S 22JUN11 C3 COVER SHEET FOR SENATE MAIN AGENDA PAPERS Title of Paper INFORMATION LEGISLATION COMPLIANCE Author of Paper DR SIMONE CLARKE, DIRECTOR OF PLANNING AND ACADEMIC ADMINISTRATION Type of Paper: A: Substantive Discussion Item A: Preliminary Discussion Item B: Formal Approval Item C: Formal Recommendation to Council X D: Item for Report Dates Previously Discussed: Committee of Senate University Executive Committee X Faculty Other – Audit Committe X Summary: The attached paper outlines four University policies in relation to legislation compliance. The four documents are as follows: 1) Document Definition Policy This paper and policy, outlines a definition for each level of University documentation, to ensure there is clarity over which documents should be regarded as policies, procedures, strategies, codes of practice etc. 2) Records Management This paper outlines a systematic approach to Records Management across the institution, to ensure that each part of the University is compliant with the requirements of Section 46 of the Freedom of Information Act (2000) which is concerned with the appropriate management of records. 3) Freedom of Information Policy This policy has been provided to formalise the procedures already in place with regard to the Freedom of Information Act. The University has complied with the legislation since its introduction in 2005, but now wishes to formalise the established processes, in line with the Document Definition Policy processes (1 above) 4) Data Protection Policy This policy has been provided to formalise the procedures already in place with regard to the Data Protection Act. The University has complied with the legislation since its introduction in 1998, but now wishes to formalise the established processes, in line with the Document Definition Policy processes (1 above) Key risks to be managed: Legal Compliance; Reputational; Good Governance Action Required of Senate: To recommend formal approval to Council S 22JUN11 C3 Senate: Checklist of Issues to be Considered in Respect of all Proposals Procedural Issues 1. Is further discussion required through the Committee system? Yes X No Council n/a X Other 2. Will staff and / or students be consulted further before taking forward? Yes No n/a X Standards Issues 3. Could there be an impact on academic standards? Yes No n/a X Staff / Student Issues 4. Could there be an impact on employee or student relations? Yes No n/a X 5. Are there any equal opportunity issues? Yes X No n/a Risk / Opportunity Issues 6. Do existing commitments place any constraints on the proposal? Yes No n/a X 7. Could there be an impact on student recruitment? Positive Negative n/a X 8. Could there be an external or internal PR impact? Positive Negative n/a X 9. Are there any legal implications? AH 22 May 2002 Yes X No n/a KEELE UNIVERSITY DOCUMENT DEFINITION POLICY 1.0 1.1 Scope The aim of the attached policy is to ensure that all University policies, procedures, strategies and codes of practice, herein referred to as the University’s documentary framework, are necessary, current and relevant by providing a structure for their design, approval, implementation, monitoring and review. The documentary framework referred to in the attached policy is positioned below the University Act, Charter, Statues, Ordinances and Regulations. 2.0 2.1 Context Organisations in the Public Sector are becoming increasingly susceptible to public scrutiny, encouraged by the introduction of the Freedom of Information Act 2000 and the subsequent model publication scheme introduced for 1st January 2009, which expects the publication of University policies and procedures for public inspection. 2.2 Policies, procedures and other such documents at Keele have been developed to provide frameworks within which key University functions are carried out in order to ensure a consistent approach that is in line with good practice and ensures legal compliance where applicable. 2.3 Governance have recently undertaken a review of University documents and identified over 100 currently in operation across the University. Many of these have been developed by different parts of the University and are not available together in one place, thus making it difficult for readers to ensure that they are referring to the correct version and that what they are reading has not been superseded in any way. 2.4 In addition, whilst the approval process is widely understood for top-level University policies, there is no clear framework in place to establish the appropriate systems for the design, approval and implementation of documents such as procedures, codes of practice, University support strategies and guidelines, with no consistent monitoring and review process for these. 2.5 Documentation and Equality Impact Assessment Equality impact assessment (EIA) is the term given to a review of an institution’s policies to ensure that the institution is not discriminating unlawfully – and that it is making a positive contribution to equality. It is the process of assessing the impact of existing or proposed policies and practices in relation to their consequences for equality. (HEFCE and the Equality Challenge Unit, 2007). HEFCE (2004) refer to Equality Impact Assessment as ‘the thorough and systematic analysis of a policy or practice to determine whether it has a differential impact on a particular group’. The ‘particular groups’ referred to are the legally protected equality characteristics: Age, Disability, Gender/Sex, Gender reassignment, Pregnancy & Maternity, Race/nationality/ethnic origin, Religion/belief, and Sexual orientation. Keele is bound by legal duties to assess the impact of all new and existing policies and practices and this legal requirement is enforceable by the Equality and Human Rights Commission. The University is committed to ensuring that Equality Impact Assessments 1 are completed for all existing and future policies and practices, as agreed at Keele’s Equality & Diversity Committee of Council, October 2010. For the purposes of Equality Impact Assessment, the Equality and Human Rights Commission (2009) define ‘policy’ as follows: “ „Policy‟ needs to be understood broadly to embrace the full range of functions, activities and decisions for which the organisation is responsible: essentially everything the authority does. This includes both current policies and new policies under development”. Accordingly and in line with this broad definition of ‘policy’, the University requires any Keele document including but not limited to Strategic Plan, Policy, Procedure, Supporting Strategy, Code of Practice, or Guideline documentation to be Equality Impact Assessed, using agreed University procedure for completion of the Equality Impact Assessment process. It is the responsibility of each Dean/Director to ensure that all Keele documents are Equality Impact Assessed prior to their submission for approval. 3.0 3.1 Process This document seeks the approval of the Committee for the implementation of a two-fold system that will ensure that the University can guarantee the appropriate design, approval, implementation, monitoring and review of all University policies, procedures and other operational documentation such as supporting strategies and codes of practice. 3.2 Stage 1 The University to adopt a policy on the design, approval, implementation, monitoring and review of the University’s documents as detailed in Annex A. This policy clearly defines the difference between a strategic plan, policy, procedure, supporting strategy, code of practice and guideline and also identifies the recommended level of consultation, approval, accountability and review required for each. The policy also requires all subsequent University documents to be presented for approval with an ‘approval grid’ that will clearly define the version, review period and area of University/individual responsible for this document. 3.3 In summary this document (Annex A) outlines that a policy would typically be a top-level, university wide document that clearly defines the University’s position with regard to the particular policy topic. A procedure would be a process that underpins a policy and identifies where individual responsibility for that process lies within the institution. 3.4 The document also defines that a supporting strategy provides a plan of action to achieve set objectives, with regard to a particular defined service provided by the University. A code of practice is defined as a set of rules and expected processes or actions required with regard to a particular aspect of University business/service and a guideline is defined as a flexible framework designed to help staff/students to achieve a particular task or action. 3.5 Stage 2 Governance to collate and maintain a central repository of University policies, procedures, strategies and codes of practice that will be available on-line for staff and, where appropriate, the public to access. This repository will hold the active version of each policy. Once approved, Governance will retain a copy of the policy and use the ‘approval grid’ information to provide an annual report to University Executive Committee, 2 Senate and Council on policy, procedure, strategy and code of practice adoption and review in the previous 12 months and additionally alert University Executive Committee to policies in need of review within the forthcoming 12 months. It is expected this report will be provided to University Executive Committee in January of each year. 4.0 4.1 Timescale Governance has drafted the attached Keele University ‘Document Definition Policy’ (Annex A). 4.2 It is requested that the attached policy is reviewed and recommended for approval by the Committee to Senate and Council, to come into effect for the beginning of the 2011-12 academic year. 4.3 Governance have begun work on collating the information required for the repository and will continue to develop the on-line repository of University Policies and Procedures with a view to finalising the repository in line with the policy approval process. 5.0 5.1 Action Required The Committee is asked to endorse the process outlined above for the development of a University-wide policy on the design, approval, implementation, monitoring and review of University documents and the introduction of a central repository maintained by Governance. 5.2 Members of the Committee are also invited to review and recommend for approval the policy attached to this document in Annex A in accordance with the approval process as defined in the policy. 3 ANNEX A KEELEUNIVERSITY DOCUMENT DEFINITION POLICY 1. Purpose The purpose of this policy is to ensure that all University policies, procedures, strategies, codes of practice and guidelines, herein referred to as the University’s documentary framework, are necessary, current and relevant by providing a structure for their design, approval, implementation, monitoring and review. This policy will also ensure that the University’s documentary framework is clear, concise and consistent, suitably communicated to staff and students and that the content is regularly reviewed and suitable for the University’s needs. 2. Scope This policy applies to all Keele University documents, to include, policies, procedures, strategies, codes of practice and guidelines. 3. Definitions A Strategic Plan defines the University’s strategic direction for the designated time-period. All University activities should contribute towards the University’s Strategic Plan aims. Strategic Plans will also exist at a Faculty, Directorate, School and Research Institute level, which will define the strategic direction for the relevant area and will support the University Strategic Plan. A Policy is a formal written statement of the University’s position with regard to the policy topic, which enables decision-making and clarifies compliance for University members. A policy is applicable across all functions of the University. A Procedure documents the process or actions required to implement a policy or strategy. A procedure identifies where the responsibility for the process or action sits within the institution and is applicable for that process or action across the entire University. A Supporting Strategy identifies a plan of action to achieve set objectives for the delivery of a defined service provided by the University. A supporting strategy will apply to all functions of the University that are involved in the delivery of the service defined in the strategy. A Code of Practice is a set of rules for a particular aspect of the University that details expected processes or actions to be taken with regard to that aspect. A Code of Practice will often have ethical or professional considerations as the reason for its development. A Guideline is a flexible framework to assist and guide members of the University to achieve specific tasks using a recommended course of action. 4. Equality Impact Assessments Equality impact assessment (EIA) is the term given to a review of an institution’s policies to ensure that the institution is not discriminating unlawfully – and that it is making a positive contribution to equality. It is the process of assessing the impact of existing or proposed policies Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Page 1 of 4 Review Date: XX/XX/XX ANNEX A KEELEUNIVERSITY DOCUMENT DEFINITION POLICY and practices in relation to their consequences for equality. (HEFCE and the Equality Challenge Unit, 2007). HEFCE (2004) refer to Equality Impact Assessment as ‘the thorough and systematic analysis of a policy or practice to determine whether it has a differential impact on a particular group’. The ‘particular groups’ referred to are the legally protected equality characteristics: Age, Disability, Gender/Sex, Gender reassignment, Pregnancy & Maternity, Race/nationality/ethnic origin, Religion/belief, and Sexual orientation. Keele is bound by legal duties to assess the impact of all new and existing policies and practices and this legal requirement is enforceable by the Equality and Human Rights Commission. The University is committed to ensuring that Equality Impact Assessments are completed for all existing and future policies and practices, as agreed at Keele’s Equality & Diversity Committee of Council, October 2010. For the purposes of Equality Impact Assessment, the Equality and Human Rights Commission (2009) define ‘policy’ as follows: “ „Policy‟ needs to be understood broadly to embrace the full range of functions, activities and decisions for which the organisation is responsible: essentially everything the authority does. This includes both current policies and new policies under development”. Accordingly and in line with this broad definition of ‘policy’, the University requires any Keele document including but not limited to those defined above (Strategic Plan, Policy, Procedure, Supporting Strategy, Code of Practice, Guideline) to be Equality Impact Assessed, using agreed University procedure for completion of the Equality Impact Assessment process. It is the responsibility of each Dean/Director to ensure that all Keele documents are Equality Impact Assessed prior to their submission for approval. 5. Strategic Plan Development The University Strategic Plan will be in place for a period of 5 years and will be developed in line with Higher Education Funding Council for England (HEFCE) requirements. The University Strategic Plan will be formally approved by the University Council upon the recommendation of the University Executive Committee and the University Senate. Faculty/School/Directorate and Research Institute Strategic Plans will be approved at a local level, but should ensure that they are complimentary to and reflective of the aims of the main University Strategic Plan. 6. Policy and Procedure Development Policies and Procedures must: Comply with relevant legislation and the University Act, Charter, Statues, Ordinances and Regulations Consider all strategic and risk implications associated with the policy/procedure Consider the impact on both staff and students Be feasible to implement Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Page 2 of 4 Review Date: XX/XX/XX ANNEX A KEELEUNIVERSITY DOCUMENT DEFINITION POLICY Have a regular review period set prior to implementation Identify where the responsibility for implementation, operation, monitoring and review is located within the University (Policy/Procedure Owner) Be Equality Impact Assessed throughout the development process Policy and procedures will be developed and maintained by the University. All policies will be approved by the University Council upon the recommendation of University Executive Committee and the University Senate in the case of academic policies and procedures. All procedures will be approved by the University Executive Committee upon the recommendation of either the Secretary & Registrar for administrative procedures or the Deputy Vice-Chancellor and Provost for academic procedures. Approved procedures will be reported to Senate for academic procedures and Council for all other procedures. University policies and procedures are to be developed by the appropriate area of the University in consultation with relevant stakeholders, committees and Planning & Academic Administration for information and advice on the approval process. An Equality Impact Assessment should be completed prior to submitting a policy and procedure for approval through the above process. All policies and procedures will require a valid ‘approval grid’ to be completed with the final version of the policy/procedure before approval can be given. (See example at the base of this policy) 7. Policy/Procedure Reviews Planning and Academic Administration will provide an annual report to the University Executive Committee detailing the number of policies/procedures due for review within the forthcoming year. The Policy/Procedure Owner is responsible for undertaking adequate review, consultation and amendments to their policy/procedure either on or prior to the review date. All policies and procedures for review, must undertake the same approval process as new policies and procedures. 8. Supporting Strategy, Code of Practice and Guideline Development University supporting Strategies, Codes of Practice and Guidelines will be developed in accordance with the business needs of the University. All University supporting Strategies should be approved by the University Executive Committee and will require a valid ‘approval grid’ before approval can be given. University Academic Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Page 3 of 4 Review Date: XX/XX/XX ANNEX A KEELEUNIVERSITY DOCUMENT DEFINITION POLICY Strategies should be ratified by the University Senate. All other University Strategies should be ratified by the University Council. All University Codes of Practice should be approved by the University Executive Committee and be publicised to the University community. All University Guidelines should have their contents approved at a Dean/Director level and be well publicised to the University community. An Equality Impact Assessment should be completed for all of these documents prior to submitting these for approval through the above processes. 9. Communication Governance will maintain a central repository of University Policies and Procedures and will publish these on the University web-pages. Regular announcements will be made to members of the University to identify when new policies have been approved by the relevant Committees. 10. Version Control All University policies, procedures, strategies, codes of practice and guidelines should be version controlled using the University’s standard practice. Details of version control methods can be found at: (web-page) Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Page 4 of 4 Review Date: XX/XX/XX Paper 2 KEELE UNIVERSITY RECORDS MANAGEMENT 1.0 1.1 Introduction This paper outlines a proposed revised approach to Records Management across the Institution, in order to ensure continued compliance with legal and regulatory requirements, greater efficiencies and the adoption of consistent good practice. 1.2 In recent years the number of Freedom of Information and Data Protection Act requests has increased substantially, in addition, the Information Commissioners Office (ICO) which is responsible for overseeing the appropriate application of this legislation has increased its levels of auditing and investigations into organisations. 1.3 Whilst Keele has established a strong record with the ICO for complying with relevant legislation, Directorate of Planning and Academic Administration has noted that within the context of Records Management, Keele is falling behind the sector with regard to good practice and therefore it is apposite to review the practice at Keele, with a view to establishing good practice across all areas of the University. 1.4 The Finance and Resources Strategy Sub-Committee is asked to endorse the proposal set out in this paper and also recommends the policy for approval by Council. 2.0 2.1 Context The Lord Chancellor’s Code of Practice on the Management of Records under Freedom of Information was issued in November 2002 and revised in July 2009, in accordance with the requirements of section 46 of the Freedom of Information Act 2000. It has been designed to support the objectives of Freedom of Information (FOI) legislation by setting out the practices which Public Authorities, including Universities should follow in relation to creating, keeping, managing and disposing of their records. In accordance with this the University’s Vice-Chancellor’s Committee approved a review of Records Management by Directorate of Planning and Academic Administration and endorsed the creation of an institutional Records Management Policy, in 2005. 2.2.1 A Code of Practice and Records Disposal Schedule was approved in June 2006 and developed in light of best practice identified at other Higher Education Institutions (HEIs) and with the Joint Information Systems Committee’s (JISC) model of HEIs Records Retention Schedule. This was drafted to provide staff with advice and guidance on Records Management and outline staff responsibilities. 2.3 It is understood that an institution such as Keele could not justify the costs associated with the delivery of a high level Records Management system similar to that adopted by sector leaders. However, it is crucial that Keele establish the key underlying principles of Records Management in all areas of the University and ensure that it is fully embedded through training and awareness raising, in order to enable Keele to comply with the Lord Chancellor’s Code of Practice. Page 1 of 4 Paper 2 3.0 3.1 Records Management What Are Records? Records are defined in the Lord Chancellor’s Code of Practice as: ‘Information created, received and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business. 3.2 Why Are Records Kept? Records are created to provide information about what has happened, what was decided and how to do things, in the course of normal business activity. The Foreword to the Lord Chancellor’s Code of Practice states: ‘Records and information are the lifeblood of any organisation. They are the basis on which decisions are made, services provided and policies developed and communicated.’ Records, if well-kept, are a reliable source of evidence and information. 3.3.1 What is Records Management and Why Does It Matter? Records Management is about controlling Records in an efficient and systematic way throughout the lifecycle of a record, defined as the; creation use maintenance and final disposal Effective Records Management is based on the principles of regular review and controlled retention or destruction of records with the general aim of ensuring cost-effective business processes, legal and regulatory compliance and corporate accountability. 4.0 4.1 Why is Records Management Important for Keele? The University requires accurate records on a daily basis in order to fulfil its main activities. Good Records Management provides, but is not limited to, the following potential benefits: Efficiency - more effective use of resources – for example, disposing of records that are no longer needed releases space within buildings and information systems and saves time and money, Consistency - ensuring that authoritative information about past activities can be found and used for current business and audit purposes, Compliance - supporting compliance with legislation and rules, Continuity – enables the University to deliver continuity of service in the absence of expertise, including future-proofing systems, particularly IT, Protection – protects records from inappropriate and unauthorised access which is particularly important when considering confidential documentation. 4.2 A benefit set out in the Foreword to the Lord Chancellor’s Code of Practice is that it will support compliance with the FOI and the Environmental Information Regulations (EIR): ‘Access rights are of limited value if information cannot be found when requested or, when found, cannot be relied upon as authoritative. Good records and information management benefits those requesting information because it provides some assurance that the information provided will be complete and reliable. It benefits those holding the requested information because it enables them to locate and retrieve it easily within the statutory timescales or to explain why it is not held.’ Page 2 of 4 Paper 2 4.3 The Foreword to the Lord Chancellor’s Code of Practice also outlines some key risks that can arise from poor Records Management. They include: poor decisions based on inadequate or incomplete information, financial loss because reliable evidence is not available, reputational damage because of criticism by the Information Commissioner for failing to comply with the information legislation he regulates, failure to handle confidential information with the required level of security, failure to protect information vital to the continued functioning of the organisation, costs incurred because records are being kept for longer than they are needed or staff wasting time considering issues previously addressed and resolved. 4.4 Taken together, these benefits and risks provide compelling reasons for Keele to ensure that effective Records Management is in place. The good practice recommendations in the Lord Chancellor’s Code of Practice and the guidance in other national guidance documents provide the necessary foundations for effective Records Management. 5.0 5.1 Current Records Management Activity Directorate of Planning and Academic Administration has developed a Records Management Code of Practice (Annex A) and Records Disposal Schedule, which were approved by the then Vice-Chancellor’s Committee in June 2006 and are available on the Keele web-pages. Freedom of Information and Data Protection legislation is communicated via staff training sessions to raise awareness and outline staff responsibilities, in addition to the University Governance training programmes already in place. 5.2 A recent telephone survey has been carried out across the University to establish compliance to the current Records Management Code of Practice and Records Disposal Schedule. The findings highlighted the following four main areas in need of improvement. Inefficiencies – All departments expressed a lack of space for storing and archiving records. This has been due to the lack of regular record disposal causing the inefficient use of space and time resources. Electronic Storage – There is a lack of understanding of the need to save records on the University’s computer networks as many users save confidential and important information onto their C: // Drives which are not backed up on the University servers and are unable to be restored should a computer breakdown. Regular Compliance – Records Management activity is varied across the areas of the University. Archiving and the disposing of records is carried out on an ad-hoc basis, if at all, with no routine processes for Records Management. Advice & Responsibility – Records Management advice, information and responsibilities are not clearly understood within the University and require better communication, as significant areas across the University are unaware of the Records Disposal Schedule or are unsure who to approach for Records Management advice. 6.0 6.1 Plan Directorate of Planning and Academic Administration reviewed a number of methodologies for the Records Management project (in Annex B). After evaluating each option it was decided that a workshop based approach would be most appropriate for Keele. The main advantages of this approach are its informal and non-intrusive approach that gives opportunity for feedback and inclusion without being time-intensive. Page 3 of 4 Paper 2 6.2 This paper proposes that: The Records Management Policy will be updated and amended as per Annex C: o Directorate of Planning and Academic Administration will re-view and re-launch the current Records Disposal Schedule to ensure that colleagues across the institution are familiar with its content and its location. This will be done in consultation with key stakeholders. Train and Develop Staff Awareness o Directorate of Planning and Academic Administration currently run a number of training programmes which will be expanded to include Records Management. Produce Records Management web-pages o A dedicated Records Management web-page will be developed which will include guidance notes on FOI, DPA and Records Disposal. Best practice Records Management guides will be included and advertised widely across the institution, examples of which are at Annex D. Review data systems o Identification and avoidance of local data systems. There will be encouragement for all staff to use ‘shared’ office drives, rather than C: // drives, appropriate naming conventions for electronic records and there will be published advice detailing file naming and structure good practice. Identify ‘Records Champions’. o Senior Management will be asked to identify a number of ‘Records Champions’ in each of their teams. A Champion would typically be an administrator within an area of the University, who would act as a local source of expertise and advice for Records Management in their office. These Records Champions would be asked to attend workshops on Records Management and lead on the implementation of records disposal in their office. 7.0 7.1 Timelines The paper and policy were circulated for consultation with Directors, Deans and Faculty Business Managers in January and any comments made have been incorporated. Once the paper and policy have been endorsed by the Finance and Resources Strategy SubCommittee, they will be considered at the March and April Senate and Council meetings. 7.2 Directorate of Planning and Academic Administration plan to implement the policy and disseminate the information to the University by the end of May 2011, allowing one year for the policy and processes to fully embed. Compliance with the policy once embedded will continue to be monitored on an annual basis by Directorate of Planning and Academic Administration and the policy will be reviewed twelve months after its approval. 8.0 8.1 Action The Finance and Resources Strategy Sub-Committee is asked to support the following proposals as set out in this paper: Recommend the Records Management Policy (Annex C) for approval by the University Council Approve the actions to be undertaken by Directorate of Planning and Academic Administration as identified under section 6.2 of this paper To note the guidance documents (Annex D) that will be published on the Directorate of Planning and Academic Administration web-pages Page 4 of 4 Paper 2 KEELE UNIVERSITY Records Management Code of Practice 1. Why do we have a Records Management Code of Practice? All further and higher education institutions now face mounting pressure to demonstrate legal compliance, regulatory compliance and high standards of corporate governance. An effective Records Management programme is the foundation upon which an institution such as Keele can build their response to these growing demands. 2. What is the definition of a record? Recorded information [regardless of form or medium] created, received and maintained by an organisation in pursuance of its legal obligations or in the transaction of business. At Keele, a growing majority of records are electronic, including emails, web-based content, spreadsheets and databases. 3. What is Records Management? Records Management seeks to efficiently and systematically control the creation, use, maintenance and final disposal of the records which are routinely created as a result of an organisation’s activities and transactions. It is based on the principles of regular review and controlled retention or destruction with the general aim of ensuring cost-effective business processes, legal and regulatory compliance and corporate accountability. Records Management will help to ensure that: • Only the right information is created in the first place. • Information is kept as long as is necessary and no longer. • Information can be located and retrieved in a timely and controlled manner. • Information is secure. 4. Active Records Management in Directorates, Schools and Research Institutes This Code of Practice applies to all records created, received or maintained by all members of University staff. Directorates, Schools and Research Institutes should develop local practice that ensures: • Storage of records in a system that allows for quick and easy retrieval of information. • The record-keeping system should include a set of rules for referencing, titling, indexing and, if appropriate, security marking of records. • The movement and location of records should be controlled. • Records should be stored in a suitable format to retain quality, relevance, accessibility, durability and reliability. • Records are appropriately secure in accordance with the confidentiality and importance of each record. 1 Paper 2 • A contingency plan should be in place to provide protection for records which are vital to continued functioning of the unit. 5. Disposal of Records The disposal of records, which includes either destruction or transfer to archives, should follow the Keele University Records Disposal Schedule (found on the Planning & Secretariat website: http://www.keele.ac.uk/admin/ps/governance/policies/policies_home.htm). All staff are responsible for compliance with the Records Disposal Schedule. 6. Responsibilities for Records Management The Secretary & Registrar is responsible for the implementation of a corporate records management procedure within Keele University. The Planning & Secretariat Directorate are responsible for developing a Code of Practice and providing guidance for operational use within the Institution. For the life of this Code of Practice, Faculties and Directorates should ensure all staff are aware of the Records Disposal Schedule and are responsible for monitoring compliance. Directorates, Schools and Research Institutes are responsible for developing local best practice guidelines for staff to follow and adopt records management principles. All members of staff are responsible for ensuring they exercise good records management in their daily working practice. O:\Governance\Records Management\Keele's RM Code of Practice.doc 2 ANNEX B Paper 2 Options Appraisal for Records Management Approach This document briefly summarises four options that could be undertaken by the project team to begin the records management review. These options are: 1) 2) 3) 4) The Full Information Audit A Sample Information Audit An ISO-based Audit Approach A survey based approach Details of the four options are outlined below: 1) The Full Information Audit Description: A full audit would take the form of a detailed questionnaire being sent to an appropriate representative of an area (eg. School Manager) asking for full details of their Records Management systems. This questionnaire would then be followed up with a number of 1 – 2 hour interviews where the answers would be discussed in detail and examples shown to the RM team. These would be conducted on a rolling basis. Pros Cons Full and complete understanding of RM Very time intensive for both interviewee in every area of the University and interviewer Strong base to work upon for Will generate much repetition on areas of further/future audits. common RM activity May lead to interviewee ‘misleading’ the RM team, to hide non-compliance Evaluation: A full information audit does have its advantages, but at the early stage of this project, may be an extremely intensive option with very few outputs – potentially leading to less ‘buy-in’ from staff across the institution. Recommendation: Do not adopt this approach at present. 2) A Sample Information Audit Description: Built upon the same principles as a full audit eg. Questionnaire and follow-up interviews, but would only sample a proportion, say 10% of the University. It would be advised that this 10% would be a cross-section from each of the areas of the University and would be conducted on a rolling programme each year. Pros Cons Less intensive than a full audit for the Still very time intensive for both institution as a whole. interviewees and interviewers involved Provides a base-line for each area, once Will mean that on a 10% proportion, the audit has been conducted. Schools will only be audited once every 7 years but Faculties, once every 3 years. Still may lead to interviewee ‘misleading’ the RM team, to hide non-compliance May miss some key areas of concern, because of the selection of areas to audit. Evaluation: This approach is more palatable for all involved in terms of the time commitment and the potential for the project to begin to have an impact from an earlier date; however, this approach also has a number of weaknesses. Recommendation: Consider this approach as adoptable once RM Policy has been developed to ‘maintain’ the new standards. ANNEX B 3) An ISO-based Audit Approach Description: ISO would advocate a structure whereby a number of records managers (or persons with RM responsibility) would be identified across campus and their task would be to sample and review compliance with the University Policy/Practice in their specific areas and report this back to the Records Manager. Pros Cons Responsibility for RM becomes devolved Large time commitment for those from the centre, hence making it more identified with records management likely to be ‘taken-up’ across the responsibility University. Compliance is judged by those who are Keele to date has not established ‘in the know’ about an area of work, policy/practice for compliance to be because it is done internally. judged against Likely to be variance in the understanding of compliance and the thoroughness of the sampling conducted by those identified as having records management responsibility. Evaluation: This approach is rather mechanical and puts a lot of responsibility onto individuals not only to comply, but to also evaluate their own compliance. Whilst this approach may have its merits in the future, as there is currently no established policy/practice for records management, it would be unfair to adopt this approach. Recommendation: Do not adopt this approach at present. 4) A Survey Based Approach Description: This approach would begin with a survey to all areas of the University asking about key areas of records management practice. From these results, the answers would be evaluated and used to develop a policy. Following the adoption of the policy, Senior Managers would be asked to identify a person within each of their teams who would be willing to act as a Records Champion (RC). RCs would then have RM responsibility within their team and would act in a consultative way, rather like Workplace Safety Advisors, with 6 monthly workshops, where ‘hot-topics’ can be discussed and training issued etc. Pros Cons Informal approach that minimises the Will require ‘deliverables’ to be made commitment from ‘manager’ level early on in the process, to keep employees engagement levels high. Provides opportunity for feedback and inclusion Least time-intensive approach overall for all involved. Evaluation: This approach would be highly engaging and will ‘hit the ground running’, although the co-ordination of Records Champions may be complex to maintain. Overall, it is felt that this option has the most benefits for the Records Management project. Recommendation: Adopt this approach in helping to develop the policy and procedures for the Records Management Project. ANNEX C Paper 2 KEELE UNIVERSITY RECORDS MANAGEMENT POLICY 1.0 1.1 Introduction Keele University is committed to managing its records, in whatever format, to minimum agreed standards. This Policy establishes how the University will manage its records and supersedes the Records Management Code of Practice. It also defines the roles and responsibilities for the creation, storage, access, amendment and disposal of University information. This document provides the policy framework through which this effective management can be achieved and audited. 1.2 It covers: 1. Aims 2. Scope 3. Definitions 4. Responsibilities 5. Relationship with existing policies 6. Available Guidance 7. Storage 8. Disposal 9. Contacts 2.0 2.1 Aims The aim of this policy is to consolidate a consistent approach to Records Management across all functions within the University and establish requirements designed to help staff meet legal obligations relating to Records Management and to manage records so that their value as a corporate resource for the University is fully exploited. 2.2 It will ensure that non-essential records are destroyed in a consistent and confidential manner in line with the University’s disposal schedule. It allows the University to identify what it retains as a permanent record of its activities. The schedule also enables the destruction of those records which have outlived their administrative usefulness and are without significance for the historical or legal record. 3.0 3.1 Scope This policy applies to all records created, received or maintained by staff of the University in the course of carrying out their corporate function. Records and documentation created in the course of research, whether internally and externallyfunded are also subject to the University’s contractual record keeping requirements. These records may exist in printed or digital form. 4.0 4.1 Definitions Records are defined in the Lord Chancellor’s Code of Practice as: ‘Information created, received and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business. This is any information, regardless of format or medium, captured in a reproducible format. 4.2 A document is any piece of written information in any form, produced or received by an organisation or person. Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Page 1 of 3 Review Date: XX/XX/XX ANNEX C KEELE UNIVERSITY RECORDS MANAGEMENT POLICY Note all records start off as documents, but not all documents will ultimately become records. 4.3 Records Management is the creation, maintenance, control, storage and disposal of records in a way which facilitates their most appropriate, efficient and effective use. 4.4 A Disposal Schedule is a list of records and the appropriate time limits that they must be kept for before they can be confidentially destroyed or transferred to archives for permanent storage. This document also defines which area of the University is responsible for the storage and disposal of records. 5.0 5.1 Responsibilities The University has a corporate responsibility to maintain its records and recordkeeping systems in accordance with the regulatory environment. The Secretary and Registrar is responsible for the implementation of a corporate Records Management procedure within Keele University. 5.2 Governance is responsible for drawing up guidance for good Records Management practice and promoting compliance with this policy and is responsible for the coordination of the Records Management function across the University. It is also the responsibility of Governance to work with all areas of the University to ensure that this policy is understood and adhered to. 5.3 IT is responsible for supporting good Records Management by providing guidance and codes of conduct on the use of IT systems. IT is also responsible for the security of data held electronically and ensuring that it is backed up in accordance with University policy 5.4 Directorates, Schools and Research Institutes must ensure that records for which they are responsible are accurate, and maintained and disposed of in accordance with the University’s Records Management guidelines. They should develop local best practice guidelines for staff to follow and adopt Records Management principles. All records within a Directorate/School/Research Institute should have an identified ‘owner’ responsible for their management whilst in regular use. 5.5 All University staff who create, receive and use University records hold Records Management responsibilities. All members of staff are responsible for ensuring they exercise good Records Management in their daily working practice, which includes: The creation and maintenance of accurate and reliable records, where applicable to their role Ensuring electronic records are properly maintained and that they capture core information and remain accessible, readable and authentic Ensuring the security of records, irrespective of format, and for ensuring that access to records is only granted to those who are permitted to view them Following guidance provided in the Records Disposal Schedule with regard to the retention and disposal of records Ensuring records of a sensitive or personal nature are handled appropriately and in accordance with legal requirements Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Page 2 of 3 Review Date: XX/XX/XX ANNEX C KEELE UNIVERSITY RECORDS MANAGEMENT POLICY Supporting efficiency and the University’s Environmental Policy by avoiding duplication and only printing emails and electronic records when absolutely necessary 5.6 Members of staff should receive an introductory briefing on Records Management procedures. 5.7 Directorates, Schools and Research Institutes should nominate a ‘Records Champion’ to provide liaison across departments and to ensure the integration of records management practice throughout the University. 6.0 6.1 Relationship with existing policies This policy has been formulated within the context of the following University documents: Data Protection Act Guidance Freedom of Information Act Guidance 6.2 Compliance with this policy will in turn facilitate compliance not only with information related legislation (specifically Freedom of Information Act 2000 and Data Protection Act 1998) but also with any other legislation or regulations (including audit, equal opportunities and research ethics) affecting the institution. 7.0 7.1 Storage Records should be appropriately stored with due regard for efficiency, costeffectiveness, security, durability and access. Appropriate procedures and processes should be put in place to ensure the physical and intellectual security of University records. 7.2 Storage conditions and handling processes should be designed to protect records from unauthorised access, loss or destruction and from theft and disaster. 7.3 The retention of records for longer than necessary is discouraged and the duplication of records should be limited to optimise the use of space for storage purposes. 8.0 8.1 Disposal Records should be disposed of in accordance with agreed retention schedules. The retention schedule should be reviewed regularly and adjusted if necessary. At the expiration of their currency, records should either be destroyed or if they have lasting historical value added to the University archives. 9.0 9.1 Available Guidance It is the responsibility of Governance to provide guidance to all staff on good Records Management practice. 9.2 Further information can be found on the Planning and Academic Administration webpages: www.keele.ac.uk/recordsmanagement/ Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Page 3 of 3 Review Date: XX/XX/XX Paper 2 KEELE UNIVERSITY RECORDS MANAGEMENT GUIDANCE - INTRODUCTION What is the purpose of this guidance? This is part of a series of guidance notes which have been produced as part of the University’s records management. Their aim is to assist the University to put in place a comprehensive records management framework. This guidance aims to recommend some day-to-day actions that can be followed to ensure good records management and should be read alongside the Records Management Policy. Who is this guidance for? This guidance is intended for all University staff that create, receive and use records, including emails. Why are records important? Records are vital for the day-to-day functioning of the University: they support the decisionmaking; document its aims, policies and activities; and ensure that legal, administrative and audit requirements are met. They are the basis on which decisions are made, services provided and policies developed and communicated.’ Records, if well-kept, are a reliable source of evidence and information What is records management and why does it matter? Records management is about controlling records in an efficient and systematic way throughout the lifecycle of a record, defined as the creation, use, maintenance and final disposal. Effective records management is based on the principles of regular review and controlled retention or destruction of records with the general aim of ensuring cost-effective business processes, legal and regulatory compliance and corporate accountability. For records to perform their various functions, some form of management is needed. Management includes control over what is created, the development of effective and efficient filing systems to store the records, and procedures for the retention of those records. Available Guidance University guidance on the procedures necessary to comply with this Policy are available and cover: Records creation Business classification Archival records: selection and management Records disposal Destruction options Disposal Schedule Further information JISC: http://www.jisc.ac.uk/whatwedo/programmes/programme_supporting_irm.aspx Records Management Society of Great Britain: http://www.rms-gb.org.uk Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Review Date: XX/XX/XX KEELE UNIVERSITY RECORDS MANAGEMENT GUIDANCE - INTRODUCTION National Archives Office: (standards for the management of public records and electronic records guidance): http://www.nationalarchives.gov.uk/information-management/projectsand-work/information-records-management.htm Lord Chancellor’s Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000: http://www.proni.gov.uk/lord_chancellor_s_code_of_practice_-_section_46.pdf The section 46 code of practice was revised and re-issued on 16 July 2009: http://www.justice.gov.uk/guidance/foi-guidance-codes-practice.htm Contacts For information about this policy or records management in general please contact: Records Management: Jen Paddison – Governance Officer: Tel: 01782 733655 Maria Nield – Governance & Audit Officer: Tel: 01782 734633 For Data Protection Act: Fiona Dumbelton - Governance Manager: Tel: 01782 733373 For Freedom of Information: Jo Sylvester – Governance Officer: Tel: 01782 733589 Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Review Date: XX/XX/XX Paper 2 KEELE UNIVERSITY RECORDS MANAGEMENT GUIDANCE – ARCHIVE & DISPOSAL What are Archives? Archives are permanently valuable records that document the history and heritage of the University. Why Archive? You may wish to archive documents for various reasons, such as: lack of space in the live system, removal of old data that has been processed at the end of a pre-defined period (end of year), or legal requirements to retain the information. How do I Archive electronic files? You may wish to archive electronic files this should be done by creating an archive sub-folder on a University network drive. Within the archive sub-folder you can then create a folder named ‘do not dispose’ and numerous folders with the naming convention as the date of destruction. This will make it easier to dispose of the archived records when they reach their destruction date. What do I need to Archive files? Before you begin to archive you will need to use items that are suitable for storing items longterm such as archive cardboard boxes, paper files, plastic-ended treasury tags etc. as over time metal components may damage the files. It is therefore good practice to: Remove Replace with Paperclips, staples, pins, bulldog and fold back Plastic-ended treasury tags threaded clips through single hole in top left corner. Rubber bands or elastic straps Pages should turn easily without straining or tearing. Spiral and comb bindings Lever arch files, ring binders, plastic report Card wallets or envelope files (acid free covers for long-term storage). Plastic wallets How do I prepare files for Archiving? Documents and files need to be prepared prior to being put into the archive storage box. As noted above files should be removed from lever arch files and placed into card wallets/files and all metal removed. The documentation should be reviewed to remove and destroy any paperwork that is not required to be stored, i.e. personal notes, duplicate items etc. How do I create an Inventory? The first step to archiving your documents is to create an inventory. The best way to do this is by using a standard template detailing all the relevant information of the archive box contents. An ‘Archive Box Contents Form’ is available on the Records Management webpages or you can create one of your own ensuring that the following information is included: Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Review Date: XX/XX/XX KEELE UNIVERSITY RECORDS MANAGEMENT GUIDANCE – ARCHIVE & DISPOSAL Box reference number Office or team details A contact name and job title of the person archiving documents Contact telephone number for person archiving documents Storage Date Destruction Date (in accordance with the Records Disposal Schedule) Your filing reference (if applicable), A brief description of document, i.e.: Council Minutes – Golden Copy Relevant Dates. A copy of the inventory will be included in the box and a copy should be filed under records management in your department. What should I include in / on the Archive Box? Once the documents / files have been cleansed they can be put into the archive box. A copy of the inventory should be placed on the top of the documents / files at the top of the box. You should pack your box carefully, taking care not to overfill or make it too heavy. (Please see the Occupational Health and Safety Committee web-pages for information on lifting and moving boxes) You should store similar items together as they are more likely to have a similar destruction date. Your inventory should not be included on the lid of the box for security reasons. On the outside of your box you should write the box reference number and destruction date. This should be written on all four sides of the box and the top. This information should be clearly written in large writing with a marker so it can be easily read without requiring movement of the box. The box should then be secured and sent to storage/archive for your office/team. original inventory should be filed under records management in your department. The How do I get Box Reference Numbers? Box reference numbers should be allocated from a central list on an office/team devised system. They should be listed to show what numbers have been allocated and should also give details on: Who the number was allocated to Where the box is stored Storage date Destruction date Retrieval date Returned to storage date An ‘Archive Box Reference Numbers Form’ is available from the Records Management webpages or you can create one of your own ensuring that the above information is included. How do I retrieve Archive Boxes? If a document is needed after it has been archived you should approach the individual identified as the Records Champion in your team / office and request the documents you want. They will then review the inventories on file to identify the appropriate documents. This inventory should detail which box reference the document is in and thus where it is stored. Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Review Date: XX/XX/XX KEELE UNIVERSITY RECORDS MANAGEMENT GUIDANCE – ARCHIVE & DISPOSAL Your box will then be retrieved and recorded on the inventory as out of storage until it is returned, which should be within 3 months of obtaining the document. The Records Champion will document you as having taken the box from storage thus you become the owner of that box until it is returned. How do I dispose of an archive box? When a box is no longer required for retention, arrangements should be made for its destruction. You should seek permission to destroy a box from an authorised person (Manager) prior to its destruction. All confidential records, including those containing personal or financial information should be disposed of by shredding where possible, and through the confidential waste system in all cases. When destruction has been carried out you should complete the Certificate of Destruction for the destroyed records and update all relevant paperwork and file this with your Records Management information. The certificate and all other forms must be kept for six years after the box contents are destroyed in order to comply with legislation. How do I dispose of Electronic records? When an electronic record is no longer required to be kept, this may be deleted from all areas of the system including deleted items folders and/or recycle bin. Temporary files will be saved on your PC; it is prudent to use PC software to remove these when you have disposed of confidential records. Further information on how to do this is available on the IT webpages. Disaster Prevention Planning Your documents are valuable, so it is important that we take care to ensure their safety. Some of the most common things that can damage documents are liquids, exposure to light, mice, fire, and flooding. The location of archived documents should be appropriately configured to offer protection from these possible occurrences. If you have any concerns about the storage facilities within your team / office, you should contact Estates for advice on how to prevent damage to your records. Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Review Date: XX/XX/XX Paper 2 KEELE UNIVERSITY RECORDS MANAGEMENT GUIDANCE-CONFIDENTIAL RECORDS What Records are Confidential Records? There are two types of Confidential Records that are produced as a result of University business. These are records that contain either; Personal Data relating to living individuals that can be identified by this data as defined by the Data Protection Act 1998. Commercially Sensitive information relating to the University and its activities, the activities of its partners, staff or students, which is not intended for general public consumption and is to be considered by authorised individuals only. NB. It is important to note that the definition of a record can be extended to an email, any other type of electronic documents and also hand-written documents, including post-it notes. Personal Data The definition of Personal Data under the Data Protection Act 1998 is reasonably complex and therefore for day to day purposes it is best to assume that all information about a living, identifiable individual should be treated as Personal Data. The Data Protection Act 1998 states that Personal Data should be; 1. Processed fairly and lawfully. 2. Obtained for specified and lawful purposes. 3. Adequate, relevant and not excessive. 4. Accurate and up to date. 5. Not kept any longer than necessary. 6. Processed in accordance with the “data subject‟s” (the individual‟s) rights. 7. Securely kept. 8. Not transferred to any other country without adequate protection in situ. Sensitive Personal Data In addition, some personal data is classed as sensitive personal data. This type of data is subject to further regulations under the Data Protection Act 1998 and can only be processed under certain circumstances. Personal data becomes sensitive if it includes any of the following types of information about an identifiable, living individual: racial or ethnic origin; political opinions; religious beliefs; trade union membership; physical of mental health; sexual life; commission of offences or alleged offences. Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Review Date: XX/XX/XX KEELE UNIVERSITY RECORDS MANAGEMENT GUIDANCE-CONFIDENTIAL RECORDS Commercially Sensitive Data Some records may be produced that are considered to be commercially sensitive records due to their content. These may be records that contain financial information about the University or one of its partners, or other information of a similar nature that is not currently within the public domain. These records should be labelled as „Confidential‟ or „Commercial in Confidence‟ and be clear as to who within the organisation should be able to access and use these records. It is also good practice for the record to hold an intended publication date, as few records remain confidential for their entire life-span. N.B. Labelling a record ‘Confidential’ does not exempt the record from being admissible under the Freedom of Information Act 2000. Further information can be obtained from the University’s Freedom of Information web-pages or the FOI Officer. What is not confidential? Any record or document that is already in the public domain for example: Prospectuses; Regulations, Charters, Statutes; Published Minutes; Course guides; Published surveys; Theses (accepted); Blank examination papers (post exam). Handling and storing confidential records Information being supplied in confidence should be stamped, marked, or include a statement that it is confidential or being supplied in confidence, and be treated in a consistent confidential manner. The following guidelines should be considered for confidential records: Store confidential records in secure filing cabinets. Cabinets should always be kept locked when not in use, not located in a public area, and access to the confidential records should be restricted only to those employees that require the information; Confidential records should never be left in a public open area such as an in-tray or on a desk. The record should be returned to the cabinet when not in use; Confidential records must be destroyed by confidential waste disposal or shredding only; For electronic records, store confidential records in separate directories or files and restrict access to these directories or files; Laptops that hold confidential information should be encrypted by IT Services; Confidential information should not be copied to non-University equipment; Confidential information should be removed from University equipment prior to disposal; Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Review Date: XX/XX/XX KEELE UNIVERSITY RECORDS MANAGEMENT GUIDANCE-CONFIDENTIAL RECORDS When using a memory stick – temporary files will be saved on your PC; it is prudent to use PC software to remove these when you have completed your work. Staff storing sensitive or confidential University information on portable electronic devices, in particular memory sticks and laptops should read the „Guidelines for the storage of Sensitive and Confidential Data on Laptops and Memory Sticks‟ available on the IT website. These guidelines also detail encryption information and how to remove temporary files. Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Review Date: XX/XX/XX Paper 2 KEELE UNIVERSITY RECORDS MANAGEMENT GUIDANCE - ELECTRONIC How should we keep records? Records should be held in files - these may be paper based or held electronically in shared directories, databases or document management systems. The files should be organised in a structured way and have some indication as to their contents and relevance. Where there are confidentially issues, files may be held on a computer or email box or in a secure storage area but colleagues should be able to access them in your absence. What points should I bear in mind when managing my e-mails? E-mails may be disclosed in response to a freedom of information or data protection request and in legal cases. Electronic messages can be legally binding and we may be held liable for defamatory statements in e-mails. For these reasons, do not put anything in e-mails that you would not say in other forms of communication. If an e-mail contains important information or an important decision, it should be added to the relevant file/folder either electronically or a hard copy. An email can be saved electronically using ‘File – Save as - File’. The majority of emails produced are trivial; it is therefore, a drain on University resources to store them on our system and can cause a delay in responding to a subject request because of the additional time caused in searching through them. Under the Data Protection Act we should keep information about people for no longer than necessary; this includes e-mails to and from or about people. You should delete e-mails as soon as possible and should not allow a backlog to accumulate as this then becomes difficult to manage. Emails should also be deleted from your deleted items folder and/or recycle bin. Because e-mail is a record you need to know that you can find it quickly and easily if you have to disclose it because of a Data Protection or Freedom of Information request. Sending attachments Try to avoid sending documents as attachments. Instead send a link or tell people where the document can be found. This ensures documents are less likely to get lost and everyone looks at the most up to date copy so there is no confusion over which version is the correct or latest one. Controlling your inbox E-mails need to be treated just like other records you deal with. You wouldn’t leave paper mail piled up permanently in your in tray so you should treat your inbox in the same way. When you receive an e-mail act on it as soon as possible and then delete it. If it needs to be kept then file it. Do you need to print e-mails? Apart from the cost (environmental and financial) paper is easy to mislay. If the e-mail is needed to record official business procedure, note that paper printouts of e-mails don’t hold the same legal weight as e-mails filed electronically. Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Review Date: XX/XX/XX KEELE UNIVERSITY RECORDS MANAGEMENT GUIDANCE - ELECTRONIC On which drive should I save my information? Do not use your computer hard drive (c:// drive) to store information as this drive is not backed up. Use your personal drive (s:// drive) only for information which is confidential or personal. Shared drives should be used for current work to which your colleagues may need access. Do not password protect material unless your colleagues know the password so that the information can be accessed in your absence. The University website should be used for making available non-sensitive information which is needed across the University for reference purposes. How should I manage my electronic files and folders? If you create a folder on a shared drive or on your personal drive, you should take responsibility for maintaining the contents of that folder. Do not allow out-of-date material to accumulate in it. If a document is not accessed in the course of eighteen months, it should probably be deleted from the drive unless it is the master file copy then it should be archived. Naming Convention Documents and folders should have file titles which are easily understood by all members of staff. Do not name them after yourself, as this will be meaningless to others if you leave. Likewise, only use commonly understood abbreviations. The title should clearly indicate what the document is and the version status, such as, draft V1, draft V4, final etc. How should I dispose of my computer? In all computer disposal circumstances (including all computers passed to Keele staff or students thus, leaving campus), data and licensed software stored must be securely removed beforehand. It is insufficient to delete the files and then empty the recycle bin as these files are relatively easy to restore and view. All staff must therefore contact the IT Services Help Desk so a technician can securely remove all data and licensed software from the computer. Further guidance is available in the IT website. Staff wishing to dispose of PC’s should contact Mark Norcup, Residential Operations, CFM after IT Services has cleansed the computer who will pass on the computer to Keele’s accredited PC disposal agent. Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Review Date: XX/XX/XX Paper 2 KEELE UNIVERSITY RECORDS MANAGEMENT GUIDANCE – GOOD PRACTICE How long should I keep my records? The length of time records should be kept can vary depending on the type of documentation and legal constraints, for more details on how long to keep specific records see the University’s Disposal Schedule. How should we keep records? Records should be held in files - these may be paper based or held electronically in shared directories, databases or document management systems. The files should be organised in a structured way and have some indication as to their contents and relevance. Where there are confidentially issues, files may be held in a secure storage area, on a computer or email box but bear in mind that colleagues should be able to access them in your absence. What information should I keep as a record? Exactly what records you keep on file will vary according to the work you do, however reasons for keeping records include but are not exhausted to: There is a legal requirement to keep the information, The information is needed to carry out the University’s everyday business, The information is for financial purposes, Information explaining why and how a particular decision was made, The information is needed if a decision is challenged, Publicly accountable For most topics there should be one lead file – The ‘Golden Copy’. This will be the file of the person or department who has the lead on the topic concerned, for example, a committee secretary’s set of minutes and papers. Other members of staff may also have a file on the same subject but they should keep this only for so long as is needed for their personal reference. General advice on good records management When managing your records you must consider factors such as how your colleagues can access the files if necessary, how to ensure that records are kept for as long as necessary but not too long so as to be a burden on storage. Some general guidelines which may help to meet these and other aims are: avoid duplication - create records only where necessary, name files, electronic and paper, in a way that is meaningful to you and your colleagues, avoid long, complicated numbering or coding that may be easy to misfile, have a filing system that can be accessed by all that have a right to, while also balancing it with appropriate security arrangements, i.e. computer passwords, locked filing cabinets, store material appropriately, do not overfill boxes or cabinets, sort files regularly, dispose of records in a timely manner and use confidential waste collection or shredding facilities where available. Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Review Date: XX/XX/XX Paper 3 KEELE UNIVERSITY FREEDOM OF INFORMATION POLICY 1.0 Introduction 1.1. It is a legal requirement under the Freedom of Information (FOI) Act 2000 that the University complies with this legislation. 1.2. Keele University is committed to supporting and implementing the Act and this document provides the policy statement and framework through which this compliance is achieved. 2.0 Context 2.1. The FOI Act 2000 gives the public a general right to access information held by public authorities, subject to certain conditions and exemptions. 2.2. Requests for information can be made by anyone, anywhere and for any reason. The Act applies to both historic and new information held by the University and applies to all information recorded in any format. 2.3. The purpose of the FOI Act 2000 is to create a culture of openness across the public sector. 2.4. The University endorses and adheres to the principle of public access to official information. 3.0 Scope 3.1. This policy applies to all information that is created, received or maintained by staff and students at Keele University and by external partners on behalf of Keele University. 3.2. This policy applies to all records of information regardless of format, i.e. both hard copy and electronic records, formal and informal. 4.0 Requirements 4.1. The University is required under the FOI Act 2000 to: Maintain a Publication Scheme, which identifies a range of information documents that are routinely and proactively published in the public domain. Provide access to University information which is not otherwise published on receipt of a written request, stating the name and address of the requestor and describing the information required Inform the requestor in writing whether we hold the information requested and, where applicable, to communicate that information to them within 20 working days, subject to any exemption or fees Where information is exempt from disclosure, to send the requestor a notice which specifies and explains the reason why If a fee is chargeable, to send the requestor a fees notice, stating the amount required To provide advice and assistance, as far as is reasonably possible, to anyone seeking information from the University. 4.2. The University will ensure that robust systems for the management of University records and information are in place, including maintaining a Records disposal schedule setting out retention and disposal periods for records. Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Review Date: XX/XX/XX KEELE UNIVERSITY FREEDOM OF INFORMATION POLICY 4.3. The University will provide guidance documents to staff, students and members of the public on relevant aspects of the FOI Act 2000. 5.0 Roles and Responsibilities 5.1. It is the responsibility of all members of Keele University to comply with this policy and the FOI legislation by consulting with the Governance Team. This includes staff, students and those who are contracted to the University for a particular service or research project. 5.2. The Governance Team are responsible for ensuring that the University has sufficient policies, guidance and training available in order for the University to comply with the Freedom of Information Act legislation. 5.3. Senior Management are responsible for ensuring that staff within their areas are made aware of the existence and contents of this policy and that staff in their areas comply with requests for information from the Governance Team in response to requests for information. 6.0 Publication Scheme 6.1. The Publication Scheme specifies: What information the University will make available to the public as a matter of course When information becomes obsolete or suspended that the information is removed or replaced Whether this information will be made available free of charge or on payment of a fee 6.2. The Publication Scheme shall be reviewed annually by the Governance Team in accordance with University policies to ensure that: When new information is produced by the University, details are incorporated into the scheme When information becomes obsolete or suspended that the information is removed or replaced Contact details of key staff or teams are accurate and data is accessible. 7.0 Requests for Information 7.1. Information not available via the publication scheme will generally be accessible through written requests for information which may be submitted in any format to any member of staff. Oral requests are not acceptable. 7.2. Requests for information do not need to make direct reference to the Freedom of Information Act, but they must describe clearly the information being sought. 7.3. Applicants who submit a request have the right to be informed whether the information is held, a right to receive the information (subject to exemptions) and the right to appeal non disclosures and to request internal reviews 7.4. Applicants who submit a request do not need to give a reason for their request nor proof of identity. A valid name and correspondence address is required with all requests. (This can be either electronic or postal) Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Review Date: XX/XX/XX KEELE UNIVERSITY FREEDOM OF INFORMATION POLICY 7.5. All requests for information that are outside of normal working practice will be dealt with by the Governance Team. Requests for information received by staff should be forwarded immediately to the Governance Team. 7.6. Valid requests shall be dealt with within 20 working days of receipt, unless there is a requirement for the applicant to provide further clarification or the payment of fees, in which circumstances the 20 working days will re-start once the further clarification or fee has been received. 8.0 Exemptions 8.1. Some information is exempt from disclosure under the FOI Act and so does not need to be provided. Where information is exempt from disclosure, the University will: Where the exemption allows, state whether the information is held Give details of the reasons why the information has been withheld Explain which sections of the FOI Act details the exemption used to withhold the information Inform the applicant of their right to appeal the decision, initially to the FOI Officer, then subsequently to the University Secretary and Registrar and ultimately, if still unsatisfied, to the Information Commissioners Office. 8.2. There are 23 exemptions under the Act. Many of the exemptions may only be applied if the public interest in withholding the information is greater than the public interest in releasing it; these are referred to as qualified exemptions. Some exemptions are automatic, such as personal information and these are referred to as absolute exemptions. 9.0 Charges and Fees 9.1. Unless otherwise specified, information made available through the Publication Scheme will be free of charge 9.2. In cases where it is appropriate to provide information in hard copy format, we may charge to cover the photocopying costs only if the documents in question exceed 50 sheets of A4 paper. This is charged at 10p per sheet plus postage and packaging. 9.3. If the costs of obtaining information exceed reasonable limits (as set out by the Fees Regulations, currently £450 or about 2.5 days of staff time), the University will alert the applicant and attempt to refine the request to as to reduce the potential retrieval cost. Where this is not possible, the University may pass on the cost to the applicant. In this instance, the University will issue an official invoice based on our estimate of costs and will undertake retrieval after payment of the costs. In extreme circumstances, the University may still exercise the right of exemption of the information through disproportionate effort. Examples of normal working practice would be requests for prospectuses or copies of documents that would normally be undertaken as part of day to day working. Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Review Date: XX/XX/XX KEELE UNIVERSITY FREEDOM OF INFORMATION POLICY 10.0 Appeals and Complaints 10.1. If an applicant is dissatisfied with the outcome of a request, or the manner in which it was handled, applicants have the right to appeal to the FOI Officer. Receipt of the appeal shall be acknowledged and a comprehensive reply will be provided within 14 working days. 10.2. If the applicant is still dissatisfied, applicants have the right to complain to the University Secretary and Registrar for review. Receipt of the complaint will be acknowledged and a comprehensive reply provided within 14 working days. 10.3. If a complainant remains dissatisfied with the outcome of their complaint, they may see an independent review from the Information Commissioner’s Office (ICO), which is the independent body responsible for overseeing the act. The ICO can be contacted using the following address: Information Commissioner’s Office Wycliffe House Wilmslow Cheshire SK9 5AF Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Review Date: XX/XX/XX Paper 4 KEELE UNIVERSITY DATA PROTECTION POLICY 1.0 Introduction 1.1. It is a legal requirement under the Data Protection Act 1998 that the University complies with this legislation. 1.2. Keele University is committed to supporting and implementing the Act and this document provides the policy statement and framework through which this compliance is achieved. 2.0 Context 2.1. ‘Personal Information’ as defined by the Data Protection Act is information which relates to a living individual and from which this individual can be identified, either directly or indirectly. 2.2. Personal Information is held in, or can form part of, many records including student records, staff files and identifiable research data. Personal Information is variable and diverse in its nature and is often crucial to the business needs of the University 2.3. It is the responsibility of all individuals within the University to ensure that Personal Information is handled with care and in compliance with this policy and the Data Protection Act 1998. 3.0 Scope 3.1. This policy applies to all Personal Information that is created, received or maintained by staff and students at Keele University. 3.2. This policy applies to all members of the University, including staff, students and others acting on behalf of the University who are given access to University records and information. 3.3. This policy applies to all records of Personal Information regardless of format, i.e. both hard copy and electronic records, formal and informal. 4.0 Notification and Authorised Recipients 4.1. In compliance with the Data Protection Act 1998, the University will notify the Information Commissioners Office (statutory regulator of the Act) of the reasons why personal data is collected and used. 4.2. Keele University’s notification allows the University to hold data under ten Purposes: Staff Agent and Contractor Administration Advertising Marketing Public Relations General Advice Services Accounts and Records Education Student and Staff Support Services Research Other Commercial Services Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Review Date: XX/XX/XX KEELE UNIVERSITY DATA PROTECTION POLICY Publication of the University Magazines and Handbooks Crime Prevention and Prosecution of Offenders (eg. CCTV) Alumni Relations 4.3. Disclosure of information held under the Registered Purposes will only be permitted to those authorised recipients as defined under the Data Protection Act. 4.4. The University will only disclose personal information to authorised recipients where to do so is both allowed by the provisions of the Data Protection Act and it is deemed appropriate to do so. 4.5. Disclosure of any information covered by the Data Protection Act must only be allowed with the permission of the designated Data Protection Officer within the Governance Team. 5.0 Principles 5.1. When processing personal information, the University will do so in accordance with the eight Data Protection Principles, which states that information must be: Fairly and lawfully processed; Processed for limited purposes; Adequate, relevant and not excessive; Accurate; Not kept for longer than is necessary; Processed in line with your rights; Secure; Not transferred to countries without adequate protection. 6.0 Roles and Responsibilities 6.1. It is the responsibility of all members of Keele University to comply with this policy and the Data Protection Act 1998 legislation. This includes staff, students and those who are contracted to the University for a particular service or research project. 6.2. The Governance Team are responsible for ensuring that the University has sufficient policies, guidance and training available in order for the University to comply with the Data Protection Act legislation. 6.3. Senior Management are responsible for ensuring that their staff within their areas are made aware of the existence and contents of this policy. 6.4. Students have the responsibility for ensuring they comply with this policy and the legislation. Students should not compile or maintain files containing personal information without the express permission of the appropriate member of staff. 7.0 Subject Access Requests 7.1. Staff, students and other data subjects in the University have the right to access any personal information that is help by the University about them. Individuals should submit a Subject Access Request in writing to the University Data Protection Officer to receive this information. Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Review Date: XX/XX/XX KEELE UNIVERSITY DATA PROTECTION POLICY 7.2. Requests for information should clearly state what information is being requested. 7.3. The University will respond to Subject Access Requests in accordance with the Data Protection Act legislation. Requests for personal information will be dealt with as quickly as possible and within the 40 calendar days time period as defined by the Act. 8.0 Verification and Fees 8.1. It may be necessary, to prevent fraudulent behaviour, to require verification of an individual’s identity when processing a Subject Access Request. This would normally be in the form of photographic identification. 8.2. Parents, relatives or others (such as Solicitors) are not able to make Subject Access Requests or access any personal information regarding a member of staff or student without the written consent of the individual in question. Verbal confirmation by the individual is not sufficient. 8.3. The University may charge £10 for each Subject Access Request made under the Act. 9.0 Complaints and Requests for Cessation of Processing 9.1. Complaints about the processing of a Subject Access Request or the processing of personal information should be made to the Data Protection Officer in the first instance. 9.2. The University will respond to complaints within 28 days of receipt of the complaint. 9.3. Individuals who want to request that their personal information is NOT processed by the University should do so in writing to the Data Protection Officer. 9.4. Requests for the cessation of personal information processing will be actioned and responded to as quickly as possible and within 28 days. 9.5. If a complainant remains dissatisfied with the outcome of their complaint, they may see an independent review from the Information Commissioner’s Office (ICO), which is the independent body responsible for overseeing the act. The ICO can be contacted using the following address: Information Commissioner’s Office Wycliffe House Wilmslow Cheshire SK9 5AF Version No: 1 Approval Date: XX/XX/XX Owner: Planning & Academic Administration Review Date: XX/XX/XX
© Copyright 2024