectively managed throughout their lifecycle, from planning and creation through to disposal. The eight overarching objectives of this policy (and associated SCCYP Information Management Principles 1 ) are: Accountability (Keeping Records of What We Do) 2 Complete and accurate records are maintained to account fully and transparently for all actions and decisions, and in particular: to facilitate audit or examination to provide credible and authoritative evidence to protect legal and other rights of staff or those affected by their actions to allow public access to information about: o the functions provided by SCCYP o the costs of providing those functions o the standard attained in fulfilling these functions o the evidence which forms the basis of decisions and actions taken by SCCYP o the publication of reasons for decisions taken Quality (Ensuring information is accurate) Records are authentic, complete and accurate. Their contents should be reliable and their integrity guaranteed. Usability (Information Accessibility) Records and the information within them can be efficiently located, retrieved, presented and interpreted by those with a right of access, for as long as the records are held by SCCYP. Compliance (With Statutory and Regulatory Requirements) Records comply with any record keeping requirements resulting from the regulatory environment, current business requirements and stakeholder expectations. Particular regard must be paid to the S.61 Code of Practice on Records Management published under the Freedom of Information (Scotland) Act Appraisal and Disposal (Keeping Records of What We Do) There are consistent and documented retention, selection and disposition procedures to inform the management of the long term future of the various categories of records held by SCCYP. Security (Information Security) Records will be secure from unauthorised or inadvertent alteration or deletion, whilst access and disclosure will be properly controlled and audit trails in place to track all transactions in relation to a particular record. Records and the systems 1 Information Management Policy. TRIM/ Corporate Management/ Information Management/ Information Management Policies 2 Associated SCCYP Information Management Principles are listed in brackets alongside each policy objective. Records Management Policy 3

4 in which they are stored will be in a robust format ensuring records remain retrievable and readable for as long as records as required. Training (Personal Responsibility) All staff are made aware of the benefits of good records management and their own record-keeping responsibilities through generic and specific training programmes and guidance. Monitoring and Auditing (Compliance with Statutory and Regulatory Requirements) The application of records management procedures and processes are regularly monitored and reviewed, and action taken to improve standards as and when required. Related Policies and Guidance 1.5 The SCCYP Records Management Policy is supplemented by a number of related and supporting policies, procedures and guidance. All of these sit under the umbrella of the SCCYP Information Management Policy. All are available via the SCCYP electronic records and document management system, TRIM. Where reference is made to these additional policy documents, a footnote is provided with the file name of the policy. Definition of Terms 1.6 A glossary has been included in the Appendix to this document providing definitions of records management terms used in this policy. These terms are underlined the first time they appear in the text of this policy. 2 RECORDS MANAGEMENT POLICY Record Lifecycle 2.1 This policy covers the lifecycle of all records held by SCCYP. The key lifecycle phases of a record are outlined below: Phase Created/Received Active Use Semi-Active Use Comments Records are created or received and (where appropriate) captured into SCCYP records management systems Records are regularly used for the business purpose for which they were created Records are stored and maintained for reference purpose; it is possible that records may be required for new, equally legitimate purposes over time and therefore Records Management Policy 4

5 Appraised Disposed it is possible for records to reverse their status from semi-active back to active use Staff appraise the value (business/legal/financial/research/historical) of records Records destroyed or transferred to the SCCYP records archive Record Creation and Capture 2.2 It is the responsibility of all SCCYP staff to ensure all official documents that record essential activities are filed in an appropriate manner, following records creation procedures in the TRIM User Guidance Records of SCCYP s business activity should be complete and accurate enough to enable current employees and their successors to fulfill their responsibilities to: facilitate an audit or examination of the business by anyone so authorised; protect the legal and other rights of SCCYP, its clients and any other persons affected by its actions; provide proof of the authenticity of the records so that the evidence derived from them is shown to be credible and authoritative; and provide a true and accurate record of the principal policies and activities of SCCYP for ongoing public accountability and interest. 2.4 Records are managed within SCCYP via electronic records systems. These systems: accommodate both paper file systems and records that are created or exist in electronic format; provide a simple information architecture for file storage; and Provide referencing and classification metadata for registration of records and quick and easy retrieval of accurate and related information. 2.5 Record Indexing Our records must be trustworthy, complete, accessible, legally admissible in court, and robust for as long as our records retention schedule 4 requires. Records that are consistently and logically indexed are easier to manage to meet these requirements. 3 TRIM User Guidance. TRIM/ IT/ Policies and Procedures/ TRIM User Guidance 4 Records Retention Schedule. TRIM/ Corporate Management/ Information Management/ Information Management Policies Records Management Policy 5

6 To this end all SCCYP staff should reference, title, index and security mark records they create and receive from outside SCCYP with the appropriate metadata in accordance with TRIM User Guidance. The metadata added should be easily understood by all SCCYP staff and enable the efficient retrieval of information. 2.6 Storage Location All SCCYP staff must save these records to the appropriate records management systems as specified in the TRIM User Guidance. Record Maintenance 2.7 Records Searching and Retrieval The design and configuration of information architecture within any records system managing SCCYP records will ensure that related records and the information within them can be efficiently retrieved by those with a legitimate right of access, for as long as the records are held by SCCYP. 2.8 Information Sharing SCCYP staff are encouraged to regard their existing records collection as a knowledge resource of SCCYP experience and expertise. The information held in these records should be used as a key resource for future research and organisational development. 2.9 Version Control A key factor in quality decision making and action is the ability to access the most up-to-date information available. It is therefore vital that all SCCYP staff follow version control procedures, as defined in the TRIM User Guidance, when updating a record Information Security SCCYP staff must follow the SCCYP Information Security Policy 5 to ensure that all records are secure from unauthorised or inadvertent alteration or erasure and that access and disclosure are properly controlled Records Audit The design and configuration of information architecture within any records systems managing SCCYP records will ensure that there is an auditable trail of record transactions Removal of Records SCCYP staff must comply with the Information Security Policy which includes a formal process for removal of records. This policy also covers copies of records removed by contractors as a legitimate requirement of the work they are carrying out on behalf of SCCYP. 5 Information Security Policy. TRIM/ Corporate Management/ Information Management/ Information Management Policies Records Management Policy 6

7 2.13 Paper Records All records should be managed in electronic format with the following exceptions: evidence provided by Service Providers and complainants in the course of an investigation; records that have been received by SCCYP in paper format and which are considered impractical to scan; printed copies of electronic records for reference and to aid record editing; and transitory records e.g. unsolicited promotional material which is deemed to be of no current or future benefit to the work of SCCYP 2.14 Storage and retrieval of paper records Official records in paper format should be managed in a filing system that is consistent with the corporate file plan and should have a matching metadata record in the appropriate information management system. Metadata should include location details Transit of paper files Staff requiring access to paper files should follow the process for logging and tracking of checked out paper files in accordance with the TRIM User Guidance so that an accurate log of the movement of the file can be maintained for tracking and auditing purposes Paper Mail Management Procedures are currently being drafted for the secure logging and tracking of official paper records received as incoming mail Management s generated or received by SCCYP are subject to the same records management principles as the equivalent record in any other format. Due to the complexity of issues surrounding usage and management, a separate policy document has been created detailing management procedures 6. Records Retention and Disposal 2.18 Records Management and Retention Schedule SCCYP has developed a records management and retention schedule to support the control of SCCYP records by determining the record types for creation, storage and final disposition to meet its operational needs and ensure compliance with legal requirements. The retention schedule is an essential component of efficient and effective records management and must be consistently implemented by all staff and reviewed by the Records Management Team annually to maintain the integrity of the retention guidance. Policy and guidance on the schedule is included in the Records Selection and Disposal Policy Management Procedures. TRIM/ Corporate Management/ Information Management/ Procedures 7 Records Selection and Disposal Policy. TRIM/ Corporate Management/ Information Management/ Information Management Policies Records Management Policy 7

8 2.19 Record Selection and Disposal The Records Selection and Disposal Policy sets out the arrangement for managing the appraisal process and recording the final disposition decisions for all SCCYP records when they come to the end of their useful life. Compliance, Governance and Risk 2.20 Compliance Monitoring This Records Management Policy is supported by an audit programme 8 which will monitor compliance with Records Management policies and procedures in SCCYP and put in place corrective actions to resolve any areas of non compliance identified during the audit Audit Log The electronic record systems used by SCCYP log all records activity. This provides an audit trail which can be used as evidential support for system monitoring and compliance auditing Legal Admissibility of Electronic Documents The management and auditing of all SCCYP information held electronically complies with BS 10008: 2008 Evidential Weight and Legal Admissibility of Electronic Information. A statement of SCCYP compliance with this is outlined in the Legal Admissibility Policy Business Continuity SCCYP has in place arrangements for business continuity in the form of a business continuity plan 10 which documents the processes to be undertaken in the event of a disruption to service affecting the normal business activities. The plan includes an official records maintenance/preservation policy which sets out the procedures that must be followed to protect SCCYP official records in the event that any of the listed disaster scenarios should occur. Training and Support 2.24 Staff training and support is recognised by SCCYP as a pre requisite to the successful implementation of its Records Management Policy. To this end appropriate training and guidance will be provided to all staff. Provision of appropriate resources to enable the records management function to be maintained across all of SCCYP s activities. A competency framework for all staff covering all records management processes will be established and reviewed regularly as part of the performance management system. 8 Audit Programme. TRIM/ Corporate Management/ Information Management/ Information Management Policies 9 Legal Admissibility Policy. TRIM/ Corporate Management/ Information Management/ Information Management Policies 10 Business Continuity Plan. TRIM/ Corporate Management/ Business Continuity/ Policies and Procedures Records Management Policy 8

9 A professional development programme in records management functions will be developed and implemented. Awareness of records management issues and practices will be included in the induction training programme for all new staff. There will be a regular analysis of training needs alongside ongoing provision of appropriate training in record keeping for all staff. Responsibilities 2.25 Scotland s Commissioner for Children and Young People has overall responsibility for ensuring that records are managed responsibly within SCCYP, and has delegated the management of this to the Chief Officer The Chief Officer and Information Officer are responsible for Records Management at a strategic level and for developing, publishing, maintaining and administering this policy and the associated guidelines. The key responsibilities of this team are: To ensure that SCCYP complies with the Freedom of Information (Scotland) Act 2002 Code of Practice on Records Management; To review and update this policy and associated guidelines to ensure they continue to support the records management requirements of SCCYP in the undertaking of its obligations under the Commissioner for Children and Young People (Scotland) Act 2003 and the operation of administrative functions; To receive and approve change requests to the SCCYP records management systems; To activate these requests and issue update alerts to all staff; To arrange for the annual review and disposal of files; To manage the audit programme and ensure any corrective actions are carried out; To provide appropriate staff training, guidance and feedback mechanisms to support them in carrying out their records management responsibilities; and To discuss and make proposals for allocating records management responsibilities and resources within SCCYP. Records Management Policy 9

10 2.27 Records management responsibilities will be written into all accountable individuals job descriptions It is the responsibility of all staff to ensure that they keep appropriate records of their work in SCCYP and manage those records in keeping with this policy and with any guidance subsequently produced by the Records Management Team and authorised by Scotland s Commissioner for Children and Young People. In addition all SCCYP staff will have specific responsibilities as records custodians according to their area of work. Document History Issue Date Author Comments 1 15 June 2010 Gillian Munro Approved by Management Team Records Management Policy 10

11 3 Appendix Records Management Glossary of Terms Term Appraisal Audit Programme Business Continuity Disposal Indexing Information Architecture Information Management Legal Admissibility Lifecycle of records Metadata Official Records Definition The process of evaluating business activities to determine which records need to be captured and how long they need to be kept to meet business needs, the requirements of organisational accountability and community expectations. A listing of audit procedures to be performed in completing an audit. A process of identifying, preventing or preparing for events that may interrupt business activities to protect critical business processes from the effects of major failures or disasters. A range of processes associated with implementing appraisal decisions. These include the retention, deletion or destruction of records in or from records management systems. They may also include the migration or transmission of records between records management systems, and the transfer of custody or ownership of records. The action of specifying or determining the predestined topic, name, number, or caption under which a record is to be filed. Organising information to help people effectively fulfil their information needs. The collection and management of information from one or more sources and the distribution of that information to one or more audiences. Information we create and use can be an asset or a liability depending on how it is managed. Organisations must capture, manage, preserve, store and deliver the right information to the right people at the right time. Whether or not a piece of evidence (for the purpose of this policy, an electronic record) would be accepted by a court of law. Is it possible to prove that the system the record is kept in is a secure system? The management concept that records pass through the stages of creation, maintenance, use and disposition. Describes how and when and by whom a particular record, was created, and how the record is formatted. Metadata is essential for a number of records management processes including records retrieval, disposal and auditing. Records that need to be retained to meet legislative requirements under the Freedom of Information (Scotland) Act 2002, Data Protection Act 1998, Environmental Information (Scotland) Regulations 2004, Commissioner for Children and Young People (Scotland) Act 2003, and SCCYP business and accountability requirements. e.g. contracts, the SCCYP Records Management Policy 11

12 Term Record Keeping Record Records Custodian Records Management Records Management System Retention Schedule Version Control Definition Publication Scheme and Records Management Policy. Making and maintaining complete, accurate and reliable evidence of business transactions in the form of recorded information. Information created, received and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business. All categories of SCCYP records have a named custodian who is responsible for carrying out specific records management processes for that category, for example record selection and appraisal. The retention schedule lists custodians of records categories. The discipline and organisational function of managing records to meet operational business needs, accountability requirements and community expectations. An information system which captures manages and provides access to records over a period of time. Examples used in SCCYP are, TRIM, CHAS and Filemaker. A document that identifies the length of time records must be retained in active/current and inactive/non current storage before its final disposal to permanent storage, archival preservation, or destruction. The schedule also indicates confidentiality, privacy and vital records for business continuity. This is a system established to manage the updating of records. It ensures that those accessing information are able to identify the current version of a record and retrieve a previous version where appropriate. Records Management Policy 12