This policy covers information and records created and held by the QAA, in any media or format.

Transcription

1 Title of policy: Information and Records Management Policy Policy statement QAA will create an environment where all staff have access to accurate and appropriate information that they require for their role. The Information and Records Management Policy, supported by specific procedures, provides guidance on the handling of information to facilitate the delivery of QAA s business objectives. Implementation of this policy will ensure compliance with legal requirements and provide a framework for the use of information in line with good practice. This policy covers information and records created and held by the QAA, in any media or format. Aim of policy (ref: Resources Group SDS ) Providing secure and stable systems and procedures which provide sufficient reassurance to funders and other stakeholders. Link to other policies / procedures and guidelines Data Protection Policy Information Security Policy Information management policy framework (links to all procedures and guidelines) Created / owned by: Information Management Policy Group Date: April 2004 Approved by: Information Governance Group Date: September 2013 Date last reviewed / updated: August 2013 Date next review due: September 2014 Location: Version: 3.0 For further information contact: Head of Information Management and Infrastructure Information and Records Manager

2 Information and Records Management Policy Policy Statement QAA will create an environment where all staff have access to accurate and appropriate information that they require for their role. The Information and Records Management Policy, supported by specific procedures, provides guidance on the handling of information to facilitate the delivery of QAA s business objectives. Implementation of the Information and Records Management Policy will ensure compliance with legal requirements and provide a framework for the use of information in line with good practice. All Agency staff are expected to ensure that information resources are managed in accordance with the Information and Records Management Policy and supporting procedures. Strategic Aim of the Information and Records Management Policy To provide a framework for the management of information that complements existing and future policies and strategies of QAA and embodies QAA s standards of integrity, accountability and openness, whilst supporting the delivery of QAA s business objectives. Desired Outcomes QAA s Information management policy framework will provide a comprehensive system of integrated policies, procedures and guidelines, supported by information capture, storage, analysis and exchange systems that will enable the Chief Executive and all QAA staff to: conduct their daily business efficiently and effectively have timely access to meaningful and appropriate information operate within the requirements of prevailing legislation support and inform QAA decision-making respond appropriately to information and data requests. Supporting policies focussing specific information security issues (clear desks, infrastructure access and password requirements) can be found as annexes to this Information and Records Management Policy Principles of the Information and Records Management Policy The information collection, storage, analysis and exchange processes (information resources) within QAA should embody the following principles: information resources, regardless of where they are held, are a corporate resource and collective memory and are the property of QAA and not the property of individuals there should be the opportunity for the free flow of information, as appropriate, across QAA all users should be accountable for their use of information and information resources staff should be able to access information for the effective performance of their role information should be timely, accurate and unambiguous information management must comply with prevailing legislation there should be consistency in information and associated processes all change should be planned and managed confidential information must be protected and all information resources and processes must add value to the work of QAA and demonstrate value for money information should be managed in accordance with agreed procedures those with responsibility for managing information resources and process must be clearly identified records with permanent value are preserved in QAA s archives and non-permanent records are destroyed according to QAA s retention and destruction schedule and procedures for destroying confidential records.

3 QAA will provide all staff with the necessary information based skills and training required for them to undertake their roles effectively, efficiently and in accordance with the Information and Records Management Policy and procedures. Responsibility for QAA s information and records Following consultation with SMC/Directorate, the Information Governance Group is responsible for authorising policy and procedure and ensuring compliance. The Company Secretary is responsible for ensuring legal requirements relating to information and record keeping are met. The Information and Records Manager, reporting to the Head of Information Management and Infrastructure, is responsible for developing and implementing information and records management policy and procedure, monitoring its use and for monitoring compliance with legal requirements. The Chief Executive, Directors, Heads of Function and team managers are responsible for monitoring working practice and ensuring compliance with Information and Records management policy and procedures. All staff are responsible for creating, maintaining and processing information in line with Information and Records management policy and procedures. Scope of the Policy This policy covers information, data and records created or held by QAA in any media or format.

4 Annex 1 Clear desk and clear screen policy 1 QAA has a clear desk and clear screen policy to reduce the risks of unauthorized access to, or loss of, or damage to, information. A cluttered office may also cause health and safety hazards. 2 The policy applies to all QAA offices (Gloucester, Glasgow, London and Cardiff), and covers not only desks but your entire workspace, in the open plan and all offices. 3 At the end of each day all information and records in hardcopy or on any form of removable media must be locked away in pedestals, filing cabinets or fire safes as appropriate - in the open plan and in all offices. 4 At any time that work spaces or offices are unoccupied, confidential information must be locked away in pedestals, filing cabinets or lockable offices, as appropriate. 5 All waste paper must be placed in the locked recycling bins. 6 Whenever leaving your desk with your PC switched on, the screen must be locked. 7 If working on sensitive information, and you have a visitor to your desk, lock the screen to prevent the contents being read. 8 Staff must not leave sensitive information on unoccupied desks. Information should be handed to an appropriate colleague or placed in a lockable storage location. 9 Failure to abide by this policy may result in disciplinary action. Who do I contact for help? Information Security: Sam Phillips and Barbie Panvel. Health and Safety: Vinay Karadia. See also the Clear desk guidelines

5 Annex 2 Infrastructure Access Policy QAA prioritises information security and will take all possible measures to ensure that our infrastructure remains secure, while ensuring that staff have access to the information they need to do their work. Network access All internet and web traffic is logged, with web traffic being logged to the URL level. In certain circumstances it is necessary to give a third party access to internal or test systems. Application development for instance requires access to our testing facilities to ensure that it is tested in an appropriate environment. Where possible such access should be limited by both packet filtering and access permissions. Remote network access QAA will continue to offer a variety of ways to access our systems remotely for staff and reviewers. QAA is committed to continuously improving the security and availability of remote network access. Temporary or guest user accounts QAA very rarely use temporary accounts but if very short term access is required to share information securely these accounts will be created under a rigid set of restrictions. Physical access to secure areas Each secured area has an associated owner or owners. The owners are responsible for ensuring that the approved access list for each room is maintained correctly, and documenting any breach. Authorised Staff are trusted not transfer their access to a third party without the recorded consent of the area owner, except in an emergency. Third Party access to secured areas must be authorised by the room owners or authorising staff, except in an emergency. Third Parties must be accompanied at all times while in the secured area, including where possible in an emergency situation. Who do I contact for help relating to this policy? Technical Support Manager Stephen Boylett.

6 Annex 3 Passwords requirements and use policy Without proper security in place, QAA would not be in a position to deliver any strategic aims. We would risk losing the confidence of the HE sector and students through loss of confidential data or misuse of our system by malicious third parties. Like most IT systems we rely heavily on passwords for authenticating users and as such, we need to ensure they meet a minimum standard to safeguard our data. This policy applies to all users of the QAA s network, including remote-access facilities and ARCS. All user accounts must have a password set. The format and use of this password must comply with the Password requirements and use procedure. Users must not reveal their password to anyone except IMI Staff who may occasionally require access to your password information to assist you with the installation or setting up of IT equipment. In these circumstances users are advised to change their password using the CTRL ALT DEL facility available through windows as soon as practical. All passwords must be treated as sensitive, confidential QAA information. Any user found to have violated this policy may be subject to disciplinary action. Password strength is audited on an annual basis by attempting crack current passwords. Who do I contact for help relating to this policy? IMI service desk