< The Management of Records

5. Summary of recommended good practice in records management
6. Organisational arrangements to support records management
7. Records management policy
8. Keeping records to meet corporate requirements
9. Records systems
10. Storage and maintenance of records
11. Security and access
12. Disposal of records
13. Records created in the course of collaborative working or through out-sourcing
14. Monitoring and reporting on records and information management

5    Summary of recommended good practice in records management

5.1   Good practice in records management is made up of a number of key elements. The following list summarises the good practice recommended in Part 1 of the Code. Guidance on each element is given in sections 6-14 of this Part.

• Authorities should have in place organisational arrangements that support records management (see section 6);
• Authorities should have in place a records management policy, either as a separate policy or as part of a wider information or knowledge management policy (see section 7);
• Authorities should ensure they keep the records they will need for business, regulatory, legal and accountability purposes (see section 8);
• Authorities should keep their records in systems that enable records to be stored and retrieved as necessary (see section 9);
• Authorities should know what records they hold and where they are, and should ensure that they remain usable for as long as they are required (see section 10);
• Authorities should ensure that records are stored securely and that access to them is controlled (see section 11);
• Authorities should define how long they need to keep particular records, should dispose of them when they are no longer needed and should be able to explain why records are no longer held (see section 12);
• Authorities should ensure that records shared with other bodies or held on their behalf by other bodies are managed in accordance with the Code (see section 13);
• Authorities should monitor compliance with the Code and assess the overall effectiveness of the programme (see section 14).

6    Organisational arrangements to support records management

6.1   These arrangements should include:

• Recognition of records management as a core corporate function, either separately or as part of a wider information or knowledge management function. The function should cover records in all formats throughout their lifecycle, from planning and creation through to disposal and should include records managed on behalf of the authority by an external body such as a contractor;
• Inclusion of records and information management in the corporate risk management framework. Information and records are a corporate asset and loss of the asset could cause disruption to business. The level of risk will vary according to the strategic and operational value of the asset to the authority and risk management should reflect the probable extent of disruption and resulting damage;
• A governance framework that includes defined roles and lines of responsibility. This should include allocation of lead responsibility for the records and information management function to a designated member of staff at sufficiently senior level to act as a records management champion, for example a board member, and allocation of operational responsibility to a member of staff with the necessary knowledge and skills. In small authorities it may be more practicable to combine these roles. Ideally the same people will be responsible also for compliance with other information legislation, for example the Data Protection Act 1998 and the Re-use of Public Sector Information Regulations 2005, or will work closely with those people;
• Clearly defined instructions, applying to staff at all levels of the authority, to create, keep and manage records. In larger organisations the responsibilities of managers, and in particular heads of business units, could be differentiated from the responsibilities of other staff by making it clear that managers are responsible for ensuring that adequate records are kept of the activities for which they are accountable;
• Identification of information and business systems that hold records and provision of the resources needed to maintain and protect the integrity of those systems and the information they contain;
• Consideration of records management issues when planning or implementing ICT systems, when extending staff access to new technologies and during re-structuring or major changes to the authority;
• Induction and other training to ensure that all staff are aware of the authority’s records management policies, standards, procedures and guidelines and understand their personal responsibilities. This should be extended to temporary staff, contractors and consultants who are undertaking work that it has been decided should be documented in the authority’s records. If the organisation is large enough to employ staff whose work is primarily about records and information management, they should be given opportunities for professional development;
• An agreed programme for managing records in accordance with this part of the Code;
• Provision of the financial and other resources required to achieve agreed objectives in the records management programme.

7    Records management policy

7.1   The policy should be endorsed by senior management, for example at board level, and should be readily available to staff at all levels.

7.2   The policy provides a mandate for the records and information management function and a framework for supporting standards, procedures and guidelines. The precise contents will depend on the particular needs and culture of the authority but it should as a minimum:

• Set out the authority’s commitment to create, keep and manage records which document its principal activities;
• Outline the role of records management and its relationship to the authority’s overall business strategy;
• Identify and make appropriate connections to related policies, such as those dealing with email, information security and data protection;
• Define roles and responsibilities, including the responsibility of individuals to document their work in the authority’s records to the extent that, and in the way that, the authority has decided their work should be documented, and to use those records appropriately;
• Indicate how compliance with the policy and the supporting standards, procedures and guidelines will be monitored.

7.3   The policy should be kept up-to-date so that it reflects the current needs of the authority. One way of ensuring this is to review it at agreed intervals, for example every three or five years, and after major organisational or technological changes, in order to assess whether it needs amendment.

7.4   The authority should consider publishing the policy so that members of the public can see the basis on which it manages its records.

8    Keeping records to meet corporate requirements

8.1   Authorities should consider what records they are likely to need about their activities, and the risks of not having those records, taking into account the following factors:

• The legislative and regulatory environment within which they operate. This will be a mixture of generally applicable legislation, such as health and safety legislation and the Data Protection Act 1998, and specific legislation applying to the sector or authority. For example, the Charity Commission is required by its legislation to keep an accurate and up-to-date register of charities. This factor also includes standards applying to the sector or authority or to particular functions such as finance;
• The need to refer to authoritative information about past actions and decisions for current business purposes. For example, problems such as outbreaks of foot and mouth disease may recur and in order to deal with each new outbreak a local authority needs reliable information about what it did during previous outbreaks and who was responsible for specific measures, such as closing public footpaths;
• The need to protect legal and other rights of the authority, its staff and its stakeholders. For example, a local authority needs to know what land and buildings it owns in order to ensure proper control of its assets and to protect itself if challenged;
• The need to explain, and if necessary justify, past actions in the event of an audit, public inquiry or other investigation. For example, the Audit Commission will expect to find accurate records of expenditure of public funds. Or, if an applicant complains to the Information Commissioner’s Office (ICO) about the handling or outcome of an FOI request, the ICO will expect the authority to provide details of how the request was handled and, if applicable, why it refused to provide the information.

8.2   Having considered these factors, authorities should set business rules identifying:

• What records should be kept, for example which decisions or actions should be recorded;
• By whom this should be done, for example, by the sender or recipient of an email or voicemail;
• At what point in the process or transaction this should be done, for example when drafts of a document should be frozen and kept as a record;
• What those records should contain;
• Where and how they should be stored, for example in a case file.

8.3   As part of this process authorities should consider whether any of these records should be subject to particular controls so as to ensure their evidential value can demonstrated if required by showing them to:

• Be authentic, that is, they are what they say they are;
• Be reliable, that is, they can be trusted as a full and accurate record;
• Have integrity, that is, they have not been altered since they were created or filed;
• Be usable, that is, they can be retrieved, read and used.

8.4   All staff should be aware of which records the authority has decided to keep and of their personal responsibility to follow the authority’s business rules and keep accurate and complete records as part of their daily work. Managers of business units, programmes and projects should take responsibility for ensuring that the agreed records of the unit, programme or project’s work are kept and are available for corporate use.

8.5   Authorities should ensure that staff creating or filing records are aware of the need to give those records titles that reflect their specific nature and contents so as to facilitate retrieval.

8.6   Staff should also be aware of the need to dispose of ephemeral material on a routine basis. For example, print-outs of electronic documents should not be kept after the meeting for which they were printed, trivial emails should be deleted after being read, and keeping multiple or personal copies of documents should be discouraged.

9    Records systems

9.1   Authorities should decide the format in which their records are to be stored. There is no requirement in this Code for records and information to be created and held electronically, but if the authority is operating electronically, for example using email for internal and external communications or creating documents through word processing software, it is good practice to hold the resulting records electronically. In addition, authorities should note that the EIR require them progressively to make environmental information available to the public by electronic means (Regulation 4).

9.2   Authorities are likely to hold records and other information in a number of different systems. These systems could include a dedicated electronic document and records management system, business systems such as a case management, finance or geographical information system, a website, shared workspaces, audio-visual material and sets of paper files with related registers. In some cases related records of the same business activities may be held in different formats, for example digital files and supporting paper material.

9.3   Records systems should be designed to meet the authority’s operational needs and using them should be an integral part of business operations and processes. Records systems should have the following characteristics:

• They should be easy to understand and use so as to reduce the effort required of those who create and use the records within them. Ease of use is an important consideration when developing or selecting a system;
• They should enable quick and easy retrieval of information. With digital systems this should include the capacity to search for information requested under the Act;
• They should be set up in a way that enables routine records management processes to take place. For example, digital systems should be able to delete specified information in accordance with agreed disposal dates and leave the rest intact;
• They should enable the context of each record and its relationship to other records to be understood. In a records management system this can be achieved by classifying and indexing records within a file plan or business classification scheme to bring together related records and enable the sequence of actions and context of each document to be understood. This approach has the added benefit of enabling handling decisions, for example relating to access or disposal, to be applied to groups of records instead of to individual records;
• They should contain both information and metadata. Metadata enables the system to be understood and operated efficiently, the records within the system to be managed and the information within the records to be interpreted;
• They should protect records in digital systems from accidental or unauthorised alteration, copying, movement or deletion;
• They should provide secure storage to the level of protection required by the nature, contents and value of the information in them. For digital systems this includes a capacity to control access to particular information if necessary, for example by limiting access to named individuals or by requiring passwords. With paper files this includes a capacity to lock storage cupboards or areas and to log access to them and any withdrawal of records from them;
• They should enable an audit trail to be produced of occasions on which selected records have been seen, used, amended and deleted.

9.4   Records systems should be documented to facilitate staff training, maintenance of the system and its reconstruction in the event of an emergency.

9.5   Folders, files and similar record assemblies should not remain live indefinitely with a capacity for new records to be added to them. They should be closed, that is, have their contents frozen, at an appropriate time.

9.6   The trigger for closure will vary according to the nature and function of the records, the extent to which they reflect ongoing business and the technology used to store them. For example, completion of the annual accounting process could be a trigger for closing financial records, completion of a project could be a trigger for closing project records, and completion of formalities following the death of a patient could be a trigger for closing that person’s health record. Size is a factor and a folder should not be too big to be handled or scrutinised easily. For digital records a trigger could be migration to a new system. Authorities should decide the appropriate trigger for each records system and put arrangements in place to apply the trigger.

9.7   New continuation or part files should be opened if necessary. It should be clear to anyone looking at a record where the story continues, if applicable.

10  Storage and maintenance of records

10.1   The effectiveness of records systems depends on knowledge of what records are held,
what information they contain, in what form they are made accessible, what value they have to the organisation and how they relate to organisational functions. Without this knowledge an authority will find it difficult to:

• Locate and retrieve information required for business purposes or to respond to an information request;
• Produce a Publication Scheme or a reliable list of information assets available for re-use;
• Apply the controls required to manage risks associated with the records;
• Ensure records are disposed of when no longer needed.

10.2   Authorities should gather and maintain data on records and information assets.
This can be done in various ways, for example through surveys or audits of the records and information held by the authority. It should be held in an accessible format and should be kept up to date.

10.3   Authorities should consider publishing details of the types of records they hold to help members of the public planning to make a request for information under the Act.

10.4   Storage should provide protection to the level required by the nature, contents and value of the information in them. Records and information will vary in their strategic and operational value to the authority, and in their residual value for historical research, and storage and preservation arrangements reflecting their value should be put in place.

10.5   Authorities should be aware of any specific requirements for records storage that apply to them. For example, the Adoption National Minimum Standards issued by the Department of Health and the Welsh Assembly Government in 2003 require indexes and case files for children to be securely stored to minimise the risk of damage from fire or water.

10.6   Storage should follow accepted standards in respect of the storage environment, fire precautions, health and safety and, if applicable, physical organisation. It should allow easy and efficient retrieval of information but also minimise the risk of damage, loss or unauthorised access.

10.7   Records that are no longer required for frequent reference can be removed from current systems to off-line or near off-line (for digital media) or to off-site (for paper) storage where this is a more economical and efficient way to store them. They should continue to be subject to normal records management controls and procedures.

10.8   The whereabouts of records should be known at all times and movement of files and other physical records between storage areas and office areas should be logged.

10.9   Records should remain usable for as long as they are required. This means that it should continue to be possible to retrieve, use and rely on them.

10.10  Records in digital systems will not remain usable unless precautions are taken. Authorities should put in place a strategy for their continued maintenance designed to ensure that information remains intact, reliable and usable for as long as it is required. The strategy should provide for updating of the storage media and migration of the software format within which the information and metadata are held, and for regular monitoring of integrity and usability.

10.11  Records in digital systems are particularly vulnerable to accidental or unauthorised alteration, copying, movement or deletion which can happen without trace. This puts at risk the reliability of the records which could damage the authority’s interests. Authorities should assess these risks and put appropriate safeguards in place.

10.12  Back-up copies of records in digital systems should be kept and stored securely in a separate location. They should be checked regularly to ensure that the storage medium has not degraded and the information remains intact and capable of being restored to operational use. Back-ups should be managed in a way that enables disposal decisions to be applied securely without compromising the authority’s capacity to recover from system failures and major disasters.

10.13  Physical records such as paper files may also require regular monitoring. For example, formats such as early photocopies may be at risk of fading, and regular checks should be made of any information in such formats that is of continuing value to the authority.

10.14   Metadata for records in any format should be kept in such a way that it remains reliable and accessible for as long as it is required, which will be at least for the life of the records.

10.15  Business continuity plans should identify and safeguard records considered vital to the organisation, that is:

• Records that would be essential to the continued functioning or reconstitution of the organisation in the event of a disaster;
• Records that are essential to ongoing protection of the organisation’s legal and financial rights.

The plans should include actions to protect and recover these records in particular.

11   Security and access

11.1   Authorities should ensure that their storage arrangements, handling procedures and arrangements for transmission of records reflect accepted standards and good practice in information security. It is good practice to have an information security policy addressing these points.

11.2   Ease of internal access will depend on the nature and sensitivity of the records. Access restrictions should be applied when necessary to protect the information concerned and should be kept up to date. Particular care should be taken with personal information about living individuals in order to comply with the 7th data protection principle, which requires precautions against unauthorised or unlawful processing, damage, loss or destruction. Within central Government, particular care should be taken with information bearing a protective marking. Other information, such as information obtained on a confidential basis, may also require particular protection.

11.3   Transmission of records, especially outside the authority’s premises, should require authorisation. The method of transmission should be subject to risk assessment before a decision is made.

11.4   External access should be provided in accordance with relevant legislation.

11.5   An audit trail should be kept of provision of access, especially to people outside the immediate work area.

12   Disposal of records

12.1   For the purpose of this Code, disposal means the decision as to whether the record should be destroyed, transferred to an archives service for permanent preservation or presented,¹⁴ and the putting into effect of that decision.

12.2   As a general principle, records should be kept for as long as they are needed by the authority: for reference or accountability purposes, to comply with regulatory requirements or to protect legal and other rights and interests. Destruction at the end of this period ensures that office and server space are not used and costs are not incurred in maintaining records that are no longer required. For records containing personal information it also ensures compliance with the 5th data protection principle which requires that personal data is kept only for as long as it is needed.

12.3   Records should not be kept after they have ceased to be of use to the authority unless:

• They are known to be the subject of litigation or a request for information. If so, destruction should be delayed until the litigation is complete or, in the case of a request for information, all relevant complaint and appeal provisions have been exhausted;
• They have long-term value for historical or other research and have been or should be selected for permanent preservation. (Note that records containing personal information can be kept indefinitely for historical research purposes because they thereby become exempt from the 5th data protection principle.)
• They contain or relate to information recently released in response to a request under the Act. This may indicate historical value and destruction should be delayed while this is re-assessed.

12.4   Disposal of records should be undertaken only in accordance with clearly established policies that:

• Reflect the authority’s continuing need for access to the information or the potential value of the records for historical or other research;
• Are based on consultation between records management staff, staff of the relevant business unit and, where appropriate, others such as legal advisers, archivists or external experts;
• Have been formally adopted by the authority;
• Are applied by properly authorised staff;
• Take account of security and confidentiality needs.

12.5   The policies should take the form of:

• An overall policy, stating in broad terms the types of records likely to be selected for permanent preservation. The policy could be a separate policy, part of the records management policy or a preamble to a disposal schedule;
• Disposal schedules¹⁵ which identify and describe records to which a pre-defined disposal action can be applied, for example destroy x years after [trigger event]; review after y years, transfer to archives for permanent preservation after z years.

12.6   Disposal schedules should contain sufficient details about the records to enable the records to be easily identified and the disposal action applied to them on a routine and timely basis. The amount of detail in disposal schedules will depend on the authority’s needs but they should at least:

• Describe the records, including any relevant reference numbers;
• Identify the function to which the records relate and the business unit for that function (if that is not clear);
• Specify the retention period, i.e. how long they are to be kept;
• Specify what is to happen to them at the end of that period, i.e. the disposal action;
• Note the legal, regulatory or other reason for the disposal period and action, for example a statutory provision.

Disposal schedules should be arranged in the way that best meets the authority’s needs.

12.7   Disposal schedules should be kept up to date and should be amended if a relevant statutory provision changes. However, authorities should consider keeping information about previous provisions so that the basis on which records were previously destroyed can be explained.

12.8   If any records are not included in disposal schedules, special arrangements should be made to review them and decide whether they can be destroyed or should be selected for permanent preservation. Decisions of this nature should be documented and kept to provide evidence of which records have been identified for destruction, when the decision was made, and the reasons for the decision, where this is not apparent from the overall policy.

12.9    Disposal schedules and disposal decisions should be implemented by properly authorised staff. Implementation arrangements should take account of variations caused by, for example, outstanding requests for information or litigation.

12.10  Records scheduled for destruction should be destroyed in as secure a manner as required by the level of confidentiality or security markings they bear. For example, records containing personal information about living individuals should be destroyed in a way that prevents unauthorised access (this is required to comply with the 7th data protection principle). With digital records it may be necessary to do more than overwrite the data to ensure the information is destroyed.

12.10  When destruction is carried out by an external contractor, the contract should stipulate that the security and access arrangements established for the records will continue to be applied until destruction has taken place.

12.10  In some cases there will be more than one copy of a record. For example, there are likely to be back-up copies of digital records, or there may be digital copies of paper records. A record cannot be considered to have been completely destroyed until all copies, including back-up copies, have been destroyed, if there is a possibility that the data could be recovered.

12.10  Details of destruction of records should be kept, either as part of the audit trail metadata or separately. Ideally, some evidence of destruction should be kept indefinitely because the previous existence of records may be relevant information. However, the level of detail and for how long it should be kept will depend on an assessment of the costs and the risks to the authority if detailed information cannot be produced on request.

12.10  At the very least it should be possible to provide evidence that as part of routine records management processes destruction of a specified type of record of a specified age range took place in accordance with a specified provision of the disposal schedule. Evidence of this nature will enable an authority and its staff to explain why records specified in a court order cannot be provided or to defend themselves against a charge under section 77 of the Act that records were destroyed in order to prevent their disclosure in response to a request for information.

12.10  Records selected for permanent preservation and no longer required by the authority should be transferred to an archives service that has adequate storage and public access facilities. Transfer should take place in an orderly manner and with a level of security appropriate to the confidentiality of the records.

12.10  Part 2 of the Code sets out the arrangements that apply to the review and transfer of public records. The approach set out in Part 2 may be relevant to the review and transfer of other types of records also.

13  Records created in the course of collaborative working or through out-sourcing

13.1   When authorities are working in partnership with other organisations, sharing information and contributing to a joint records system, they should ensure that all parties agree protocols that specify:

• What information should be contributed and kept, and by whom;
• What level of information security should be applied;
• Who should have access to the records;
• What disposal arrangements should be in place;
• Which body holds the information for the purposes of the Act.

13.2   Instructions and training should be provided to staff involved in such collaborative working.

13.3   Records management controls should be applied to information being shared with or passed to other bodies. Particular protection should be given to confidential or personal information.
Protocols should specify when, and under what conditions, information will be shared or passed, and details should be kept of when this information has been shared or passed. Details should be kept also of how undertakings given to the original source of the information have been respected.

13.4   Some of an authority’s records may be held on its behalf by another body, for example a body carrying out work for the authority under contract. The authority on whose behalf the records are held is responsible for ensuring that the provisions of the Code are applied to those records.

14  Monitoring and reporting on records and information management

14.1   Authorities should identify performance measures that reflect their information management needs and arrangements and the risks that non-compliance with the Code would present to the authority, including the impact on risks identified in the overall risk management framework.

14.2   The performance measures could be general in nature, for example that a policy has been issued, or could refer to processes, such as the application of disposal schedules to relevant records with due authorisation of destruction, or could use metrics such as retrieval times for paper records held off-site that have been requested under the Act.

14.3   Authorities should put in place the means by which performance can be measured. For example, if metrics are to be used, the data from which statistics will be generated must be kept. Qualitative indicators, for example whether guidance is being followed, can be measured by spot checks or by interviews.

14.4   Monitoring should be undertaken on a regular basis and the results reported to the person with lead responsibility for records management so that risks can be assessed and appropriate action taken.

14.5   Assessing whether the records management programme meets the needs of the organisation is a more complex task and requires consideration of what the programme is intended to achieve and how successful it is being. This requires consideration of business benefits in relation to corporate objectives as well as risks and should include consultation throughout the authority.

< The Management of Records