Records Management Policy & Guidance




Document Control

Document Details
Author: Nigel Spencer
Company Name: The Crown Estate
Department Name: Information Services
Document Name: Records Management Policy
Version Date: 28/09/12
Effective Date: 1 November 2012
Version: 1.3
Issue: THREE

Change Record
Modified Date | Author | Version | Description of Changes
14/07/2009 | N Spencer | 1.0 | Comments addressed and minor format changes
23/05/2011 | S Smith | 1.1 | Reviewed on behalf of Service Desk
25/05/2011 | A R Last | 1.2 | Reviewed by M Brazier & A R Last
28/09/12 | A R Last | 1.3 | Annual review

Stakeholder Sign off
Name | Position | Signature | Date
Nigel Spencer | Information Services Manager | | May 2011
Martin Brazier | Knowledge Manager | | May 2011
Nigel Spencer | Head of IS | | September 2012
Martin Brazier | Knowledge Manager | | September 2012

Security Sign-off
Name | Position | Signature | Date
Adrian Last | Business Support Manager | | May 2011
Adrian Last | ISMS Manager | | September 2012

Table of Contents

1. Policy Purpose
2. Introduction
2.1. What are records?
3. Organisational Arrangements
3.1. Lead Responsibility
3.2. Responsibility of Heads of Business Units
3.3. Information Asset Owners
3.4. Responsibility for Change Management
3.5. General Roles and Responsibilities
4. Records Systems
4.1. Information Classification
4.2. Choosing Where to Store Records
5. Storage of Paper Records
5.1. New Paper Records
5.2. Legacy Paper Records and SAPA
5.3. Items on Loan from The National Archives
6. Security of Records
6.1. Access Control
6.2. Collection of Evidence of Security Breaches
7. Retention and Disposal
7.1. General Principles
7.2. Making Disposal Decisions
7.3. Implementing Disposal Decisions
7.4. Documenting Destruction
8. Records Created by Partners
8.1. Typical Contract Requirements
8.2. Collection of Evidence of Security Breaches
9. Review of Records for Transfer to The National Archives
9.1. Selection of Records for Permanent Preservation
9.2. Determining the Access Status of Records
9.3. Transfer of Public Records
10. Compliance
10.1. Monitoring and Reporting
11. Review of Records for Transfer to The National Archives
11.1. Selection of Records for Permanent Preservation
11.2. Determining the Access Status of Records
11.3. Transfer of Public Records
12. Compliance
12.1. Monitoring and Reporting
13. User Awareness
14. Incident Reporting
15. Disciplinary Process
16. Deviations From Policy
17. Glossary Of Terms
Appendix A - List Of Related Documents, Procedures And Processes

1. Purpose

The aim of this policy is to ensure that employees and agents and advisers are aware of their responsibilities when managing records belonging to The Crown Estate and has been written to support the Management Board Statement below:

We recognise that records management is vital to our business. Effective records management will help us to ensure we have the right information at the right time to make the right decisions. It will provide evidence of what we do and why, thereby protecting our interests. We recognise that records and the information they preserve are essential corporate assets. By implementing this policy, we aim to balance our commitment to integrity, openness and transparency with our commercial and stewardship responsibilities. We will provide supporting standards, procedures and guidelines, and monitor compliance with them. We will review this policy annually or whenever a significant change is being planned, and we will keep it up to date.

2. Introduction

Managing Crown Estate records to agreed standards is essential if those records are to be available and used in the future. Freedom of information and data protection legislation has put greater emphasis on our obligation to maintain a corporate memory securely and to make information available to the public as appropriate. All records need to be managed in line with legal, business or heritage obligations and be accessible, accurate, in good condition and either held permanently or disposed of in a timely fashion, as appropriate. Furthermore, adequate records management ensures the security of our information and is an enabler for accreditation under ISO27001. All employees, advisers and agents should be aware of the value of the Crown Estate records they create or manage, and relevant legislation and regulations governing their use and retention.

This policy defines the way Crown Estate records and information should be managed to standards which ensure that vital and important records are identified, that the business holds records that are necessary, sufficient, timely, reliable and consistent with business need, and that legal and regulatory obligations are met. It also defines the roles and responsibilities for the creation, safekeeping, access, change and disposition of information.

2.1. What are records?

Records provide a history in detail of an issue, matter, dealing, transaction, project, initiative or decision. Any type of document, data and information in any format can be a record, including paper, electronic files, emails, presentations, scanned images, spreadsheets and models. It is important that all evidence is recorded to show the build-up and background to outcomes. A record is not just the final report or product. To use an analogy with paper file systems, it is important to include draft versions, correspondence, memos, notes and comments - the metaphorical pencilled notes in margins - which all help to tell the story and retain the corporate memory. In the electronic world, we must strive to retain and secure all related information in such a way that it is holistic and in context.

3. Scope

The scope of this policy applies to:
- The Crown Estate's personnel, temporary staff, contractors and service providers utilising The Crown Estate's information system resources; and
- Information system resources, including data networks, LAN servers and personal computers (stand-alone or network-enabled) located at The Crown Estate and non-Crown Estate locations, where these systems are under the jurisdiction and/or ownership of The Crown Estate, and any personal computers and/or servers authorised to access The Crown Estate's data networks. Personal mobile devices such as Blackberrys and laptops provided by The Crown Estate are also included. Third parties shall also adhere to this policy.
- All corporate records, whether in paper or electronic format.

4. Policy

4.1. Policy statement

The Crown Estate's records are assets essential to The Crown Estate's business and its dependency on these assets to meet its statutory obligations demands that appropriate levels of records management be instituted and maintained. It is The Crown Estate's policy that appropriate organisational arrangements (see Section 5 below) and processes (Sections 6 to 9) are implemented to ensure its records are maintained in a systematic and orderly fashion, protected against accidental or malicious destruction, damage, modification or disclosure, and to maintain appropriate levels of confidentiality, integrity and availability of its records.

4.2. Policy objectives

The objectives of this policy with regard to records management are to:
- Ensure that comprehensive records are readily available as a corporate memory to enable The Crown Estate to conduct its business in an effective way;
- Enable The Crown Estate to meet its statutory obligations;
- Minimise reputation exposure, which may result from ineffective records management.

4.3. Policy overview

The Crown Estate's records are important business assets. Appropriate systems are required to ensure that sufficiently comprehensive and complete records are kept to enable The Crown Estate to maintain a corporate memory sufficient to meet its statutory obligations. Users should be made aware of the dangers of inadequate record keeping.

4.4. Policy maintenance

Supporting standards, guidelines and procedures will be issued on an ongoing basis by The Crown Estate. Users will be informed of any subsequent changes or updated versions of such standards, guidelines and procedures by way of e-mail or other relevant communication media. Users shall then have the obligation to obtain the current information systems policies from The Crown Estate Intranet or other relevant communication media on an ongoing basis and accept the terms and conditions contained therein.

5. Organisational Arrangements

5.1. Lead Responsibility

The Management Board recognises the importance of records management as a core corporate function, as part of a wider knowledge management function. This responsibility covers records in all formats throughout their lifecycle, from planning and creation through to disposal and includes records managed on our behalf by external partners. Allocation of lead responsibility for the records and information management function is designated to the Director of Finance and Information Systems to act as a records management champion. Operational responsibility is designated to the Knowledge Manager.

5.2. Responsibility of Heads of Business & Support Groups

Heads of business and support groups are responsible for ensuring that adequate records are kept of the activities for which they are accountable. Roles and responsibilities for records management and information security will form part of staff induction procedures (including temporary staff, contractors, secondees and consultants) to ensure that all staff are aware of the business's records management policies, standards, procedures and guidelines and understand their personal responsibilities. Heads of business groups are responsible for ensuring that their staff know how they apply to their business or support groups. General responsibilities will be included in Personal Scorecards, with more detailed objectives set for those with a more specific role in record keeping.

5.3. Information Asset Owners

Heads of business and support groups are the information asset owners for the information generated or used in their area of responsibility.

5.4. Responsibility for Change Management

Records management issues will be considered when planning or implementing IT systems, when extending staff access to new technologies and during re-structuring or major changes to the organisation.

5.5. General Roles and Responsibilities

Management Board - board level responsibility for ensuring compliance with this policy lies with the Director of Finance and Information Systems. Individual Management Board members have responsibility for ensuring that their heads of business units follow procedures and guidance, comply with the records management policy and standards, and that records management is carried out in accordance with those procedures.

Knowledge Management Team - this team has the following responsibilities:
- ensure that the records management policy and standards are kept up to date and relevant;
- raise staff awareness of records management issues;
- provide advice and guidance to heads of business units and staff;
- audit compliance with the records management policy and associated standards;
- develop and maintain retention and disposal schedules and document disposal activity.

Heads of Business & Support Groups - are responsible for taking the lead on records management issues in their areas of responsibility, and ensuring that procedures and guidance are in place which support the records management policy and associated standards.

All staff - all staff who receive, create, maintain, use or delete records are responsible for ensuring that they do so in accordance with this policy.

6. Records Systems

6.1. Information Classification

The Protective Marking System (often referred to as the Government Protective Marking System/Scheme or GPMS) is the Government's classification system to ensure that access to information and other assets is correctly managed and safeguarded to an agreed and proportionate level throughout their lifecycle, including creation, storage, transmission and destruction. The system is being adopted by The Crown Estate to ensure good business practice and meet the requirements of relevant legislation and regulation. It is a means of protecting information from accidental or deliberate compromise or disclosure. As staff at The Crown Estate generate and handle sensitive or confidential documents, they must apply the Protective Marking System, and the necessary controls and technical measures as detailed in the Information Classification and Data Handling Policy.

6.2. Choosing Where to Store Records

For many specialist types of records there will be an obvious and dedicated repository. For example, financial and purchase-to-pay records will be stored in Agresso, and some HR records in Snowdrop. However, the majority of records are created by standard desktop applications such as Word, Excel, PowerPoint etc. It is the storage of the records created by these generic applications that requires greater levels of advice and guidance.

6.2.1. Personal Storage - Portable Media

Portable media (memory sticks) are provided for users to store small quantities of information which needs to be mobile or intended for sharing with others. Portable media must not be used to store any information which does not exist as a record on a Crown Estate computer system. Information on a memory stick must be considered as in transit and dispensable and transferred as a record as soon as is practicable. Portable media must be encrypted. Crown Estate records must not be transferred to CD or DVD.

6.2.2. Personal Storage - The U: Drive

The U: drive is provided for users as a short term area to store personal and rough draft information. For example, users might choose to keep working copies of their personal scorecards or expenses. However, the U: drive must not be used to keep corporate records.

6.2.3. Shared Storage - The S: Drive

The S: drive stores archived material, and cannot be used to store new records. Some transient information may be stored there by exception and prior arrangement. The S: drive must not be used to keep records.

6.2.4. Corporate Document & Records Management System - Wisdom

Wisdom is the corporate document and records management system and is provided for users to store information which forms the corporate record; that is the corporate memory of the work of the organisation. Wisdom provides adequate security of access, implements Protective Marking and provides an audit trail and version control for the evolution of documents. It also has appropriate functionality to specify and implement retention and disposal schedules and to review records under the Public Records Act.

7. Storage of Paper Records

7.1. New Paper Records

The Crown Estate no longer keeps paper records as a matter of course. There are exceptions, such as title deeds, contracts and signed agreements. Individuals must not keep their own private or personal paper files of corporate information - corporate paper documents (such as incoming letters) must be scanned and placed into Wisdom and the originals securely destroyed.

7.2. Legacy Paper Records and SAPA

Legacy paper documents are held in an offsite store at Peterborough, run by Document Control Services Limited (DCS). Physical security arrangements for those records vary according to need - title deeds, for example, are held in vacuum sealed packets in fire safes.

The content of the external store can be interrogated using the SAPA application, accessible from the home page of The Crown Estate Intranet, i-site. From SAPA, users can request the transfer of an item or request that it is scanned. Proactive scanning of frequently-used files is undertaken monthly, and the scanned images placed on Wisdom.

Records that are recalled from the store are delivered to the requester, and remain in their safekeeping until returned. Requesters will be permitted to retain a file for up to three weeks, after which it must be returned. If a file is needed for longer than three weeks, the file will be scanned and made available through Wisdom. Original paper files will only be released for longer than three weeks in special circumstances.

Files must not be despatched directly to an external party such as a managing agent or law firm. Any file required by external bodies must be passed to the Knowledge Management team so that its intended location can be recorded on the SAPA System, and preferably scanned.

7.3. Items on Loan from The National Archives

Items held at The National Archives should be requested through the Knowledge Management Team.
Items on loan from The National Archives will be immediately assessed to determine whether they contain the information required, and if so, scanned and the original returned as soon as possible. Once items have been transferred to The National Archives they are no longer Crown Estate property and they must therefore be kept safely when in The Crown Estate's possession and returned as soon as possible.

8. Security of Records

8.1. Access Control

Records will be stored securely and access to them will be controlled. Storage arrangements, handling procedures and arrangements for transmission of records reflect accepted standards and good practice in information security. Access control will be applied in two ways - general access control and specific control using protective marking.

Ease of access will depend on the nature and sensitivity of the records, although the presumption will be to open internal access. Access restrictions will be applied when necessary to protect the information concerned and security should be kept up to date with access control removed when information is no longer sensitive.

Particular care should be taken with personal information about living individuals in order to comply with the 7th data protection principle, which requires precautions against unauthorised or unlawful processing, damage, loss or destruction. Particular care should be taken with information bearing a protective marking, and should be handled in accordance with the Information Classification and Data Handling Policy. Other information, such as information obtained on a commercially confidential basis, may also require particular protection.

8.2. Collection of Evidence of Security Breaches

To allow follow-up action after a breach of information security, evidence should be collected, retained and presented. In general, the rules for evidence cover admissibility of evidence (whether or not the evidence can be used in court) and weight of evidence (the quality and completeness of evidence). Documents stored in Wisdom are likely to meet the rules for evidence, as access control and audit trails are embedded functionality.

9. Retention and Disposal

9.1. General Principles

As a general principle, records should be kept for as long as they are needed - for reference or accountability purposes, to comply with regulatory requirements or to protect legal and other rights and interests. Destruction at the end of this period ensures that office and server space are used resourcefully and costs are not incurred in maintaining records that are no longer required. For records containing personal information it also ensures compliance with the fifth data protection principle which requires that personal data is kept only for as long as it is needed. Removing records that are no longer required also improves the likelihood and speed of retrieving retained records.

Records should not be kept after they have come to the end of their retention period unless:
- They are known to be the subject of litigation or a request for information. If so, destruction should be delayed until the litigation is complete or, in the case of a request for information, all relevant complaint and appeal provisions have been exhausted;
- They have long-term value for historical or research purposes and have been or should be selected for permanent preservation;
- They contain or relate to information recently released in response to a request under the Freedom of Information Act. This may indicate historical value and destruction should be delayed while this is re-assessed;
- They relate to the state of existing property and will be kept until the state changes or the property is sold.

9.2. Making Disposal Decisions

Disposals of records should be undertaken only in accordance with the Retention and Disposal Schedules, which identify and describe records to which a pre-defined disposal action can be applied, for example destroy x years after [trigger event]; review after y years, transfer to archives for permanent preservation after z years.

Asset owners (i.e. heads of business and support groups) must identify a Reviewer who can make disposal decisions at the end of retention periods on behalf of their group.

If any records are not covered by a Retention and Disposal Schedule, special arrangements should be made to review them and decide whether they can be destroyed or should be selected for permanent preservation. Decisions of this nature should be documented and kept to provide evidence of which records have been identified for destruction, when the decision was made, and the reasons for the decision, where this is not apparent from the overall policy.

9.3. Implementing Disposal Decisions

Disposal decisions should be implemented by the appropriate reviewer or the Knowledge Management Team. Records scheduled for destruction should be destroyed in as secure a manner as required by the level of confidentiality or protective security markings they bear. For example, records containing personal information about living individuals should be destroyed in a way that prevents unauthorised access (this is required to comply with the seventh data protection principle). With digital records it may be necessary to do more than overwrite the data to ensure the information is destroyed.

When destruction is carried out by an external contractor, the contract should stipulate that the security and access arrangements established for the records will continue to be applied until destruction has taken place, and that the destruction will be certified.

In some cases there will be more than one copy of a record. For example, there are likely to be back-up copies of digital records, or there may be digital copies of paper records. A record cannot be considered to have been completely destroyed until all copies, including back-up copies, have been destroyed, if there is a possibility that the data could be recovered.

9.4. Documenting Destruction

Details of destruction of records should be kept, either as part of the audit trail metadata or separately. This is done automatically for electronic files reviewed through Wisdom. Ideally, some evidence of destruction should be kept indefinitely because the previous existence of records may be relevant information. At the very least it should be possible to provide evidence that as part of routine records management processes destruction of a specified type of record of a specified age range took place in accordance with the Retention and Disposal Schedule.

10. Records Created by Business Partners

10.1. Typical Contract Requirements

When The Crown Estate is working in partnership with other organisations, sharing information and potentially contributing to a joint records system, contractual arrangements should include, where possible, protocols that specify:
- What information should be contributed and kept, and by whom;
- What level of information security should be applied;
- Who should have access to the records;
- What disposal arrangements should be in place;
- What happens at the end of the contract with regard to records;
- Which body holds the information for the purposes of FOI.

Instructions and training should be provided to all those involved in such collaborative working.

Record management controls should be applied to information being shared with or passed to other bodies. Particular protection should be given to confidential or personal information. Protocols should specify when, and under what conditions, information will be shared or passed, and details should be kept of when this information has been shared or passed. Details should be kept also of how undertakings given to the original source of the information have been respected.

11. Review of Records for Transfer to The National Archives

11.1. Selection of Records for Permanent Preservation

The Public Records Acts of 1958 and 1967 and the subsequent Dacre review place upon The Crown Estate a requirement that we assess all our records before they are 20 years old, unless they have been routinely destroyed as part of a retention and disposal policy. The review is to determine whether the records can be destroyed or passed to The National Archives for permanent preservation. Records can only be retained after this period in exceptional circumstances, and then only with the approval of the Lord Chancellor.

To enable review, it is important that records are accurate, complete, kept together and in context. It is also important that related record sets can be reviewed together. In the context of the Public Records Acts and the Dacre Review, records means both paper and electronic records.

11.2. Determining the Access Status of Records

When preparing public records for transfer to The National Archives the access status of those records should be considered in order to:
- Consider which information must be available to the public on transfer because no exemptions under FOI or EIR apply;
- Consider whether the information must be released in the public interest, notwithstanding the application of an exemption under FOI or EIR;
- Consider which information must be available to the public at 30 years because relevant exemptions in FOI have ceased to apply;
- Consider which information should be withheld from public access through the application of an exemption under FOI or EIR.

Consultation will take place, both within the business and with other organisations that might be affected by the decision, such as the original suppliers of the information.

If the outcome of the review is that records are to be transferred as open, there will be no formal review of this designation by The National Archives.

If the outcome of the review is identification of specified information which ought not to be released under the terms of FOI or EIR, a schedule should be prepared that:
- Identifies the information precisely;
- Cites the relevant exemption(s);
- Explains why the information may not be released;
- Identifies a date at which either release would be appropriate or the case for release should be reconsidered.

The review must also consider whether parts of records might be released if the sensitive information were redacted, i.e. rendered invisible or blanked out. Information that has been redacted should be stored securely and should be returned to the parent record when the exemption has ceased to apply.

The schedule should be submitted to The National Archives for review and advice prior to transfer. If the outcome of the review is that some or all of the information in the records should be closed after it is 30 years old, the schedule will be considered by the Advisory Council.

11.3. Transfer of Public Records

It is the responsibility of the Knowledge Management Team to ensure that those records are adequately prepared and are transferred with the level of security appropriate to the confidentiality of the information they contain.

12. Compliance

12.1. Monitoring and Reporting

Monitoring will be undertaken on a regular basis and the results reported to the person with lead responsibility for records management at Management Board level, so that risks can be assessed and appropriate action taken.

13. User Awareness

Users shall be made aware of their responsibilities in the effective management of Crown Estate records, including, but not limited to:
- The need to use The Crown Estate's corporate records system (Wisdom) for the filing of all business related information created by them;
- The need to ensure that any paper records held either by DCS or at The National Archives are returned promptly when no longer required;
- The need to be aware of this policy and all its provisions.

14. Incident Reporting

All security incidents, including actual or potential unauthorised access to The Crown Estate's records, should be reported immediately to the ISMS Manager or Information Services Manager in accordance with the Security Breach & Weakness Policy.

15. Disciplinary Process

The Crown Estate reserves the right to audit compliance with the policy from time to time. Any disciplinary action, arising from breach of this policy, shall be taken in accordance with The Crown Estate's Rules and Disciplinary Code. Disciplinary action may ultimately lead to dismissal.

16. Deviations From Policy

Unless specifically approved, any deviation from this policy is strictly prohibited. Any deviation to or non-compliance with this policy shall be reported to the ISMS Manager & Head of IS.

17. Glossary Of Terms

The terms used in this policy document are to be found in the ISMS Glossary of Terms.

Appendix A - List Of Related Documents, Procedures And Processes