Records management policy framework

The need to improve the University's records management has become clear from several legislative developments including the Data Protection Act (1998). This need has been thrown sharply into focus by the laying before the Scottish Parliament in September 2001 of the Scottish Executive's draft Freedom of Information Bill.

However the University is not seeking to improve its records management functions solely because of the impending legislation. It believes that it will gain a number of organisational benefits from so doing. These should include:

• better use of physical and server space
• better use of staff time
• improved control of valuable information resources
• compliance with legislation and standards
• reduced costs

The University also believes that its internal management processes will be improved by the greater internal availability of information that will accrue by the recognition of records management as a designated corporate function.

This document sets out an initial framework within which staff responsible for maintaining the University's records can develop policies and practices for this. It is likely to be relevant to all the University's departments and units, and to many staff in them. It will be augmented at a later date with more detailed policies and with guidelines on best practice. These will be developed by a University Records Manager (funding for the establishment of this post is being sought in the planning process for 2002/03) in conjunction with the Central Management Group's Freedom of Information Working Group.

This is a corporate asset. The University's records are important sources of administrative, evidential and historical information. They are vital to the University in its current and future operations (including meeting the requirements of the Freedom of Information legislation), for the purposes of accountability, and for an awareness and understanding of its history and procedures. They form part of the "corporate memory" of the organisation.

This is a set of data that describes and gives information about other data.

These can be defined as "recorded information, in any form, created or received and maintained by an organisation or person in the transaction of business or conduct of affairs and kept as evidence of such activity". Records occur in all types of recording media.

All records have a life cycle from creation/receipt (birth), through into the period of active currency (youth), thence into semi-currency, such as middle-aged closed files that are still referred to occasionally, and finally either confidential disposal or archival preservation. In the digital age it is especially important to introduce conscious management at the earliest possible stage as this will determine the ultimate extent of control over electronic material.

This is a discipline which utilises an administrative system to direct and control the creation, version control, distribution, filing, retention, storage and disposal of records, in a way that is administratively and legally sound, whilst at the same time serving the operational needs of the University and preserving an adequate historical record.

The key components of records management are:

This includes developing consistent rules to ensure integrity and accessibility, deciding on systems to log and track records, and procedures for registering, classifying and indexing.

These processes aim to identify and compile an inventory of the main records series held by an organisation and map them to the various functions, activities and transactions carried out by individuals and business units.

These processes apply various "appraisal criteria" such as legal, operational, administrative and historical requirements, to determine how long a particular series need to be retained.

Storage may either be on paper or electronic. To avoid storing paper records in expensive office space or holding electronic material online, records can be transferred to much less expensive off-site storage or offline facilities where they can still be accessed when required.

This process implements and documents the operation of the retention schedule recommendations, ensuring that records in all formats that are no longer needed are disposed of confidentially, or reviewed after formally agreed periods of time, or permanently preserved as the archival record.

This relates to measures taken to ensure that the vital records of the organisation are securely held in terms of physical and online access procedures and permissions and that back up procedures are in place in the event of a disaster.

The aims of the University's records management system are that:

• the record is present: the University has the information that is needed to form a reconstruction of activities or transactions that have taken place
• the record can be accessed: information can be located and accessed, and displayed in a way consistent with initial use and current version is identified where multiple versions exist
• the record can be interpreted: the context of the record can be established: who created the document and when, during which business process, and how the record is related to other records
• the record can be trusted: the record reliably represents the information that was actually used in or created by the business process, and its integrity and authenticity can be demonstrated
• the record can be maintained through time: the qualities of accessibility, interpretation and trustworthiness can be maintained for as long as the record is needed, perhaps permanently, despite changes of formats

All University staff who create, receive and use records have records management responsibilities. Heads of Colleges, Schools, other units and business functions within the University have overall responsibility for the management of records generated by their activities i.e. for ensuring that records controlled within their unit are managed in a way which meets the aims of the University's records management policies.

The University Secretary has a particular responsibility in ensuring that the University corporately meets its legal responsibilities, and internal and external governance and accountability requirements. Day-to-day responsibility will be delegated to a Records Manager, who will report to the Secretary. The Records Manager will have a coordinating and enabling role and will advise on policy and best practice.

Further policy guidance will be developed by the Freedom of Information Working Group using this framework, for approval by CMG and Court.

The University will seek to ensure that its records management systems and procedures facilitate compliance with relevant legislation and University policies. Legislation of general relevance to the University as a whole includes the Data Protection Act 1998 and the impending Freedom of Information legislation.

Specific business functions and activities within the University may also be subject to specific legislation or to professional best practice or relevant ethical guidelines. For example Finance activities are governed inter alia by the Finance Acts, the Taxes Acts, the Pension Act 1995, and by ethical guidelines issued by the Institute of Chartered Accountants of Scotland and other professional bodies. Personnel activities are regulated by Employment Law.

Records management systems and procedures will also inter-relate with internal University policies such as the Data Protection policy and the Information Policy.

The University will, so far as is practicable, seek to comply with the relevant International Standard on records management, ISO 15489. It will also seek to comply with other relevant documentation e.g. guidance material from the Public Record Office and the Codes of Practice and other guidance material to be developed by the proposed Scottish Information Commissioner. It will co-operate with other higher education institutions and other relevant public authorities with the aim of benefiting from best practice experience.

The University will also, so far as is practicable, comply with relevant guidance in specific business areas, such as financial audit requirements.

The University through the Records Manager will establish and maintain mechanisms through which departments and other units can register the records they are maintaining. This will be necessary for the University to facilitate current and meet future legal requirements, including those under the Data Protection Act 1998 and the impending Freedom of Information legislation. The guidance on registration mechanisms, including the content and maintenance of registration records, will be developed by the Records Manager. These will balance the benefits of the availability of detailed material in the University's Register against the costs of producing and maintaining this.

The Register of records will inter alia facilitate the:

• classification of records into series that have meaningful titles and consistent reference codes, and checking the allocation of records against these
• recording of the responsibility of individuals creating records
• provision of sequences of reference numbers that can cover series with both electronic and paper records
• provision of sequences of reference numbers that can cover series with both electronic and paper records

For some types of records the construction of on-line indexes will significantly improve access to material, not just for legislative compliance but also for internal day-to-day purposes. The University will encourage the construction of indexes in appropriate circumstances. Guidance on developing indexes of records will be developed by the Records Manager.

The University aims to preserve those records designated as having permanent legal, administrative or research value at the earliest possible stage in the records life cycle. Given the rapid pace of technological change in the digital age and the vulnerability of digitally held information, archival status records held solely in electronic formats need to be designated as such soon after creation or receipt. The procedures required to achieve this aim will be developed in consultation with the University Archivist and will follow emerging professional practice in digital archives preservation.

The University will develop a schedule for retention and disposal of records drawn up as a result of applied best practice i.e. based on records surveys, analyses, agreements with business units, etc. The preparation and maintenance of this will primarily be the responsibility of the Records Manager. Substantial input from the relevant officers will be required if the schedule is to reflect the business needs of the University corporately and of the individual departments and units.

Staff responsible for maintaining records in the University will:

• record appropriate descriptive and technical metadata to provide sufficient contextual information throughout the records life cycle
• maintain records securely
• ensure that electronic records are protected during technological change, such as during migration to new software or hardware platforms
• ensure that appropriate access and version controls are applied throughout records life cycles, reflecting both legislative requirements (e.g. from the Data Protection Act) and University policies

Guidance on University policies and on best practices will be developed by the Records Manager, in consultation with the Computing Services and other relevant support services.

The University will regularly audit its records management practices for compliance with this framework. Audit of corporate systems will be the responsibility of the University Secretary, although normally exercised through the Records Manager. Heads of Colleges, Schools and other departments and units will be expected to audit their own practices from time to time, in the light of existing (such as the Data Protection Policy) and future University requirements.

Audit will:

• identify areas of operation that are covered by the University's policies and identify which procedures and/or guidance should adhere to the policy
• follow a mechanism for adapting the policy to cover missing areas if these are critical to the creation and use of records, and use a subsidiary development plan if there are major changes to be made
• set requirements by implementing new procedures, including obtaining feedback where the procedures do not match the desired activity
• highlight where non-conformance to the procedures is occurring and suggest a tightening of controls and adjustment to related procedures

The University will provide appropriate training in records management for all relevant staff. The Freedom of Information Working Group will develop proposals for this on the advice of the Records Manager and in consultation with the Personnel Department and other appropriate departments.

This initial framework for the University's records management policies and practices has been developed by the Freedom of Information Working Group at the request of CMG. It was discussed and approved by CMG on 12 February 2002. It will be subject to ongoing review during the lifetime of the Working Group.

This policy can also be accessed through the Policy Repository and Directory.