Scanning and Disposal Policy




Information Security Document
Scanning and Disposal Policy

Version History

| Version | Date | Detail | Author |
|---|---|---|---|
| 1.0 | 09/01/2012 | Completed for Distribution | David Jenkins |
| 1.0 | 29/02/2012 | Approved by Information Governance Group | David Jenkins |
| 2.0 | 27/03/2013 | Reviewed by Information Governance Group | David Jenkins |
| 3.0 | 07/04/2014 | Reviewed by Information Governance Group | David Jenkins |
| 4.0 | 11/05/2015 | Reviewed by Information Governance Group | David Jenkins |

This document has been prepared using the following ISO27001:2013 standard controls as reference:

| ISO Control | Description |
|---|---|
| A.7.2.2 | Information security awareness, education and training |
| A.8.2.1 | Classification of information |
| A.8.2.2 | Labelling of information |
| A.8.2.3 | Handling of assets |
| A.8.3.2 | Disposal of Media |
| A.18.1.1 | Identification of applicable legislation and contractual requirements |
| A.18.2.2 | Compliance with security policies and standards |

1. Introduction

Derbyshire County Council acknowledges that as part of the corporate roll out of the Council's Electronic Document and Records Management System (EDRM) it is likely that large series of paper documents will be scanned and added to the system to improve access and workflows. The Council needs to be able to demonstrate that these scanned documents have been unaltered since the time of electronic storage and that they are a true representation of the original paper record.

After scanning records and uploading them to the EDRM, departments/sections may wish to destroy the original paper file and use the scanned version as the definitive record for operational and compliance purposes. The disposal of original paper records (and subsequent reliance on a scanned version) is a relatively recent concern and there is, as yet, no definitive case law on the subject of the legal admissibility of scanned files after the destruction of the paper original. However, increasing numbers of public authorities are choosing to scan and destroy paper documents.

This policy sets out the arrangements required in the scanning and disposal process for scanned records in order to reduce the risk of a challenge to the legal admissibility and evidential value of the scanned records. This policy aims to conform with BS10008:2008, which is the British Standard on the Legal Admissibility and Evidential Weight on Information Stored Electronically.

2. Roles and Responsibilities

It is the responsibility of departmental and service managers to approve the scanning of documents and the destruction of the paper original, unless the original has to be returned to a third party or has to be retained for specific reasons because it is important to retain a wet signature. It is also the responsibility of all managers to ensure that staff are made aware of the proper procedures to follow.

It is the responsibility of all staff involved in the scanning process to follow the agreed corporate procedures for scanning.

It is the responsibility of all staff involved in the destruction process to ensure it is carried out in accordance with the principles of the Council's Records Disposal Policy, the main concern being that the original paper records are treated as confidential waste.

3. Scope

This policy applies to all staff who are involved in the scanning of records. Responsibilities under this policy include all stages of the scanning process including the preparation, scanning, quality assurance and filing stages.

For the purposes of this policy, when a document has been scanned and the original paper copy destroyed, the scanned version will be regarded as the definitive record for legal, accountability and transparency purposes. The scanned copy will need to be managed in accordance with the Council's Corporate Records Management and Records Disposal policies, including retention of the digitised document for the agreed retention period.

4. Legal Framework

This policy seeks to address the key legal issues regarding the scanning and destruction process in terms of the legal admissibility and evidential weight of the digitised images. As a general principle the action of copying a document may reduce its evidential weight. In order to respond to this there needs to be sufficient authentication evidence available to reassure legal and regulatory stakeholders that the image is an accurate copy. This will often require evidence that the document is what it claims to be and that it is a true and accurate copy, including proof that it has not been altered since the date it was added to a council approved electronic record keeping system.

The key principles outlined within the policy arise from the Civil Evidence Act 1995 and are supported in respect of criminal prosecutions by the Police and Criminal Evidence Act 1984.

As outlined under Section 6, a risk assessment approach is required for scanning initiatives, which should include assessing the likelihood of future legal reliance on the scanned images. Where the legal risks are high then the use of the Council's offsite document storage contract should be considered.

5. Policy statements

The Council is committed to the management of electronic information as outlined in the Council's Information Security Policies including its Corporate Records Management Policy.

The Council is committed to the continued use of electronic systems in the form of its Electronic Document and Records Management System for the storage of records over time. This system will be one of the Council's primary systems used for the storage of digitised documents to ensure their authenticity and reliability.

The Council is committed to consulting with key stakeholders to ensure that the systems used for the storage of digitised documents meet their needs in respect to compliance with legislation and regulations (see Section 6 for more information on the principles).

The Council is committed to complying with the practice outlined under BS10008:2008. This standard outlines the practice which should be followed when scanning to maximise the evidential weight of that scanned information. The standard requires that the procedures in place for scanning meet certain key requirements. The Standard is particularly concerned with the methods used as part of the scanning process, the auditability of the scanned document and assurances that the scanned document has not been amended or altered after the scanning process. The key requirements of the Standard can be found in Appendix A.

6. Policy Principles

The framework outlined under BS10008:2008 shall be complied with during scanning initiatives in order to maximise the evidential weight and legal admissibility of the scanned documents. Adherence to the following principles will enable the Council to demonstrate its approach to scanning if the legal admissibility of scanned documents is questioned. If the scanning conforms to the principles outlined within this policy and associated procedures it will be acceptable to destroy the paper original and regard the electronic copy as the definitive record.

Procedures: General scanning procedures have been produced as part of the EDRM roll out which meet the requirements of BS10008:2008. These procedures should be followed in all instances where scanning takes place in order to maximise the legal admissibility of those resulting scanned records. It is essential that these procedures be followed regardless of whether departments are intending to destroy the paper originals. This is because if decisions over destruction occur after scanning, it is the scanning process itself which will raise legal admissibility questions. The scanning procedures can be found at the following link: http://dnet/resources/transformation/programmes_projects/document_management/scanning/scanning_procedures/default.asp

Risk Assessment: In addition to adhering to the procedures developed by the EDRM Team, another requirement in any scanning initiative is to undertake a risk assessment with regards to the potential issues that might arise from a scanning project. This risk assessment should address the risk of a legal challenge, the risk of human error in the scanning process, the risk of technological failure and obsolescence and the risk of the alteration and manipulation of the scanned image. A template for a risk assessment exercise can be found in Appendix B.

Stakeholder Consultation: As part of the risk assessment process key stakeholders should be contacted prior to undertaking the scanning and destruction of originals. This should include contacting those stakeholders who are likely to be in a position of requesting access to scanned records (e.g. HMRC for finance related records). There may be some cases where certain stakeholders feel that it is essential to retain the paper original; examples might include deeds to property, or documents with seals etc. to denote authenticity. The majority of records can be scanned with no need to retain the original; however, in this minority of cases proper arrangements should be made to ensure the storage of the paper copy (for example using the Council's approved supplier of off-site document storage).

Documentation: As part of the auditable scanning and disposal procedures, authorisation for the destruction of the paper originals following scanning shall need to be obtained from the relevant head of service. This level of authorisation is only required for destruction occurring after a scanning initiative. Routine destruction of time expired records should be carried out according to the Council's Record Disposal Policy. Documenting the destruction shall require confirmation that the scanning process has been carried out in accordance with appropriate EDRM procedures. A destruction authorisation document can be found in Appendix C. This documentation will need to be retained for the duration of the retention period for the records which have been scanned as outlined in the appropriate departmental records retention schedule.

7. Review and Monitoring

A review of this policy will take place at least every two years to take into account changes in legislation and best practice. On-going monitoring of this policy will be the responsibility of departmental Heads of Service, in consultation with the Corporate Records Manager, to ensure that the principles of the policy are being adhered to.

This document forms part of the Council's ISMS Policy and as such, must be fully complied with.

Appendix A: Key considerations of BS10008:2008

- A procedural manual should be produced detailing the procedures to be followed concerning information held within an electronic management system.
- Procedures should be established for capturing information to ensure that any information loss as a result of the capture process is acceptable.
- A description should be produced of the key technology component used in electronic information management.
- Systems used for managing electronic information should be reviewed regularly.
- Audit trails should be created showing activities associated with information management systems, stored information and transferred information.
- Where the date or time of an event is relevant, appropriate timing and dating information should be stored in association with the event in the audit trail.
- Quality control procedures should be established to check for missing images or images that do not meet specified quality standards.
- Re-scanning procedures should be established to correct any errors identified, as far as possible.
- Where batching techniques are used in scanning, numbers should be allocated to each batch.
- Where documents in paper form are photocopies and the photocopies are to be scanned, the images should be identified as being from photocopies.
- Metadata should be captured to ensure details of information capture processes are retained throughout the storage life of the information.
- Procedures should be established to demonstrate that information stored has not been changed (either accidentally or maliciously) or, where changes have been made, that they have been authorised.
- Where information is compressed during the storage process, compression methods used should not affect the authenticity and integrity of the stored information.
- Procedures should be established to test storage media at regular intervals to reduce the risk of unrecoverable errors.
- Procedures should be established to ensure that all appropriate digital objects have been migrated to new storage technology; that the file format of migrated digital objects has not changed; and that the digital objects themselves have either not been changed or that the changes are known, audited and meet corporate requirements.
- Information should be stored and maintained in a file format that is predicted to allow access over the relevant retention period (PDF(A) or TIFF are generally recommended).
- Where output is required as evidence in legal or other proceedings, procedures for certifying that the output is authentic should be used.
- Where the identity of those involved in information capture or transfer is important, procedures which authenticate the identity of the person or body shall be established.
- Procedures should be in place that protect electronic information storage and/or transfer from loss or corruption.

Appendix B: Risk Assessment template for the scanning of records and the destruction of their paper original

This risk assessment concerns the proposal by the [name of] Section to scan various [name of] records and manage them in the Electronic Document and Records Management System and destroy the paper originals. The risk assessment identified the various risks involved and outlined the steps taken to reduce the level of risk.

| Risk | Outline of risk | Comments | Risk Reduction Activity |
|---|---|---|---|
| Risk 1: Legal challenge to the legal admissibility of the scanned image after the destruction of the paper original | Risk that courts or other key stakeholders may not accept a scanned image as a true record, particularly after the destruction of the original paper record. | | |
| Risk 2: Human error during the scanning process | Risk that a record may be scanned incorrectly or to a poor quality due to errors by a member of staff. | | |
| Risk 3: Technological failure or obsolescence | Risk that technology fails resulting in the loss of the digital images with no paper counterpart, or that technological/software changes make the file format and technology obsolete. | | |
| Risk 4: Alteration of the scanned image (which would cause legal admissibility issues highlighted in risk 1) | Risk that an employee digitally manipulates the scanned image and alters it in some way. | | |

This risk assessment will be reviewed by the Corporate Records Manager and a nominated representative from the X Section after a period of one year.

It is the opinion of the Corporate Records Manager that the steps taken to reduce the levels of risk by the X Section are sufficient to allow for the scanning and destruction of original paper records. The procedural manual which has been followed complies with BS10008:2008, which aims to maximise the legal admissibility and evidential weight of the scanned images.

Appendix C: Disposal Authorisation Document

DERBYSHIRE COUNTY COUNCIL
Destruction Authorisation Document

Department:
Section/Service:
Date of scanning:

Schedule of original paper records which have been scanned and which will be destroyed:

| Title of record series | Covering Dates |
|---|---|
| i.e. SEN Case Files | DOB 1974-1977 |

I declare that my section/service has carried out the scanning process in line with the agreed procedures for my section/service.

I confirm that my section/service has carried out all appropriate quality assurance requirements specified within the procedures and the scanned records meet the standards set.

Derbyshire County Council acknowledges that the scanned records now supersede and entirely replace the original paper records as the Council's master record.

I confirm that the original paper records are not subject to any current legal procedures, access to information requests, or any regulatory/legislative requirements which require records to be retained in their original format.

The original paper source records will be destroyed as confidential waste.

Name:
Signature:
Job Title:

Derbyshire County Council Scanning and Disposal Policy