Corporate Records Management Policy

Transcription

1 Corporate Records Management Policy Introduction Part 1 Records Management Policy Statement. February 2011 Part 2 Records Management Strategy. February 2011 Norfolk County Council Information Management Service, B31 Martineau Lane Norwich, NR1 2DQ information.management@norfolk.gov.uk Corporate Records Management Policy Page 1 of 14

2 Part 1. Corporate Records Management Policy Statement 1. Introduction 1.1 Section 224 of the Local Government Act 1972 requires that a principal council shall make proper arrangement with any documents that belong to or are in the custody of the council or any of their officers. 1.2 This policy statement is issued in accordance with Section 224 and Section 7 of the Lord Chancellor s Code of Practice on The Management of Records by Public Authorities, issued under the provisions of Section 46 of the Freedom of Information Act 2000 (the Code): Norfolk County Council s records are an important public asset. They are the Council s corporate memory. Their systematic management is essential to the Council s efficient operation and its accountability in the future as well as the present. Norfolk County Council is committed to creating, keeping, and managing records which document its activities. 2. Definition of a record A record is information created or received, and maintained for a purpose in pursuance of legal obligations or in the transaction of business Scope 3.1 This policy applies to all of the County Council s records, wherever they are located and irrespective of the technology used to create and store them or the type of information they contain, i.e: Paper documents and files Digital documents and files Electronic records management systems Business and information systems (e.g. case management, finance, and geographical information systems) The contents of websites. 3.2 All staff should recognise that all the records they create, receive or maintain in the course of County Council business are official records of the organization. 3.3 This policy supports the Council s Information Management Strategy and is complementary to corporate policies and strategies on Information security Data Protection Digital Preservation ICT Business Continuity Data Quality Management Information 4. Purpose 4.1 The purpose of this policy is to facilitate the delivery of the objectives of Norfolk County Council. The purpose of this policy will be fulfilled by the following means: Corporate Records Management Policy Page 2 of 14

3 Creating and maintaining records of business activities that are sufficiently complete and accurate to enable the Council s employees to undertake appropriate actions to: Provide credible and authoritative evidence of the Council s activities and decisions Protect the legal rights of the Council, its clients, and others affected by our actions Facilitate audit and examination of the Council s business. Maintaining records securely, and taking appropriate measures to minimise the risk of their loss, damage or misuse Maintaining the integrity of records Assigning due value and relative importance to all records, and managing them accordingly Ensuring that records which support critical activities are identified and made accessible to allow continuity of service during a disruption Identifying, registering, marking and protecting Vital Records Ensuring that information is located, retrieved and delivered in a timely and appropriate manner to support business activities and corporate knowledge management, and to comply with access to information legislation Ensuring that all records created are accessible to the authorised users and the information contained therein is available on request to the public unless the content is exempt under legislation Ensuring that the disposal of records is appropriate to their value and importance, and to business need, and is compliant with corporate guidance and any relevant statutory and regulatory frameworks that govern the retention and disposal of records. Ensuring that records with potential historical value are permanently retained as archives. 5 Implementation 5.1 Implementation of this policy is by means of a Records Management Strategy setting out: Organisational arrangements, roles and responsibilities Keeping records Systems Storage and maintenance Security and access Disposal Managing records under collaborative arrangements and outsourcing Guidance and training The way in which compliance with the policy will be monitored and reported. Corporate Records Management Policy Page 3 of 14

4 6 Review This policy will be reviewed regularly and at least once every three years. 1 Definition agreed by the Freedom of Information and Records Management Board, 6th December 2005 and derived from the definition of a record in BS ISO : Information and Documentation Records Management Part 1: General. This definition reads: Records information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business. This Policy Statement was formally approved by the Information Management Board on 15 February First issued: September 2006 Next scheduled review date: February 2014 Corporate Records Management Policy Page 4 of 14

5 Part 2. Corporate Records Management Strategy 1. Introduction 1.1 The purpose of this strategy is to implement the Council s Records Management Policy and ensure that management of the Council s records is compliant with Section 224 of the Local Government Act 1972 and the Lord Chancellor s Code of Practice on The Management of Records by Public Authorities, issued under Section 46 of the Freedom of Information Act 2000 (the Code). 1.2 Schedule 1 lists the statutes and regulations that directly bear on the management of the Council s records generally. There is also a body of legislation informing recordkeeping in relation to specific tasks and duties, for example adoption and fostering services, residential care, planning, health and safety, finance, and human resources management. 1.3 Schedule 2 lists standards and codes of practice with which this strategy aspires to be compliant. 1.4 Detailed instruction and advice for the delivery of this strategy is set out in a Records Management Handbook published on the corporate Intranet. 1.5 Expert advice will be sought from within and outside Norfolk County as appropriate when drafting procedures and guidance, and in particular guidance issued by The National Archives will be consulted. 2. Scope 2.1 This strategy applies to all records as defined in sections 2 and 3 of the Records Management Policy Statement, wherever they are held and throughout the records lifecycle. 2.2 This strategy sets out: A. Organisational arrangements and roles and responsibilities for records management within the Council. B. A framework of principles to ensure that: Individual responsibilities for the creation and management of records are understood by staff at all levels The authenticity and integrity of records can be assured Record-keeping processes and systems are in place Access to records is facilitated Records are stored, protected and preserved appropriately Records are appraised and reviewed systematically Records are disposed of, either by destruction or transfer to an archive, systematically, in the appropriate manner, and with the appropriate approval Records shared with other bodies or held on the Council s behalf by other bodies are managed in accordance with the Code Adequate training and guidance in managing records is available to staff at all levels. C. Arrangements for reviewing and monitoring the quality of implementation of the records management policy. Corporate Records Management Policy Page 5 of 14

6 3. Organisational arrangements for records management within the Council 3.1 The Chief Officers role is to endorse and support the delivery of good records management within their departments and to investigate any exceptions reported to them. 3.2 The Information Management Board is responsible to the Chief Officer Group for all aspects of information strategy and policy. 3.3 The County Archivist is responsible for ensuring the delivery of this records management strategy, for promoting good co-ordination and standards in records management across the Council at a strategic level, and for the permanent preservation of the Council s records deposited in Norfolk Record Office. 3.4 The Corporate Freedom of Information Officer and Records Manager (CFOIO) leads on the corporate management of records across the County Council. The CFOIO s role is to deliver this strategy by: supporting departments to ensure that records are managed consistently and in accordance with the Code and prevailing corporate policy and practice; working with departments to develop policies on the closing, archiving and disposing of files; developing corporate procedures, systems, and tools for managing records; and overseeing the full implementation of the electronic record keeping system. 3.6 All departments should appoint either a departmental records manager or designated officers with records management responsibilities who are responsible for Managing the department s records and in particular for the structures to ensure the proper capture, maintenance, and disposition of records, and Liaising with the CFOIO to ensure a) that departmental needs are brought to the attention of the CFOIO and b) that corporate policy is integrated into local practice. 3.7 ICT managers are responsible for the design, building and maintenance of systems in which electronic records are generated and used, and the technical operation of computer and communication systems. 3.8 Business managers and process owners are responsible for Managing a) the Council s business processes or functions within which records are created or received, and b) the primary units requiring the records for their operations, and ensuring that adequate records are kept of the activities for which they are accountable. 3.9 End users generate and use records in their daily activities. Individual members of staff are responsible for ensuring that records are created and managed appropriately according to corporate and departmental guidelines and are disposed of according to the corporate records retention and disposal scheme. 4. Keeping records 4.1 The Council will ensure that records are kept for business, regulatory, legal and accountability purposes. 4.2 In determining what is to be recorded and assessing the risk of not maintaining a record, the following factors should be taken into account: Corporate Records Management Policy Page 6 of 14

7 The legislative and regulatory environment, both general and specific Business continuity The ability, for current business purposes, to refer to pertinent authoritative information about past actions and decisions The protection of the legal and other rights of the Council, its employees and third parties Accountability for the Council s actions. 4.3 Having determined what is to be recorded, business rules should be developed that identify: Which decisions, actions, and transactions should be recorded By whom the record should be made At what stage the record should be made, or that information should be declared to be a record What should be contained in the record The type or category of record The manner in which the record should be stored The status of the record, in respect of o A vital record o A record necessary to business continuity o A record that warrants protective marking. 4.4 Record-keeping will be assured in the following ways: Managers are responsible for ensuring that the agreed records of the work of business units, programmes, and projects are kept and are available for corporate use All staff are be aware of which types of record the council keeps, and what information is considered ephemeral All staff know which records they create or maintain are necessary to ensure business continuity All staff are aware of their personal responsibility to keep accurate and complete records as part of their daily work All staff are aware of, and comply with, business rules and good practice guidance in naming records and folders so that a record title reflects its nature and content and is as a result easier to locate and retrieve. 4.5 Controls are put in place where necessary to ensure that a record s evidential value, i.e. its authenticity, reliability, integrity, and usability, can be demonstrated. 4.6 Controls are put in place where necessary to ensure that records containing sensitive information are appropriately and consistently marked and subject to security measures consonant with the marking. 5 Systems 5.1 For clarification, in this section a system is any system, the purpose of which is to capture, manage, and provide access to recorded information over time. The system may Corporate Records Management Policy Page 7 of 14

8 be a single entity or an aggregation of entities managed to these ends. The system may be electronic, manual, or comprising both electronic and manual constituent parts. 5.2 Records systems will be designed to serve the Council s operational needs. 5.3 Records systems will be designed to enable Quick and easy retrieval of information Routine records management processes to take place The context of a record and its relationship to other records to be understood An audit trail to be produced. 5.4 Records systems will be designed to provide Business continuity Secure storage Protection from accidental or unauthorized alteration, copying, movement or destruction Protection from unauthorized access and misuse. 5.5 Organization and management of records and their content, and information retrieval, will be facilitated by means of a business classification scheme based on function and activity and using the Local Government Classification Scheme (LGCS) model. In particular, the Classification Scheme will be used in the following: Corporate file plan Records retention and disposal scheme Information Asset Register Records inventories Electronic Document and Records Management System (EDRMS) 5.6 A single corporate file plan will govern the organization of electronic folders and files. 5.7 Standard metadata, set out in a corporate metadata set, will be used to assist retrieval and transfer of information, and continued access to information over time, and will cover: business context, records classification, authorship or ownership, structure and characteristics of records, description of content, retention and preservation, security, and Data Protection Act sensitivity. 5.8 Retention and Disposal arrangements The retention and disposal of records when they cease to be in active use will be determined by legislative and regulatory requirements and business need. Processes will be fully and formally documented The corporate records retention and disposal scheme will be published externally as well as internally, and will be observed throughout the Council Procedures and documentation relating to disposal of records will cover: Closure of records Appraisal and selection for retention, transfer to archives, and destruction Authorisation of disposal Transfer processes, including transfer to an archive Certification of destruction. Corporate Records Management Policy Page 8 of 14

9 5.9 Storage and sustainability Arrangements for records storage and sustainability will support and complement the Council s policies and strategies in respect of its estate and working practices, and in particular Business Continuity Norfolk Workstyle Corporate criteria and standards will ensure that records are stored, maintained and preserved appropriately A Corporate Digital Records Preservation Policy will address the sustainability over time of electronic records. 6. Training for staff 6.1 The Council has a responsibility for ensuring that staff know the extent of their individual records management responsibilities and have the means and skills to fulfil them. 6.2 An in-house modular records management training programme will support the development and maintenance of a records management skills base in departments. 6.3 Records management principles will be included in induction-level information management e-learning resources. 7. Review and monitoring 7.1 This strategy is subject to ongoing oversight by the Information Management Board, to whom highlight reports are submitted. It will be fully reviewed by them at least every three years. 7.2 Internal Scrutiny Self-Assessment Compliance with the Lord Chancellor s Code of Practice under S.46 of the Freedom of Information Act 2000 is self-assessed by reference to the Self-assessment Questionnaire for Compliance with the revised Records Management Code of Practice, issued by The National Archives Internal Audit Programme This is a programme of scheduled reviews which identify places and occasions where there is non-compliance with policy and procedures, make recommendations regarding tightening of controls or achieving compliance, and draw up action plans to address issues identified. 7.3 External scrutiny may be conducted by: The National Archives Inspection and Advisory Service The Information Commissioner. 8. Electronic records 8.1 This strategy applies to electronic records as well as those in traditional media. It includes the management of an electronic document and records management system (EDRMS), and electronic line-of-business and case-management systems. Corporate Records Management Policy Page 9 of 14

10 8.2 Particular issues in managing electronic records that will be addressed by the measures described in this strategy include: Integrity and legal admissibility of content Audit trailing Potential isolation of individual records from their business context, in particular Ease of duplication and modification Hidden evidence of the underlying structure of digital objects Short-lived media and systems Proprietary formats and software Relationships with non-electronic records Management of corporate records held in so-called Web 2.0 applications such as Twitter and Facebook. This Policy Statement was formally approved by the Information Management Board on 15 February First issued: September 2006 Next scheduled review date: February 2014 Corporate Records Management Policy Page 10 of 14

11 Corporate Records Management Strategy: Schedules These are subject to a rolling review process and updated in the light of changes to the statutory framework or the publication of new or revised standards and codes of practice. Schedule 1: Legislative Framework Schedule 2: Standards and Codes of Practice Corporate Records Management Policy Page 11 of 14

12 Schedule 1 Legislative Framework Current legislation includes: Data Protection Act 1998 Freedom of Information Act 2000 Environmental Information Regulations 2004 Health and Safety at Work Act 1974 Limitation Act 1980 Local Government Act 1972 Public Records Acts 1958, 1967 Re-use of Public Sector Information Regulations 2005 As new legislation is enacted, it will be added to the Schedule. Corporate Records Management Policy Page 12 of 14

13 Schedule 2 Standards and Codes of Practice The County Council s records will be managed in compliance with, or by reference to relevant sections of, the following current standards and codes of practice: The Lord Chancellor s Code of practice on the management of records issued under section 46 of the Freedom of Information Act 2000 Generally Accepted Recordkeeping Principles (GARP) BS ISO :2001 Information and Documentation Records Management Part 1: General BS ISO :2001 Information and Documentation Records Management Part 2: Guidelines BS ISO :2006 Information and documentation Records management processes Metadata for records Part 1: Principles BS ISO :2009 Information and documentation Records management processes Metadata for records Part 2: Conceptual and implementation issues BS EN :2001 Document management. Principles and methods BS EN :2005 Document management. Metadata elements and information reference BS 5454 Recommendations for the storage and exhibition of archival documents BS EN 15713:2009 Secure destruction of confidential material Code of Practice BS Evidential weight and legal admissibility of electronic information. Specification BS ISO/IEC 27002:2005 Information Technology Security techniques. Code of Practice for information security management BIP 0008 Code of Practice for Legal Admissibility and evidential weight of information stored electronically Model Requirements for the Management of Electronic Records (MoReq) The National Archives Guidelines for management, appraisal and preservation of electronic records. PD0010 The principles of good practice for information management BS 10012:2009 Data Protection Specification for a personal information management system Corporate Records Management Policy Page 13 of 14

14 BS :2006 Business continuity management. Code of Practice PAS 197:2009 Code of Practice for cultural collections management (As new standards and codes are published, they will be added to the Schedule.) Corporate Records Management Policy Page 14 of 14