Records management framework

The University is subject to the provisions of the:

• Data protection legislation (General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), Data Protection Act 2018)
• Freedom of Information Act 2000
• Environmental Information Regulations 2004

This policy is based upon the international standard for records management, ISO 15489 and the Lord Chancellor´s code of practice on the management of records under Section 46 of the Freedom of Information Act 2000. It also draws on best practice guidance and principles from organisations such as JISC and the UK National Archives.

This Records Management Policy exists to ensure efficient management of York St John records - whether paper or electronic – that are created or used by staff, students, and associates of the University.

This Policy underpins a wider framework which supports the University’s core activities and functions, meets expectations for good corporate governance and sets the parameters for complying with legal and regulatory obligations.

York St John University’s Record Management Policy sets out expectations for:

1. the efficient and systematic management of records, seeking to comply with the relevant international standards set out in ISO154891 and the Lord Chancellor’s Code of Practice on Records Management under Section 46 of the Freedom of Information Act 2000.
2. the creation, maintenance and retention of records in order to provide accurate, secure, and accessible information about and evidence of the University’s transactions and activities.
3. implementation, through the definition of management responsibilities for recordkeeping and requirements relating to staff support and development
4. retention schedules, to govern the period of time that records will be retained.

This policy applies to all York St John University staff, students, researchers, contractors, and agents. Any person who handles personal information for or on behalf of the University is responsible for the safety and security of that information under the Data protection legislation (General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), Data Protection Act 2018).

The policy covers all records (recorded information in any form) created or received in the course of York St John University business, corporate functions, and through the course of research (either internally or externally funded).

The policy is binding on all those who create or use University records, whether accessing records on or off-campus.

The Executive Board is responsible for approving the Policy.

Senior staff with specific responsibility for the implementation of records management policy and procedures within their area have been identified. This includes the development and maintenance of local retention schedules within the University’s Records Retention Schedule (which will be published shortly). These senior staff are responsible for identifying an individual within their area with responsibility for maintaining the local schedule and monitoring compliance with requirements for record creation, maintenance and disposal, reporting matters as necessary.

All University staff should receive information on this Policy as part of their induction.

University staff are responsible for:

• Creating and maintaining accurate and reliable records
• Ensuring the security of records, irrespective of format, and for ensuring that access is only granted to those authorised to view them
• Ensuring that electronic records are properly maintained and remain accessible, readable and authentic
• Ensuring records of a sensitive nature are handled in strict confidence and in accordance with legal requirements
• Following guidance on the retention and disposal of records provided within the Records Retention Schedule.

The University Secretary's Office supports the implementation of the Policy by providing:

• Ad hoc support, advice and guidance to staff including advice on the parameters for data sharing
• A resources bank on the website, and 
• Training sessions both specific for individual areas, and general via the Staff Development programme (including for new staff on induction)

The University Secretary's Office will liaise with other stakeholders across the University (eg ILS in relation to security of electronic records, and Registry in relation to the development and support for records management systems leading on student records).

The University aims to adhere to the following guidance and best practice when managing University records and when providing advice and guidance to University record holders.

• International Organisation for Standardisation (ISO). Information and Documentation -Records Management. ISO 15489 (2000)
• Lord Chancellor’s Code of Practice on the Management of Records under Section 46 of the Freedom of Information Act 2000. November 2002
• National Archives Full Work Book (PDF 0.9MB)2006
• Joint Information Systems Committee (JISC) JISC InfoNet Information and Records Management Accessed February 2015
• Joint Information Systems Committee (JISC) HE Business Classification Scheme and Retention Schedule. 2007 Accessed February 2015

This Policy is reviewed every three years.

Review of the Policy will be conducted by the University Secretary in line with current legislation, codes of practice and regulatory standard. The Executive Board is responsible for approval of the Policy.

Approved by SLT: June 2015
Updated: January 2017

A record is recorded information created or received by York St John University or individual members of staff to support and show evidence of YSJ activities.

All records are documents, but not all documents are records. In effect, a document becomes a record when it forms part of a business activity. An example of a document would be a blank form. If somebody completes and submits the form, it becomes a record, because it has participated in a business activity.

Records need to be reliable, have integrity (be complete or unaltered, except under controlled conditions) and be useable. Records therefore need to be subject to controls that ensure these features are maintained.

Information is a corporate asset. York St John University's records are important sources of administrative, evidential and historical information. They are vital to the University in its current and future operations (including meeting legislative requirements), for the purposes of accountability, and for an awareness and understanding of its history and procedures. They form part of the "corporate memory" of the organisation.

In order to rely on the records the University holds, each record must have:

Reliability

• A reliable record is one whose contents can be trusted and depended upon for subsequent purposes
• Records must contain full and accurate information
• Records must be created at the time of, or as soon as possible after, the activity to which they relate
• Record creation should be incorporated into routine activities and processes

Integrity

• The integrity of a record refers to its being complete and unaltered
• Records must be protected against alteration
• Authorised amendments must be clearly identified and traceable
• Migration of records from one system to another must be carefully controlled

Usability

• A usable record is one which can be located, retrieved, presented and interpreted when required. Records must be easily locatable and accessible
• The content and context of records must be interpretable and understandable by all authorised users
• The circumstances surrounding the creation of the record should be clear, along with the identity of the creator/s and the date of creation
• Records relating to the same activity should be associated, regardless of their format

It is helpful for planning records management activities to bear in mind the different stages of the record lifecycle:

1. Creation

1.1 Records may either be created naturally as part of a business process (e.g. sending letters or e-mails), created once an activity is complete (e.g. documenting oral decisions), or received from another source (e.g. incoming correspondence).

1.2 Record “capture” refers to a record being created and kept, and its subsequent incorporation into a record keeping system.

1.3 Full and accurate records should be created where they are needed to support business activities or to provide information or evidence about activities, transactions or decisions.

1.4 Records should be created at the time of or as soon as practical after the event or transaction to which they relate.

1.5 Records may be created in any format, including paper, electronic or digital mediums, as long as their usability, reliability and integrity can be preserved for as long as the record is needed.

1.6 The context of a record should be clearly identifiable

2. Use

2.1 Records need to be maintained for as long as the record is required. Maintaining records appropriately will ensure that they can be protected, accessed and managed efficiently.

2.2 Records in both physical (e.g. paper) and electronic formats should be efficiently locatable, retrievable and usable at any time and by any authorised person.

2.3 Once a record is created and captured it must be protected against unauthorised alteration or destruction.

2.4 Storage accommodation for records should be clean, tidy and organised, and offer the maximum practicable protection against damage by flood, fire or other risks.

2.5 Records must be kept secure against unauthorised access, relative to the sensitivity of their content. Particular protection should be given to records containing personal information.

3. Retention

3.1 Records should have defined cut-off points to determine when files will be closed and new ones opened (normally based on academic years), and will facilitate their subsequent retrieval, retention and disposal.

3.2 Each University department is responsible for managing the retention periods and schedules of its records. Retention schedules set out the period of time that records should be retained for, according to the particular activities that they serve. These schedules specify whether records should subsequently be destroyed, appraised, or retained permanently. The University’s new Data Retention and Erasure Policy will be published and made accessible from this webpage in September 2022.

3.3 Records which are not to be retained permanently should be destroyed in accordance with the periods specified in the Record Retention Schedule.

3.4 If records are temporarily or permanently moved to another location (e.g. offsite storage), either within the University or externally, their movement should be logged to ensure that the record can always be located when required.

3.5 The team or individual responsible for managing each particular record series will usually be apparent from the context of the record and its creation. Where this is not clear, responsibility should be ascertained as appropriate.

4. Disposal

4.1 Disposal is the final state of the record, i.e. destruction or retention.

4.2 Unnecessary retention or premature destruction of records carries different but comparable liabilities to the University.

4.3 Records due for disposal should be destroyed by methods appropriate to the sensitivity or confidentiality of their content. Particular care should be taken with records containing personal information.

The following factsheets have been developed to support staff and the implementation of effective records management.  These should be used to develop procedures locally.

Factsheet 01 - Retention of Student Work (PDF 0.1MB)

Factsheet 02 - Email Etiquette (PDF 0.3MB)

Factsheet 03 - Social Media*

Factsheet 04 -  Record Retention Guidance (PDF 0.2MB)

Factsheet 05 - Disposing of Records (PDF 0.3 MB)

 *guidance will be published shortly.