Records Retention and Disposal Schedule. Information Management

Transcription

1 Records Retention and Disposal Schedule Information Management

2 Version control Version Author Policy Approved By Approval Date Publication Date Review Due V 1.0 Information Governance Unit Philip Jones, Head of Information Governance 03/04/2012 April 2012 March 2013 Information Rights Staffordshire County Council asserts its right to be identified as the author of this Retention Policy and Schedule, and a statement to this effect must be clearly displayed when reproducing all or any part this document. Disclaimer This Policy and Schedule reflect the record keeping requirements of Staffordshire County Council. Staffordshire County Council accepts no liability if this Retention Schedule is used by individuals or organisations outside of the Authority.

3 Understanding Retention and Disposal Schedules Business Classification: Describes the business functions, activities and processes that records support Scope Notes: Further define the business function, activity or process that records support Retention Trigger / Closure Procedure: Defines the event that triggers the start of the retention period and/or closure procedure Retention Period: Specifies the length of time records must be kept following the retention trigger event Disposal Action: Specifies disposal action following end of retention period Authority: Identifies the legal, regulatory or business reasons that records need to be created, received and kept (even if requirements are not explicitly stated)

4 Contents Business Classification Page Corporate Governance 1 Information Management 1 Information Access Management 1 Access to Information Compliance Audit 1 Data Controller Notification 1 Copyright Administration 1 Public Sector Information Reuse Management 1 Data Sharing Protocol Development 1 Publication Scheme Maintenance 1 Information Security Management 1 Information Security Compliance Audit 1 Incident Response & Investigation 1 Records Management Programme Implementation 1 Records Management Compliance Audit 1 Classification Scheme Development & Maintenance 2 EDRMS Specification & Configuration 2 Re-organisation Rationalisation & Closure Planning Support 2 Retention Schedule Development & Maintenance 2 Records Storage Management 2 Disposal Processing 2 Records Migration 2 Retrieval Requests Processing 2 Transfer Processing 2 Surveillance Management 2 Investigatory Powers Regulation Monitoring 2 Index

5 Business Classification Scope Notes Retention Trigger (event triggering start of retention period) / Closure Procedure Corporate Governance Information Management Information Access Management Access to Information Compliance Audit Audit to ascertain compliance with access to information requirements Including: Privacy impact assessment Close records at completion of audit Data Controller Notification Notification data controllers to ICO Retention Period starts at Date Created Retention Period Disposal Action (following end of retention period) Authority Management of Information Assets Including: Information access management, Information security management, records management programme implementation, records storage & surveillance management Excluding: Strategic planning, policy & standards development, communications management, training provision, enquiries management & statutory complaints management Management of Information access Including: Publication scheme maintenance, compliance audit, privacy impact assessment, data controller notification, information rights management, copyright administration, reuse of public sector information, development of data sharing protocols Excluding: Enquiries management & statutory complaints management Retain records for 3 years Data protection Act 1998 Limitation Act 1980, Data protection Act 1998 Copyright Administration Administration of copyright Excluding: Licensing Retention Period starts at Retain records 6 year Copyright, Designs & Date Created Patents Act 1988 Public Sector Information Reuse Management Management of public sector information reuse Close records when licence expires or terminated Reuse of Public Sector Information Regulations 2005, Protection of Freedoms Bill Data Sharing Protocol Development Development negotiation & agreement of data Close records when Data protection Act 1998, sharing protocols Excluding: Formal legal agreements & contracts superseded or terminated Data Sharing Code of Practice 2011 Publication Scheme Maintenance Maintenance of scheme of published & publicly available information Close records when superseded Limitation Act 1980, Freedom of Information Act 2000 Information Security Management of information security Including: Incident response & investigation, compliance audit & Information Asset Register maintenance Management Information Security Compliance Audit Audit to ascertain compliance with information Close records at Retain records for 3 years Data protection Act 1998 security requirements completion of audit Incident Response & Investigation Response to & investigation of security breach incidents Records Management Programme Implementation Records Management Compliance Audit Audit to ascertain compliance with records management requirements Close records at conclusion of investigation, subsequent action, or resolution of incident Development & implementation of records management programme Close records at completion of audit Retain records for 3 years Limitation Act 1980, Computer Misuse Act 1990, Police & Criminal Evidence Act 1984 Page 1

6 Business Classification Scope Notes Retention Trigger (event triggering start of retention period) / Closure Procedure Classification Scheme Development & Maintenance EDRMS Specification & Configuration Development & maintenance of classification scheme(s) Including: Structuring & organisation of records & information systems Development, review & configuration of records management elements of electronic document & records management systems (EDRMS) Including: consultation Excluding: ICT systems design, development, integration & maintenance Close records when superseded Close records when implementation completed Retention Period Disposal Action (following end of retention period) Authority Business Need Re-organisation Rationalisation & Closure Planning Support Provision of records management planning & support required by re-organisation, rationalisation & closure of services & premises Close records following completion of reorganisation, rationalisation or closure Business need Retention Schedule Development & Maintenance Development & maintenance of records retention schedules Close records when SCC no longer responsible for all functions contained within schedule Retain records 0 years Records Storage Management Management of records storage Including: Storage capacity management, record transfer processing, retrieval request processing & disposal processing Disposal Processing Administration of records disposal processes Including: Identification of records due for disposal, review, disposal authorisation, transfer or destruction Close records following disposal of records to which destruction process documentation relates Records Migration Planning & implementation of records migration between systems, storage & migration or conversion to alternative media or formats Close records of migration when records destroyed Retain records 0 years Business need Retrieval Requests Processing Processing of requests to retrieve records from storage Close records following return of issued item(s) Transfer Processing Transfer of physical records into off-site storage Close records when Business Need records destroyed Surveillance Management Management of surveillance Including: Management of access to communications data, covert human surveillance & directed surveillance Investigatory Powers Regulation Retention Period starts at Monitoring Date Created Monitoring of investigatory powers processes Including: Access to communications data, covert human surveillance & directed surveillance Excluding: Carrying out of investigations & surveillance activities Retain records for 6 years Limitation Act 1980, Regulation of Investigatory Powers Act 2000 & Code of Practice Page 2

7 Index Business Classification Page Access to Information Compliance Audit 1 Classification Scheme Development & Maintenance 2 Copyright Administration 1 Corporate Governance 1 Data Controller Notification 1 Data Sharing Protocol Development 1 Disposal Processing 2 EDRMS Specification & Configuration 2 Incident Response & Investigation 1 Information Access Management 1 Information Management 1 Information Security Compliance Audit 1 Information Security Management 1 Investigatory Powers Regulation Monitoring 2 Public Sector Information Reuse Management 1 Publication Scheme Maintenance 1 Records Management Compliance Audit 1 Records Management Programme Implementation 1 Records Migration 2 Records Storage Management 2 Re-organisation Rationalisation & Closure Planning Support 2 Retention Schedule Development & Maintenance 2 Retrieval Requests Processing 2 Surveillance Management 2 Transfer Processing 2