All University web hosted services will be at risk of downtime every Tuesday between 7am to 9am.

Jump to accessibility statement Skip to content
Close menu

Close

Close menu

Records Management Policy


Techical Services / Cyber Security and Information Governance / Information Governance / Information Governance Policies / Records Management Policy
Lp2

Records Management Policy

The following is a web version of the current University of Sunderland Records Management Policy

Version 1.0 - written November 2018

Review date - December 2020

1. Introduction

Records Management is the process by which an organisation manages all the aspects of records, whether internally or externally generated and in any format or media type, from their creation, all the way through their lifecycle to their eventual disposal.

Records created by the institution to support its core functions and to comply with legal and regulatory obligations, must be handled effectively to contribute to the overall management of the University. This policy provides a framework for managing the University’s records and introduces a series of Records Management related policies, procedures and guidance notes which have been drawn up in conjunction with the Lord Chancellor’s Code of Practice on the Management of Records revised and reissued under s46 Freedom of Information Act 2000 and associated guidance from the Information Commissioner’s Office.

2. Purpose and Scope

The purpose of this policy is to provide a robust managed approach to the management of corporate records held by or on behalf of the University. This policy, together with the associated procedures and guidance notes, applies to the management of all documents and records, in all technical or physical formats or media, created or received by the University in the conduct of its business activities.  It applies to all staff, contractors, consultants and third parties who are given access to our documents and records and information processing facilities.

3. Policy

The following principles form the University’s records management policy, the implementation of which is guided by robust processes, procedures and guidance notes. In following these principles along with sufficiently robust responsibilities (outlined in the responsibilities section) the University can be assured of a fit for purpose and well managed corporate records environment.

  • legislative compliance - compliance with record keeping provisions in current legislation such as the Freedom of Information Act, the Data Protection Act and the Environmental Information Regulations.
  • lifecycle management – records must be kept for an appropriate length of time and in an appropriate manner. They must be disposed of at the end of their lifecycle in accordance with policies, procedures and best practice and in accordance with the University’s Records Retention schedule.
  • confidentiality – University records must be protected from unauthorised access.
  • integrity – the accuracy and completeness of University records must be safeguarded and unauthorised amendment or destruction prevented.
  • availability – University records must be available to authorised users in line with business and funding body requirements.
  • efficiency – University records must be available to authorised users in a form that ensures efficiency and ease of use.
  • authentication – the identity of the persons accessing highly restricted and critical systems which permit the creation, amendment or deletion of University records must be recorded and verifiable.
  • semi-current manual records (records which are not in regular use, but which have not yet reached their disposal date) will be managed, where appropriate, in the University storage systems
  • disclosure and transfer – when the University enters into a partnership, protocols should be established with the partner organisation covering the storage and retrieval of information, the information to be retained and by whom, the level of security required, who has access to the records and the disposal arrangements.
  • incidents involving records – any incidents involving the inappropriate use, loss, alteration, inappropriate storage or accidental or malicious disclosure of records will be managed in accordance with the University’s information security incident management process and other related Information Governance policies.

4. Definitions

4.1 Record(s)

The International Standards Organisation (ISO) defines record(s) as “recorded information, in any form, created or received and maintained by the organisation in the transaction of business or conduct of affairs and kept as evidence of such activity”

 4.2 Records Management

Records management is a discipline, which uses an administrative system to direct and control the creation, version control, distribution, filing, retention, storage and disposal of records, in a way that is administratively and legally sound, whilst at the same time serving the operational needs of the organisation and preserving an appropriate historical record.

5. Roles and Responsibilities

We have a responsibility to ensure that our records are managed well. Different staff have different roles in relation to records management and these responsibilities are detailed below:

The Executive member with overall responsibility for this policy is the Chief Operating Officer. S/he is responsible for deciding on the outcome of internal reviews of Freedom of Information requests and EIR requests.

Director of Technical Services, who performs the role of the University’s Senior Information Risk Owner (SIRO) is responsible for:

  • Ensuring that an overall culture exists that values and protects information within the organisation
  • Owning the organisation’s overall information risk policy and risk assessment process, testing its outcome and ensuring that it is used
  • Owning the organisation’s information incident management framework

Information Governance Team, responsible to the Director of Technical Services, is responsible for drawing up information governance and records management policy, process and guidance and ensuring compliance with this policy.

The University Deans of Faculty and Directors of Support Services (Information Asset Owners) have responsibility for ensuring compliance with the University’s Information Governance policies and ensuring any issues of non-compliance are addressed. They have responsibility for ensuring that an appropriate member of staff, in each Faculty and Service, takes on the role of “Information Asset Administrator”.

The Cyber and Information Governance Management Group is responsible for recommending policy direction on information governance to the Executive and monitoring that agreed policies are followed.

Members of the IG Working Group are accountable to the Information Asset Owner within their area and have a responsibility to monitor information governance compliance and awareness and be the primary point of contact and source of information and support within the Faculty/Service. The IG Working Group will report to the Cyber and Information Governance Management Group.

Individual employees and contractors have responsibility for ensuring that they comply with this policy and any related policies and guidance. Staff must ensure that the records for which they are responsible form complete and accurate records of their activities, and that they are maintained and disposed of in accordance with the University’s records management guidelines and information compliance policies.  Staff should attend training and awareness sessions provided by the University. Employees also have a duty to report any incidents or ‘near misses’ in relation to information governance.

6. Relationship with Other University Policies

This policy should be read in conjunction with the following policies / documents:

1. Information Security and Risk Management Policy

2. Data Protection Policy

3. University Retention Schedule

7. Monitoring and Compliance

Ongoing monitoring of compliance with this policy and supporting guidance material will be undertaken on a regular basis by the Information Governance Management Group and the IG Working Group.

8. Guidance

Guidance on the procedures necessary to comply with this Policy is available from the IG Team. This guidance covers: 

  • Records creation
  • Information Classification process
  • Business classification (for filing schemes)
  • Retention periods for records
  • Destruction options for records
  • Archival records; selection and management
  • External codes of practice and relevant legislation

9. Policy Review

This policy will be reviewed biennially. Unscheduled reviews will take place in the event of significant changes.

 

Records Management Policy

Version 1.0 - written November 2018

Review date - December 2020