Records management framework

A record is recorded information created or received by York St John University or individual members of staff to support and show evidence of YSJ activities.

All records are documents, but not all documents are records. In effect, a document becomes a record when it forms part of a business activity. An example of a document would be a blank form. If somebody completes and submits the form, it becomes a record, because it has participated in a business activity.

Records need to be reliable, have integrity (be complete or unaltered, except under controlled conditions) and be useable. Records therefore need to be subject to controls that ensure these features are maintained.

Information is a corporate asset. York St John University's records are important sources of administrative, evidential and historical information. They are vital to the University in its current and future operations (including meeting legislative requirements), for the purposes of accountability, and for an awareness and understanding of its history and procedures. They form part of the "corporate memory" of the organisation.

The University is subject to the provisions of the:

• UK GDPR
• Data Protection Act 2018
• Freedom of Information Act 2000
• Environmental Information Regulations 2004

This policy is based upon the international standard for records management, ISO 15489 and the Lord Chancellor´s code of practice on the management of records under Section 46 of the Freedom of Information Act 2000. It also draws on best practice guidance and principles from organisations such as JISC and the UK National Archives.

Internal policies related to the Records Management Policy and which form the University’s Data Governance Framework, are as follows:

• Data Protection Policy
• Freedom of Information Policy
• Data Retention Erasure Policy
• Subject Access Request Policy
• Clear Desk Poicy
• Acceptable Use Policy for University ICT systems

This Records Management Policy exists to ensure efficient management of York St John records, whether paper or electronic, that are created or used by staff, students, and associates of the University.

This policy underpins a wider framework which supports the University’s core activities and functions, meets expectations for good corporate governance and sets the parameters for complying with legal and regulatory obligations.

York St John University’s Record Management Policy sets out expectations for:

• the efficient and systematic management of records
• the creation, maintenance, retention, and secure disposal of records in order to provide accurate, secure, and accessible information about and evidence of the University’s transactions and activities
• implementation, through the definition of management responsibilities for record-keeping and requirements relating to staff support and development
• retention schedules, to govern the period of time that records will be retained

This policy applies to all York St John University staff, students, researchers, contractors, and agents. Any person who handles personal information for or on behalf of the University is responsible for the safety and security of that information under the Data protection legislation (UK GDPR, Data Protection Act 2018).

The policy covers all records (recorded information in any form) created or received in the course of York St John University business, corporate functions, and through the course of research (either internally or externally funded).

The policy is binding on all those who create or use University records, whether accessing records on or off-campus.

The Executive Board is responsible for approving the Policy. Senior staff with specific responsibility for the implementation of records management policy and procedures within their area have been identified. This includes the development and maintenance of local retention schedules within the University’s Records Retention Schedule. These senior staff are responsible for identifying an individual within their area with responsibility for maintaining the local schedule and monitoring compliance with requirements for record creation, maintenance and disposal, reporting matters as necessary.

All University staff should receive information on this Policy as part of their induction. University staff are responsible for:

• Creating and maintaining accurate and reliable records.
• Ensuring the security of records, irrespective of format, and for ensuring that access is only granted to those authorised to view them.
• Ensuring that electronic records are properly maintained and remain accessible, readable and authentic.
• Ensuring records of a sensitive nature are handled in strict confidence and in accordance with legal requirements.
• Following guidance on the retention and secure disposal of records provided within the Records Retention Schedule.

The Governance and Compliance office supports the implementation of the Policy by providing:

• Ad hoc support, advice and guidance to staff including advice on the parameters for data sharing.
• A resources bank on the website and Staff Intranet.
• Relevant training sessions (including for new staff on induction).

This Policy is reviewed annually. Review of the Policy will be conducted by the University Secretary and Registrar in line with current legislation, codes of practice and regulatory standard. The Executive Board is responsible for approval of the Policy.

In order to rely on the records the University holds, each record must have:

Reliability

• A reliable record is one whose contents can be trusted and depended upon for subsequent purposes.
• Records must contain full and accurate information.
• Records must be created at the time of, or as soon as possible after, the activity to which they relate.
• Record creation should be incorporated into routine activities and processes.

Integrity

• The integrity of a record refers to its being complete and unaltered.
• Records must be protected against alteration.
• Authorised amendments must be clearly identified and traceable.
• Migration of records from one system to another must be carefully controlled.

Usability

• A usable record is one which can be located, retrieved, presented and interpreted when required. Records must be easily locatable and accessible.
• The content and context of records must be interpretable and understandable by all authorised users.
• The circumstances surrounding the creation of the record should be clear, along with the identity of the creator/s and the date of creation.
• Records relating to the same activity should be associated, regardless of their format.

It is helpful for planning records management activities to bear in mind the different stages of the record lifecycle:

Creation

• Records may either be created naturally as part of a business process (e.g. sending letters or e-mails), created once an activity is complete (e.g. documenting oral decisions), or received from another source (e.g. incoming correspondence).
• Record “capture” refers to a record being created and kept, and its subsequent incorporation into a record keeping system.
• Full and accurate records should be created where they are needed to support business activities or to provide information or evidence about activities, transactions or decisions.
• Records should be created at the time of or as soon as practical after the event or transaction to which they relate.
• Records may be created in any format, including paper, electronic or digital mediums, as long as their usability, reliability and integrity can be preserved for as long as the record is needed.
• The context of a record should be clearly identifiable.

Use

• Records need to be maintained for as long as the record is required. Maintaining records appropriately will ensure that they can be protected, accessed and managed efficiently.
• Records in both physical (e.g. paper) and electronic formats should be efficiently locatable, retrievable and usable at any time and by any authorised person.
• Once a record is created and captured it must be protected against unauthorised alteration or destruction.
• Storage accommodation for records should be clean, tidy and organised, and offer the maximum practicable protection against damage by flood, fire or other risks.
• Records must be kept secure against unauthorised access, relative to the sensitivity of their content. Particular protection should be given to records containing personal information.

Retention

• Records should have defined cut-off points to determine when files will be closed and new ones opened (normally based on academic years), and will facilitate their subsequent retrieval, retention and disposal.
• Each University department is responsible for managing the retention periods and schedules of its records. Retention schedules set out the period of time that records should be retained for, according to the particular activities that they serve, and what actions need to be taken when the retention period expires. The University’s Data Retention and Erasure Policy can be found on the University website and departmental retention schedules, along with relevant guidance and templates, can be found on the Staff Intranet.
• Records which are not to be retained permanently should be destroyed in accordance with the periods specified in the Record Retention Schedule and in line with section 4 of this policy.
• If records are temporarily or permanently moved to another location (e.g. offsite storage), either within the University or externally, their movement should be logged to ensure that the record can always be located when required.
• The team or individual responsible for managing each particular record series will usually be apparent from the context of the record and its creation. Where this is not clear, responsibility should be ascertained as appropriate.
• Records no longer required for current business or compliance needs, but with long term historical value, should be archived for permanent preservation.

Disposal

Disposal is the final state of the record, i.e. destruction or retention. Unnecessary retention or premature destruction of records carries different but comparable liabilities to the University. Records due for disposal should be destroyed by methods appropriate to the sensitivity or confidentiality of their content. Particular care should be taken with records containing personal information. The more sensitive the information, the greater the level of security required.

Directorates and departments are responsible for putting in place a process to review records that they are responsible for, their storage and disposal. This document is intended to give information about appropriate disposal methods and does not cover every single instance of information that may be held by directorates or departments.

Some information may have specific retention and disposal requirements which are different to the below, e.g.; some contracts governing provision of access to research data and the funding of research may specify how and where data is stored, accessed, and disposed of; credit card information retention and disposal must conform to the Payment Card Industry Data Security Standard (PCI DSS) further information on which can be found on the PCI Security Standards website; information from the Criminal Records Bureau Disclosure Service must be handled in adherence with the Disclosure and Barring Service Code of Practice.

It is important to dispose of information in the manner most appropriate to its contents. Not every physical piece of information or record needs to be disposed of via the confidential waste service.

If you need to dispose of computing equipment which has been used to store personal data or sensitive information, this should only be done after reasonable precautions have been taken to erase the data on it. Advice on disposing of computing equipment/removal of personal data should be sought from Innovation & Technology Services. You can email support@yorksj.ac.uk.

Agile and Remote Working

Information created as part of Agile and Remote Working is information held by the University and it must be handled in the same way as information created on campus, and in accordance with policy and regulations. It is still under the purview of the Data Protection Act and the Freedom of Information Act. Staff can be liable as individuals for the use or misuse of information in their care, and any breach of University policy and regulation will be treated as a serious disciplinary offence. Security measures put in place should be suitable to the sensitivity of the data and the risks of the environment.

Standard Waste

This is information which could be released under an FOI request: information which is already available publicly, or information where its release would not cause harm, distress or embarrassment.

Examples:

• Charters, constitutions, ordinances, statutes and regulations
• Published directories
• Published minutes and reports
• Press releases
• Prospectuses
• Presentation materials
• Course guides and outlines
• Publicity material
• Blank examination papers (post exam)
• Theses (accepted)
• Data which has been wholly anonymised
• Published surveys

Disposal:

These types of information do not need to be disposed of in a secure manner. They can be placed in standard waste bins to be collected for recycling. If you have a large amount of non-confidential waste to be collected, please contact Porters by emailing porters@yorksj.ac.uk to arrange a collection.

Confidential Waste

This is any record which contains personal information about a living person, records which, if made public before a certain period, may breach commercial confidentiality, any record which may breach intellectual property rights, records which contain information the secure disposal of which is required by the terms of a contract or a licence or a statute or the disclosure of which would breach a statutory restriction.

Examples:

• Documents which reveal personal financial, health, medical, or any other personal details of a named living individual, or which pass comment on a named living person
• Staff discipline or appeals records, and redundancy records
• Student admission records and discipline or appeal records
• Job applications and interview notes
• Accident books and records
• Contracts and tenders
• Purchasing and maintenance records
• Insurance records
• Unpublished accounting records
• Unpublished research material, drafts and manuscripts

Disposal:

Confidential material should be disposed of as soon as possible after its retention period has elapsed. You can check your local retention schedule on the Records Retention section of the intranet.

Paper records can be shredded using a cross-cut shredder and then disposed of via standard wastepaper bins. If you have regular need of a cross-cut shredder, these can be purchased via Print Services through OneUni. This is the most environmentally friendly and cost friendly method of disposal and is sufficient to meet the requirements of secure information disposal.

If you have a significant amount of confidential waste to be disposed of and it is not practical to shred for disposal through standard wastepaper bins, this can be done via the confidential waste bags service; please email sustainability@yorksj.ac.uk to discuss your requirements.

The security of the information in the confidential waste bags must also be kept in mind; it is not secure, for example, to have a confidential waste bag left in an unlocked office when the information was previously held in a locked filing cabinet.

Locations of Confidential Waste Bins on Lord Mayor’s Walk Campus