COVERSHEET FOR A NEW OR REVISED POLICY

Transcription

1 COVERSHEET FOR A NEW OR REVISED POLICY Please complete and send with the draft Policy/Procedure to policies@queensu.ca. A separate form is required for each Policy and Procedure. PROPOSED NAME OF POLICY / PROCEDURE FILE # Records Management Policy Secretariat Use Only SELECT ACTION: New Policy/Procedure Replacement to existing policy/procedure Deletion of existing policy/procedure If revised, briefly highlight the significant changes (try to limit to five or less): 1. Responsibility for records management shifted from the University Archives to the Office of the University Secretary and Legal Counsel 2. Greater emphasis placed on records preservation and security to align with information security program in IT Services, and to address recent recordkeeping amendments to FIPPA 3. Clearer statement of responsibilities 4. Repositioning of Records Management Committee from an operational to a strategic governance body RATIONALE FOR SUGGESTING THE POLICY/PROCEDURE OR CHANGES TO THE POLICY/PROCEDURE What developments, changes or circumstances indicate that a policy/procedure or change to a policy/procedure is needed? What are the implications of not having the policy/procedure? How would the University and/or its students, staff and faculty benefit from such a policy/procedure? If you are only proposing a procedure and no policy exists to support it, please explain your rationale for this approach. As a result of the 2013 Records Management Review, responsibility for the records management program has moved from the University Archives to the University Secretariat and Legal Counsel. A revised policy is required to take account of this organizational change. SCOPE OF PROPOSED POLICY/PROCEDURE Indicate to which members of the University community the proposed policy/procedure would apply and reference other pertinent policies, legislation, regulations, collective agreements, etc. and explain their relationship to the policy/procedure.

2 The policy applies to all individuals who create and/or maintain University records, specifically, to all Queen s employees, volunteers, and members of the Board of Trustees. The records management policy is closely related to the work of the Privacy Office as the Director, University Records Management also has responsibility for the Freedom of Information and Protection of Privacy Act (FIPPA). FIPPA and records management are mutually supportive in terms of the management of records for availability and access, and for the protection of privacy. The records management policy is closely related to the work of the Information Security Office and other offices within the scope of the Office of the Chief Information Officer. Electronic information is a subset of University records and accordingly, policies and procedures for ensuring the availability, integrity, and confidentiality of electronic information must align with records management policies and procedures. The records management policy is closely related to the work of the University Archives. Archivists are engaged in identifying, acquiring, preserving and providing continuing access to all inactive, permanently valuable university records. The Office of the University Secretary and Legal Counsel will collaborate with the University Archives to design, create, implement and maintain a University-wide records management program. Records retention schedules, which are a significant part of any records management program, are prepared to address legislative, regulatory, and collective agreement requirements with regards to the retention and disposition of records. Accordingly, this policy is connected with any such requirements contained in the legislation and regulations which pertain to the University, in addition to any such requirements within collective agreements (such as sections pertaining to official employee files). HUMAN RIGHTS, EQUITY, AND ACCESSIBILITY Indicate implications of the policy/procedure on the University s obligations under the Ontario Human Rights Code, Accessibility for Ontarians with Disabilities Act (2005) and its Regulations, the Queen s Multi-Year Accessibility Plan, and established human rights and equity-related policies such as the Employment Equity Policy and the Educational Equity Policy. No implications with regards to Human Rights, Equity, or Accessibility policies or plans. CONSULTATION Describe any consultation undertaken to date or proposed, including the dates and names of committees / staff / student meetings.

3 Human Resources Labour Relations Faculty Relations Advancement Communications Queen s Community Audit ORS Finance/Faculty Budget Officer ITS Deans Other CIO Please provide detail: Records Management Review WG; Operations Review Committee APPROVAL PROCESS What is the recommended approval body(ies) and the steps required to achieve final approval of the proposed policy/procedure? Principal s/vice-principals Committee (PVP) COMMUNICATION PLAN Indicate how the policy / procedure will be communicated to allow for implementation. Note that publishing on the central policy webpage by the Secretariat is assumed; information about additional communication strategies should be provided. Suggested communications strategies include presentations to QMPG, Business Officers, FIPPA Contacts Network, and publication in the Gazette. RISK MANAGEMENT What type of losses (financial, legal, reputation, injury, property damage) could occur if this policy/procedure is not implemented. Records management ensures that information resources are managed properly throughout their lifecycle. Mismanagement of records could lead to loss of information, failure to protect confidential or personal information, improper destruction of information or retention of information for longer than necessary. All of these situations could lead to financial, legal or reputational losses depending on the nature of the records. For example, a legal contract that is misfiled, improperly disclosed, or destroyed too soon could cause the University to default on a payment. A lost blueprint could have serious consequences on how a building is renovated. A student admission application that is misfiled could lead to a privacy breach. A student transcript that is inadvertently destroyed could mean the student is unable to apply for a job. An additional risk is that without the implementation of records management practices, records are allowed to accumulate uncontrollably, leading to space constraints both in paper and within computer systems. Not only does this present a financial burden, but it also leads to inefficiency as employees attempt to manage mountains of records that are no longer needed. An added risk of not managing records properly is that records which could have been destroyed under authorized schedules are required

4 to be produced for FIPPA requests or legal challenges. Such production requests come with financial and legal consequences. Currently, Queen s has a records management policy; however, this revised policy will reinvigorate the program and focus greater attention on the responsibilities of each and every individual to whom the Policy applies to properly manage records, including destroying/deleting records where warranted. How likely is it that they will occur and how significant might they be? Conversely, what opportunities might be missed if this policy/procedure is not enacted? Please consult with the Risk Management Office, if unsure. Information management and security is identified as one of the University s top 10 strategic risks (April 2015). Without control of records, there is a high likelihood that the kinds of situations described above will occur with undesirable consequences. The situation is exacerbated with digital records which are voluminous and more prone to improper deletion or disclosure. There is a critical need to address the availability, integrity and confidentiality of records in digital form as soon as possible. Indicate resources required to implement the policy/procedure (funding, staff time, space). Funding to address the policy changes has already been committed (appointment of a Director, University Records Management and hiring of a Records Manager). Implementation at the local level will continue to require local resources for such activities as offsite records storage, digital records management, etc. It is anticipated that a commitment of institutional resources will be required, especially for the coordinated management of digital records. Indicate how this policy/procedure will be implemented. Note that proactively implementing a policy/procedure is required to decrease liability. Working in collaboration with the University Archives, the Records Management and Privacy Office will undertake a training and awareness campaign to encourage departments and units to ensure their records are scheduled, and to ensure that all individuals to whom the Policy applies are knowledgeable about how to handle records properly. Working in conjunction with both the Archives and IT Services, the Records Management and Privacy Office will focus special attention on measures for managing records in digital form. Are there time constraints which require implementation of the policy/procedure on an expedited basis? Records schedules have been left in limbo because the University Records Management Committee (which approves the schedules) has been dormant pending the outcome of the 2013 review. Accordingly, records are piling up as units do not have the authority to dispose of them without the schedules. A new Committee should get up and running in the near future to deal with approving the backlog. PROCEDURES List required Procedures and attach, if drafted. Procedures and other guidance are on the Records Management and Privacy Office website and the University Archives website.. These documents will be updated in accordance with the revised policy in due course.

5 RESPONSIBLE OFFICER / COMMITTEE Officer / Committee: Lisa Newton, University Legal Counsel (Insert name and title of Senior Administrative Officer responsible for the policy/procedure) Signature: (For a Committee, the Chair is to sign) Date: 19 February 2016 Contact Officer: Carolyn Heald, Director, University Records Management and Chief Privacy Officer (Insert name and title of Contact Officer) POLICY ADVISORY SUBCOMMITTEE (PASC) SIGN OFF Secretariat Use Only Reviewed by PASC on: [DATE] Conforms to Requirements? YES / NO If NO: Next Steps:

6 APPROVAL AUTHORITY DECISION Secretariat Use Only Name of Approval Authority: Approved? YES / NO If NO: Next Steps: If approved: Date of Approval: Date of Commencement: Date for Next Review: Contact Officer: Position: Submit this Form with a Word version of the final approved Policy/Procedure to: policies@queensu.ca

7 POLICY TEMPLATE DRAFT REVISION RECORDS MANAGEMENT POLICY Category: Approval: Responsibility: Date: Leave this blank; a category will be assigned The University Secretary, on the advice of the Policy Advisory Subcommittee, will identify the appropriate approval body(ies), e.g. Board of Trustees, Senate, VPOC, other Office of the University Secretary and Legal Counsel Date initially approved: September 29, 2003 Date of last revision: June 2014 Definitions: Information Steward: the University officer or employee (faculty or staff) having primary responsibility for a record or group of records. Non-University Records: records created or received as a result of personal activities and usually including such items as research and study notes, teaching materials, publications and personal communications of individual faculty, staff and students. Personal Information: recorded information about an identifiable individual. Personal Information is a sub-set of Sensitive Information. Records Retention Schedule: a document governing the life cycle of a record, or series of records, providing the length of time the record is to be retained and its final disposition whether destruction or transfer to the University Archives. Sensitive Information: a set of information or data that is classified as personal, confidential, or operationally-sensitive as defined under the Queen's University Data Classification Standard, whether stored on campus or off. [Note: Sensitive Information in electronic format is defined under the Electronic Information Security Policy.] University Records: records, in any media or format, within the University s custody or under its control that are created or received, and maintained as evidence or information in the administration and operation of the activities of the University. Purpose/Reason for Policy: The purpose of this policy is to:

8 ensure responsible management of University Records as valuable resources and assets in support of effective decision-making, protection of rights and entitlements, and preservation of corporate memory support the protection of Personal Information by ensuring records are managed and disposed of in an appropriate fashion protect the University from the risks associated with inadvertent or inappropriate destruction of information support accountability, and promote operational efficiency and economy ensure compliance with relevant legislation Scope of this Policy: This policy applies to all University Records in all media and formats, including but not limited to paper, electronic documents and files, , photographs, film, audio and video, and drawings. This policy applies to all University employees (including faculty, staff, and students employed by Queen s), as well as members of the Board of Trustees, volunteers, contractors and agents engaged by a department or employee, with respect to the University Records they create and/or receive, use, handle, maintain, store, and dispose of, whether on campus or remotely. Policy Statement: Queen s University will provide for the efficient and effective management of the University s records. 1. Basic Principles 1.1 All University Records, regardless of their format or location, are the property of the University. 1.2 Good records management practice is essential in creating, capturing, using and disposing of the information required for an organization to fulfill its obligations and meet the expectations of its stakeholders. 1.3 Queen s University s records management policy, program and practice will be based on current professional standards and best practices. 2. Records Creation and Maintenance 2.1 Records in all formats created and received as evidence of University activities will be captured as records and maintained in all processes and systems. 2.2 Responsibility for capturing and maintaining records rests with the organization as a whole and with individuals within the organization.

9 2.3 The context and structure of records will be managed in any University recordkeeping system, in order to maintain record security, reliability and authenticity. 2.4 Retention of records will be scheduled and authorized so that they are retained only for as long as they are needed. 3. Records Preservation and Security 3.1 Records will be protected from inappropriate access, use, disclosure, alteration and disposal. 3.2 University Records of archival value will be preserved and access provided where restrictions do not apply. 3.3 Sensitive Information (including Personal Information) contained in University Records will be created, used, maintained and disposed of in an appropriate and lawful manner. 3.4 University Records, being the property of the University, may not be removed from its control or destroyed except under the authority of this policy. 4. Strategic Governance 4.1 The Principal shall appoint a senior leadership committee (the Committee) to provide institutional strategic direction and governance on records management policy and strategy. The Committee will be responsible for the initiation, control and review of records management policies and procedures, including the approval of all University Records Retention Schedules before application/implementation. 4.2 The Committee will consist of senior level employees (or their delegates) with appropriate subject-matter expertise, as well as key Information Stewards both in administrative units and Faculties. Responsibilities: The Office of the University Secretary and Legal Counsel will: provide leadership and strategic management of University Records as valuable information assets appoint appropriate staff and collaborate with the University Archives to design, create, implement and maintain a University-wide records management program develop procedures and guidelines and other user-friendly tools to support implementation by University departments and units provide training and advisory services to employees of University departments and units so that the policy and procedures are understood and applied

10 maintain a network of records management contacts across University departments and units for the purpose of information-sharing, feedback, and continuous program improvement All Information Stewards will: ensure that Records Retention Schedules are prepared and followed for the records under their responsibility, and that the disposal (either destruction or transfer to the University Archives) of records is authorized and documented ensure that records containing Sensitive Information (including Personal Information) are protected from unauthorized access or modification, and inappropriate use or disclosure, whether intentional or unintentional All Department and Unit Heads will: appoint a suitable staff member to serve as the point of contact for records management activities within the department or unit ensure employees in their department or unit are aware of this policy and appropriately trained ensure all other individuals to whom the policy applies who are engaged by, or work with, their department or unit are aware of this policy and appropriately trained All University employees, members of the Board of Trustees, volunteers, contractors and agents will: ensure the effective management of University Records in accordance with this policy and any procedures made hereunder Contact Officer Date for Next Review 2021/03/31 Related Policies, Procedures and Guidelines Carolyn Heald, Director, University Records Management and Chief Privacy Officer Electronic Information Security Policy ( Records Retention Schedules ( Managing University Records (

11 Policies Superseded by This Policy